Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Experts Live Europe 2019

Manuel Meyer
November 22, 2019
Programming
0
710

Experts Live Europe 2019

Saving secrets that your applications require in order to work properly has always been a challenge. In principle, it is very simple: Everything you need to keep secret need to be encrypted. We have the algorithms and procedures to do this on every platform we are using. The problem is that every time we encrypt a secret, we need a key. And the key must be kept secret as well! That means we should encrypt the key to keep it secret, right? What? This is a game that never ends! But Azure has an answer. In this session, we take a look at the Azure Key Vault offering and how you can use it to keep your secrets safe.

Manuel Meyer

November 22, 2019
Tweet

More Decks by Manuel Meyer

See All by Manuel Meyer
DWX2021 - Hier kommst Du ned rein. ASP.NET Core APIs und Angular Security mit Azure
manuelmeyer
0
1k
DWX2021: Open-Source Intelligenz (OSINT) mit Big Data auf Azure - Geht das?
manuelmeyer
0
630
DWX2021 - Wir prügeln den Monolithen ins Web
manuelmeyer
0
570
BASTA2021 Hybrid: Azure ist überwältigend. Wie finde ich mich da nur zurecht?
manuelmeyer
0
850
Dev Days 2020: Wir prügeln den Monolithen ins Web
manuelmeyer
0
550
Von WPF nach Angular in 60 Minuten
manuelmeyer
0
700
ExpertsLIVE Switzerland 2020: How not to get lost in Azure?
manuelmeyer
0
660
BASTA2020: Geheimniskrämerei in der Azure-Cloud mit dem Azure Key Vault
manuelmeyer
0
540
Taking Control over your APIs with Azure API Management
manuelmeyer
0
650

Other Decks in Programming

See All in Programming
ノーコードE2Eテストで実現する高速開発
nozomiito
0
230
マイクロサービス環境におけるToilを削減するTerraformの活用 in DMMプラットフォーム
pospome
1
230
Unveiling Nano Stores
ninoid
0
130
Migrating From Spring Boot 2 To Spring Boot 3 - What's Jakarta EE Got To Do with It?
ivargrimstad
0
690
Effortless Software Development
afilina
PRO
1
120
わかる!Hashicorp Waypoint | HashiTalks: Japan2023
kazue
0
310
GDSC NYCU 2023 茶會
rabbitmagician1
1
320
Kotlinハイパフォーマンスプログラミング
ohmae
5
3.6k
組織のコード品質を向上させる “レビューシステム”の取り組み
pospome
9
5k
マイクロサービスの効率的な監視〜不安定な依存先との闘い〜
taowata
6
1.1k
まず Container より始めよ
honey32
10
4.5k
どうするLeSS - スクラムフェス三河2023.9.16
stanby_inc
1
210

Featured

See All Featured
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
0
2.4k
How to Ace a Technical Interview
jacobian
272
22k
Done Done
chrislema
178
15k
Product Roadmaps are Hard
iamctodd
42
8.8k
Intergalactic Javascript Robots from Outer Space
tanoku
263
26k
Happy Clients
brianwarren
92
6.1k
Practical Orchestrator
shlominoach
179
9.3k
Learning to Love Humans: Emotional Interface Design
aarron
265
38k
The Power of CSS Pseudo Elements
geoffreycrofte
56
4.6k
BBQ
matthewcrist
76
8.4k
For a Future-Friendly Web
brad_frost
168
8.2k
What the flash - Photography Introduction
edds
64
11k

Transcript

  1. Psst. Top Secret!
    Keeping Secrets with
    Azure Key Vault
    Manuel Meyer
    Azure Architect, Trivadis AG
    www.manuelmeyer.net
    @manumeyer1

    View Slide

  2. View Slide

  3. View Slide

  4. Vulnerabilities
    „Bad Firewall
    Config“
    „Operating
    System Bugs“
    „Lazy Sysadmins“
    „Flawed Web
    Server Config“

    View Slide

  5. Applications
    83%
    Operating
    Systems13%
    Hardware 4%
    VULNERABILITY CLASSIFICATION

    View Slide

  6. https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

    View Slide

  7. 2 Problems:
    The User & the IT People

    View Slide

  8. The User

    View Slide

  9. My Approach (before)
    „If you use the same password everywhere = no good“
    1 Low Security Password: heybuddy24
    1 High Security Passwort: htowi_fle98dk$$+djk(43.

    View Slide

  10. My Approach (today)
    Keepass
    MFA.

    View Slide

  11. My Approach (today)
    qhjp7n0Qdnctw87G5cPg
    Lkjsdk32lkö2dlkj3klj%&/lkjs()
    slkjsEWeio***djfkl1109823lskjwJ

    Single Place for Passwords
    Auto-Complete
    439 entries.

    View Slide

  12. www.haveibeenpwned.com
    Troy Hunt

    View Slide

  13. View Slide

  14. Azure Key Vault in a Nutshell
    1. Store and protect “Secret Stuff”
    Keys, Secrets, Certificates
    2. “Provide” them to Cloud Apps and Services.

    View Slide

  15. Basics
    ▪ Key
    ▪ A cryptographic RSA key.
    ▪ Keys CAN NOT be read from KV.
    ▪ Apps must ask KV to encrypt, decrypt, sign
    ▪ Secret
    ▪ A sequence of bytes (under 25kb)
    ▪ Authorized users write secrets to KV
    ▪ Authorized apps read secrets from KV
    ▪ Certificate.

    View Slide

  16. Basics
    Management
    Plane
    Data Plane
    Manage the
    “Secret Stuff”
    “Work with the
    Secret Stuff”
    RBAC
    Access Policy

    View Slide

  17. Basics
    ▪ Software Protected Keys
    ▪ FIPS 140-2 Level 1
    ▪ HSM Protected Keys
    ▪ FIPS 140-2 Level 2
    10k Operations = 0.03 EUR
    Cert Renewal: 2.53 EUR
    HSM Keys: 0.84 EUR per Key
    HSM Advanced: 4.22 per Key.

    View Slide

  18. View Slide

  19. View Slide

  20. IaaS Disk Encryption
    1. In Key Vault Access Policies, allow Disk Encryption
    2. Create a Key
    3. Configure Disk Encryption on Virtual Machine
    4. Reboot.

    View Slide

  21. View Slide

  22. View Slide

  23. Digital Envelope, CEK, KEK, What???
    Source: Nilay Parikh, https://blog.nilayparikh.com/azure/development/best-practices-client-side-encryption-with-azure-storage-services/

    View Slide

  24. Demo: Client Side Storage Encryption
    1. Create a Storage Account (done)
    2. Create an Application to Upload a blob (Done: ClientSideEncryptionDemo)
    3. Register the Application in AAD (done)
    This creates a Service Principal (objectId, secret)
    4. Configure the Application to use Service Principal (done)
    5. Create a Key in Key Vault “ClientSideEncryptionKey”
    6. Use a KV Access Policy to allow the App to use the Key
    “ClientSideEncryptionKey”
    7. Run the Application.

    View Slide

  25. View Slide

  26. View Slide

  27. Lets write some code!
    App

    View Slide

  28. www.shhgit.darkport.co.uk

    View Slide

  29. Lets write some code!
    App

    View Slide

  30. Goal: Remove Secrets from config
    ▪ 1. Use a Service Principal
    Needs objectId and Secret from App Registration
    ▪ 2. Use a managed Identity (MSI)
    App Service supports MSI.

    View Slide

  31. Demo: Remove Secrets from App Config
    1. Create a Secret in KeyVault
    2. AppServivce: Enable Managed Identity (MSI)
    3. Key Vault: Add Access Policy for MSI
    4. Add Code to Request Secret from Key Vault.

    View Slide

  32. View Slide

  33. Recap
    ▪ Key Vaults store
    ▪ Keys: Can not leave Key Vault
    ▪ Secrets: Arbitrary strings
    ▪ Certificates: Certificates
    ▪ Secret Management via Management Plane (Portal, secured by AD RBAC)
    ▪ Secret Usage via Data Plane (REST API, Key Vault Access Policy)
    ▪ Scenarios
    ▪ Use Key Vault to enable IaaS Disk Encryption
    ▪ Use Key Vault to do Client Side Encryption for Storage
    ▪ Use Key Vault to keep secrets out of code with Managed Identity (MSI).

    View Slide

  34. Thank you!
    Manuel Meyer
    www.manuelmeyer.net
    @manumeyer1
    [email protected]

    View Slide