Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Experts Live Europe 2019

Manuel Meyer
November 22, 2019

Experts Live Europe 2019

Saving secrets that your applications require in order to work properly has always been a challenge. In principle, it is very simple: Everything you need to keep secret need to be encrypted. We have the algorithms and procedures to do this on every platform we are using. The problem is that every time we encrypt a secret, we need a key. And the key must be kept secret as well! That means we should encrypt the key to keep it secret, right? What? This is a game that never ends! But Azure has an answer. In this session, we take a look at the Azure Key Vault offering and how you can use it to keep your secrets safe.

Manuel Meyer

November 22, 2019

More Decks by Manuel Meyer

Other Decks in Programming


  1. Psst. Top Secret! Keeping Secrets with Azure Key Vault Manuel

    Meyer Azure Architect, Trivadis AG www.manuelmeyer.net @manumeyer1
  2. My Approach (before) „If you use the same password everywhere

    = no good“ 1 Low Security Password: heybuddy24 1 High Security Passwort: htowi_fle98dk$$+djk(43.
  3. Azure Key Vault in a Nutshell 1. Store and protect

    “Secret Stuff” Keys, Secrets, Certificates 2. “Provide” them to Cloud Apps and Services.
  4. Basics ▪ Key ▪ A cryptographic RSA key. ▪ Keys

    CAN NOT be read from KV. ▪ Apps must ask KV to encrypt, decrypt, sign ▪ Secret ▪ A sequence of bytes (under 25kb) ▪ Authorized users write secrets to KV ▪ Authorized apps read secrets from KV ▪ Certificate.
  5. Basics ▪ Software Protected Keys ▪ FIPS 140-2 Level 1

    ▪ HSM Protected Keys ▪ FIPS 140-2 Level 2 10k Operations = 0.03 EUR Cert Renewal: 2.53 EUR HSM Keys: 0.84 EUR per Key HSM Advanced: 4.22 per Key.
  6. IaaS Disk Encryption 1. In Key Vault Access Policies, allow

    Disk Encryption 2. Create a Key 3. Configure Disk Encryption on Virtual Machine 4. Reboot.
  7. Demo: Client Side Storage Encryption 1. Create a Storage Account

    (done) 2. Create an Application to Upload a blob (Done: ClientSideEncryptionDemo) 3. Register the Application in AAD (done) This creates a Service Principal (objectId, secret) 4. Configure the Application to use Service Principal (done) 5. Create a Key in Key Vault “ClientSideEncryptionKey” 6. Use a KV Access Policy to allow the App to use the Key “ClientSideEncryptionKey” 7. Run the Application.
  8. Goal: Remove Secrets from config ▪ 1. Use a Service

    Principal Needs objectId and Secret from App Registration ▪ 2. Use a managed Identity (MSI) App Service supports MSI.
  9. Demo: Remove Secrets from App Config 1. Create a Secret

    in KeyVault 2. AppServivce: Enable Managed Identity (MSI) 3. Key Vault: Add Access Policy for MSI 4. Add Code to Request Secret from Key Vault.
  10. Recap ▪ Key Vaults store ▪ Keys: Can not leave

    Key Vault ▪ Secrets: Arbitrary strings ▪ Certificates: Certificates ▪ Secret Management via Management Plane (Portal, secured by AD RBAC) ▪ Secret Usage via Data Plane (REST API, Key Vault Access Policy) ▪ Scenarios ▪ Use Key Vault to enable IaaS Disk Encryption ▪ Use Key Vault to do Client Side Encryption for Storage ▪ Use Key Vault to keep secrets out of code with Managed Identity (MSI).