
Experts Live Europe 2019

Manuel Meyer
November 22, 2019


Saving secrets that your applications require in order to work properly has always been a challenge. In principle, it is very simple: everything you need to keep secret needs to be encrypted. We have the algorithms and procedures to do this on every platform we use. The problem is that every time we encrypt a secret, we need a key. And the key must be kept secret as well! That means we should encrypt the key to keep it secret, right? What? This is a game that never ends! But Azure has an answer. In this session, we take a look at the Azure Key Vault offering and how you can use it to keep your secrets safe.

  1. Psst. Top Secret! Keeping Secrets with Azure Key Vault. Manuel Meyer, Azure Architect, Trivadis AG, www.manuelmeyer.net, @manumeyer1
  2. None
  3. None
  4. Vulnerabilities: „Bad Firewall Config“, „Operating System Bugs“, „Lazy Sysadmins“, „Flawed Web Server Config“
  5. Vulnerability Classification: Applications 83%, Operating Systems 13%, Hardware 4%

  6. https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

  7. 2 Problems: The User & the IT People

  8. The User

  9. My Approach (before): „If you use the same password everywhere = no good“. 1 Low Security Password: heybuddy24. 1 High Security Password: htowi_fle98dk$$+djk(43.
  10. My Approach (today): KeePass, MFA.

  11. My Approach (today): qhjp7n0Qdnctw87G5cPg Lkjsdk32lkö2dlkj3klj%&/lkjs() slkjsEWeio***djfkl1109823lskjwJ … Single place for passwords, auto-complete, 439 entries.
  12. www.haveibeenpwned.com (Troy Hunt)

  13. None
  14. Azure Key Vault in a Nutshell: 1. Store and protect “Secret Stuff” (Keys, Secrets, Certificates). 2. “Provide” them to Cloud Apps and Services.
  15. Basics ▪ Key: a cryptographic RSA key. Keys CANNOT be read from KV; apps must ask KV to encrypt, decrypt, sign. ▪ Secret: a sequence of bytes (under 25 KB). Authorized users write secrets to KV; authorized apps read secrets from KV. ▪ Certificate.
  16. Basics: Management Plane (manage the “Secret Stuff”, secured by RBAC) vs. Data Plane (“work with the Secret Stuff”, secured by Access Policy).
  17. Basics ▪ Software Protected Keys: FIPS 140-2 Level 1 ▪ HSM Protected Keys: FIPS 140-2 Level 2. Pricing: 10k operations = 0.03 EUR; cert renewal: 2.53 EUR; HSM keys: 0.84 EUR per key; HSM advanced: 4.22 per key.
  18. None
  19. None
  20. IaaS Disk Encryption: 1. In Key Vault Access Policies, allow Disk Encryption. 2. Create a Key. 3. Configure Disk Encryption on the Virtual Machine. 4. Reboot.
  21. None
  22. None
  23. Digital Envelope, CEK, KEK, What??? Source: Nilay Parikh, https://blog.nilayparikh.com/azure/development/best-practices-client-side-encryption-with-azure-storage-services/

  24. Demo: Client Side Storage Encryption: 1. Create a Storage Account (done). 2. Create an Application to upload a blob (done: ClientSideEncryptionDemo). 3. Register the Application in AAD (done); this creates a Service Principal (objectId, secret). 4. Configure the Application to use the Service Principal (done). 5. Create a Key in Key Vault, “ClientSideEncryptionKey”. 6. Use a KV Access Policy to allow the App to use the Key “ClientSideEncryptionKey”. 7. Run the Application.
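To make the CEK/KEK vocabulary of slide 23 concrete, and to show what slide 15 means by keys that cannot be read from the vault, here is an added C# example of envelope encryption. It is not the deck's ClientSideEncryptionDemo and not the Azure Storage SDK's code. It assumes .NET 8 and uses only System.Security.Cryptography; the LocalKekService class is a hypothetical local stand-in for Key Vault's wrapKey/unwrapKey operations so the example runs offline, and the key identifier it reports is a placeholder.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Everything needed to decrypt the blob later, except the KEK itself. In the real flow this
// is what sits next to the blob as encryption metadata: wrapped CEK, KEK id, nonce, tag.
public sealed record Envelope(string KekId, byte[] WrappedCek, byte[] Nonce, byte[] Ciphertext, byte[] Tag);

// Hypothetical local stand-in for Key Vault's wrapKey / unwrapKey operations on an RSA key.
// With a real vault these two methods are REST calls and the private key never leaves the vault.
public sealed class LocalKekService : IDisposable
{
    private readonly RSA _kek = RSA.Create(2048);

    // Placeholder identifier in the shape Key Vault uses (vault/keys/name/version).
    public string KekId => "https://placeholder-vault.vault.azure.net/keys/ClientSideEncryptionKey/placeholder-version";

    public byte[] WrapKey(byte[] cek) => _kek.Encrypt(cek, RSAEncryptionPadding.OaepSHA256);
    public byte[] UnwrapKey(byte[] wrappedCek) => _kek.Decrypt(wrappedCek, RSAEncryptionPadding.OaepSHA256);
    public void Dispose() => _kek.Dispose();
}

public static class EnvelopeCrypto
{
    private const int CekSizeBytes = 32;   // AES-256 content encryption key
    private const int NonceSizeBytes = 12; // standard AES-GCM nonce size
    private const int TagSizeBytes = 16;   // full-length authentication tag

    public static Envelope Encrypt(byte[] plaintext, LocalKekService kekService)
    {
        // 1. A fresh random CEK for this blob only: losing one CEK exposes one blob, not all of them.
        byte[] cek = RandomNumberGenerator.GetBytes(CekSizeBytes);
        try
        {
            // 2. Encrypt the content locally with the CEK (AES-GCM gives confidentiality and integrity).
            byte[] nonce = RandomNumberGenerator.GetBytes(NonceSizeBytes);
            byte[] ciphertext = new byte[plaintext.Length];
            byte[] tag = new byte[TagSizeBytes];
            using (var aes = new AesGcm(cek, TagSizeBytes)) // .NET 8 constructor; .NET 6/7 use new AesGcm(cek)
            {
                aes.Encrypt(nonce, plaintext, ciphertext, tag);
            }

            // 3. Wrap the CEK with the KEK. Only the wrapped CEK is stored; the KEK stays in the vault.
            byte[] wrappedCek = kekService.WrapKey(cek);
            return new Envelope(kekService.KekId, wrappedCek, nonce, ciphertext, tag);
        }
        finally
        {
            // 4. The plaintext CEK is never persisted; clear it as soon as it is no longer needed.
            CryptographicOperations.ZeroMemory(cek);
        }
    }

    public static byte[] Decrypt(Envelope envelope, LocalKekService kekService)
    {
        if (envelope.KekId != kekService.KekId)
            throw new InvalidOperationException("Envelope was wrapped with a different KEK.");

        // Unwrapping needs the vault (unwrapKey permission); the CEK exists in memory only briefly.
        byte[] cek = kekService.UnwrapKey(envelope.WrappedCek);
        try
        {
            byte[] plaintext = new byte[envelope.Ciphertext.Length];
            using var aes = new AesGcm(cek, TagSizeBytes);
            // Throws CryptographicException if ciphertext, nonce or tag were tampered with.
            aes.Decrypt(envelope.Nonce, envelope.Ciphertext, envelope.Tag, plaintext);
            return plaintext;
        }
        finally
        {
            CryptographicOperations.ZeroMemory(cek);
        }
    }
}

public static class Program
{
    public static void Main()
    {
        using var vault = new LocalKekService();

        // Constructed sample blob content.
        byte[] blob = Encoding.UTF8.GetBytes("customer export 2019-11-22 (constructed sample)");

        Envelope env = EnvelopeCrypto.Encrypt(blob, vault);
        Console.WriteLine($"stored: {env.Ciphertext.Length} ciphertext bytes, {env.WrappedCek.Length}-byte wrapped CEK, KEK {env.KekId}");

        string roundTrip = Encoding.UTF8.GetString(EnvelopeCrypto.Decrypt(env, vault));
        Console.WriteLine($"decrypted: {roundTrip}");

        // Integrity check: flip one ciphertext bit and the authentication tag no longer verifies.
        byte[] tampered = (byte[])env.Ciphertext.Clone();
        tampered[0] ^= 0x01;
        try
        {
            EnvelopeCrypto.Decrypt(env with { Ciphertext = tampered }, vault);
            Console.WriteLine("unexpected: tampered blob decrypted");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("tampered blob rejected (authentication tag mismatch)");
        }
    }
}
```

The point of the two-key structure is visible in what gets stored: the ciphertext and a wrapped CEK, never a usable key. Rotating the KEK means re-wrapping small CEKs rather than re-encrypting every blob, and revoking an application's access to the vault's unwrapKey operation (slide 24, step 6) makes all of its stored data unreadable to it without touching the data itself. The Azure Storage client library follows the same steps and keeps the wrapped CEK, KEK identifier and algorithm in the blob's metadata; its exact cipher modes differ between versions, so treat this block as the concept rather than its wire format.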
  25. None
  26. None
  27. Let's write some code! App

  28. www.shhgit.darkport.co.uk

  29. Let's write some code! App

  30. Goal: Remove Secrets from config ▪ 1. Use a Service Principal: needs objectId and Secret from App Registration ▪ 2. Use a Managed Identity (MSI): App Service supports MSI.
  31. Demo: Remove Secrets from App Config: 1. Create a Secret in Key Vault. 2. App Service: Enable Managed Identity (MSI). 3. Key Vault: Add Access Policy for MSI. 4. Add Code to Request Secret from Key Vault.
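Step 4 above ("Add Code to Request Secret from Key Vault") as an added C# example; this is not the deck's demo code. It assumes a .NET app running on App Service with a system-assigned managed identity and the NuGet packages Azure.Identity and Azure.Security.KeyVault.Secrets (the current SDK; a 2019 demo may have used Microsoft.Azure.KeyVault with AzureServiceTokenProvider instead). The KEYVAULT_URI setting, the vault address and the secret name DbPassword are placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class KeyVaultConfig
{
    // Before: appsettings.json or the App Service settings held the real value,
    // e.g. "DbPassword": "...". After: the only setting the app keeps is the vault
    // address (placeholder below), which is not secret. Anyone who reads the config
    // gets nothing usable without a token for this app's identity.
    private static readonly Uri VaultUri =
        new Uri(Environment.GetEnvironmentVariable("KEYVAULT_URI")
                ?? "https://placeholder-vault.vault.azure.net/");

    // DefaultAzureCredential resolves to the managed identity when running in App Service
    // (no client secret or certificate involved) and to the developer's Azure CLI or
    // Visual Studio sign-in on a workstation, so the same code runs in both places
    // without any stored secret.
    private static readonly SecretClient Client =
        new SecretClient(VaultUri, new DefaultAzureCredential());

    public static async Task<string> GetSecretAsync(string secretName)
    {
        try
        {
            // Requires the "Get" secret permission in the vault's access policy for this
            // identity (step 3 of the demo). Returns the latest enabled version of the secret.
            KeyVaultSecret secret = await Client.GetSecretAsync(secretName);
            return secret.Value;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // The identity authenticated, but the vault's access policy does not allow the read:
            // the usual symptom of a missing or wrong access policy entry (step 3).
            throw new InvalidOperationException(
                $"This identity is not permitted to read secret '{secretName}'; " +
                "add a Key Vault access policy with the Get secret permission for it.", ex);
        }
    }
}

public static class Program
{
    public static async Task Main()
    {
        // Fetched at startup and held in memory only; never written to config, logs or disk.
        string dbPassword = await KeyVaultConfig.GetSecretAsync("DbPassword"); // placeholder name
        Console.WriteLine($"Loaded secret 'DbPassword' from Key Vault ({dbPassword.Length} characters)");
    }
}
```

In production, `new ManagedIdentityCredential()` in place of `DefaultAzureCredential` removes the fallback chain so the app can only ever authenticate as its managed identity (pass the client id for a user-assigned identity). The access policy from step 3 is what turns the 403 into a successful read; granting only Get on secrets, not List, Set or Delete, keeps the app at least privilege.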
  32. None
  33. Recap ▪ Key Vaults store ▪ Keys: cannot leave Key Vault ▪ Secrets: arbitrary strings ▪ Certificates ▪ Secret management via Management Plane (Portal, secured by AD RBAC) ▪ Secret usage via Data Plane (REST API, Key Vault Access Policy) ▪ Scenarios ▪ Use Key Vault to enable IaaS Disk Encryption ▪ Use Key Vault to do Client-Side Encryption for Storage ▪ Use Key Vault to keep secrets out of code with Managed Identity (MSI).
  34. Thank you! Manuel Meyer www.manuelmeyer.net @manumeyer1 [email protected]