Experts Live Europe 2019

Manuel Meyer
November 22, 2019

Saving the secrets that your applications need in order to work properly has always been a challenge. In principle, it is very simple: everything you need to keep secret needs to be encrypted. We have the algorithms and procedures to do this on every platform we use. The problem is that every time we encrypt a secret, we need a key. And the key must be kept secret as well! That means we should encrypt the key to keep it secret, right? What? This is a game that never ends! But Azure has an answer. In this session, we take a look at the Azure Key Vault offering and how you can use it to keep your secrets safe.

Transcript

  1. Psst. Top Secret!
    Keeping Secrets with Azure Key Vault
    Manuel Meyer
    Azure Architect, Trivadis AG
    www.manuelmeyer.net
    @manumeyer1

  2. Vulnerabilities
    „Bad Firewall Config“
    „Operating System Bugs“
    „Lazy Sysadmins“
    „Flawed Web Server Config“

  3. Vulnerability Classification
    Applications: 83%
    Operating Systems: 13%
    Hardware: 4%

  4. https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

  5. 2 Problems:
    The User & the IT People

  6. My Approach (before)
    „If you use the same password everywhere = no good“
    1 Low Security Password: heybuddy24
    1 High Security Password: htowi_fle98dk$$+djk(43.

  7. My Approach (today)
    KeePass
    MFA.

  8. My Approach (today)
    qhjp7n0Qdnctw87G5cPg
    Lkjsdk32lkö2dlkj3klj%&/lkjs()
    slkjsEWeio***djfkl1109823lskjwJ

    Single Place for Passwords
    Auto-Complete
    439 entries.

  9. www.haveibeenpwned.com
    Troy Hunt

  10. Azure Key Vault in a Nutshell
    1. Store and protect “Secret Stuff”
    Keys, Secrets, Certificates
    2. “Provide” them to Cloud Apps and Services.

  11. Basics
    ▪ Key
      ▪ A cryptographic RSA key.
      ▪ Keys CANNOT be read from KV.
      ▪ Apps must ask KV to encrypt, decrypt, sign.
    ▪ Secret
      ▪ A sequence of bytes (under 25 KB)
      ▪ Authorized users write secrets to KV
      ▪ Authorized apps read secrets from KV
    ▪ Certificate.

  12. Basics
    Management Plane: Manage the “Secret Stuff” (RBAC)
    Data Plane: “Work with the Secret Stuff” (Access Policy)

  13. Basics
    ▪ Software Protected Keys
      ▪ FIPS 140-2 Level 1
    ▪ HSM Protected Keys
      ▪ FIPS 140-2 Level 2
    10k Operations = 0.03 EUR
    Cert Renewal: 2.53 EUR
    HSM Keys: 0.84 EUR per Key
    HSM Advanced: 4.22 EUR per Key.

  14. IaaS Disk Encryption
    1. In Key Vault Access Policies, allow Disk Encryption
    2. Create a Key
    3. Configure Disk Encryption on Virtual Machine
    4. Reboot.

  15. Digital Envelope, CEK, KEK, What???
    Source: Nilay Parikh, https://blog.nilayparikh.com/azure/development/best-practices-client-side-encryption-with-azure-storage-services/

  16. Demo: Client Side Storage Encryption
    1. Create a Storage Account (done)
    2. Create an Application to Upload a blob (done: ClientSideEncryptionDemo)
    3. Register the Application in AAD (done)
       This creates a Service Principal (objectId, secret)
    4. Configure the Application to use the Service Principal (done)
    5. Create a Key in Key Vault “ClientSideEncryptionKey”
    6. Use a KV Access Policy to allow the App to use the Key “ClientSideEncryptionKey”
    7. Run the Application.
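The digital envelope from slides 15 and 16 (content encryption key, CEK, protecting the blob; key encryption key, KEK, protecting the CEK), as an added example that is not part of the deck or its ClientSideEncryptionDemo app: a local Ruby `Vault` class stands in for Key Vault's wrapKey/unwrapKey operations (RSA-OAEP) so the round trip runs offline, and the class, method and struct names are assumptions.

```ruby
require "openssl"

# Vault stands in for Key Vault: the RSA key-encryption key (KEK) never leaves it;
# callers only get wrap/unwrap, i.e. Key Vault's wrapKey/unwrapKey (RSA-OAEP).
class Vault
  def initialize
    @kek = OpenSSL::PKey::RSA.generate(2048) # the "Create a Key in Key Vault" step
  end

  def wrap(cek)
    @kek.public_encrypt(cek, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  end

  def unwrap(wrapped)
    @kek.private_decrypt(wrapped, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  end
end

# Envelope is what is stored next to the blob; the plaintext CEK is never persisted.
Envelope = Struct.new(:ciphertext, :iv, :tag, :wrapped_cek)

# Encrypt: a fresh AES-256 CEK per blob seals the data with AES-GCM; the vault wraps
# the CEK and only the wrapped copy travels with the ciphertext.
def encrypt(vault, plaintext)
  c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cek, iv = c.random_key, c.random_iv # both fresh for every blob
  c.auth_data = ""
  ciphertext = c.update(plaintext) + c.final
  Envelope.new(ciphertext, iv, c.auth_tag, vault.wrap(cek))
end

# Decrypt: the vault unwraps the CEK, the data is opened locally. A tampered tag,
# ciphertext or wrapped key raises an OpenSSL error instead of yielding garbage.
def decrypt(vault, env)
  c = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  c.key = vault.unwrap(env.wrapped_cek)
  c.iv = env.iv
  c.auth_tag = env.tag
  c.auth_data = ""
  c.update(env.ciphertext) + c.final
end

if __FILE__ == $PROGRAM_NAME
  vault = Vault.new
  env = encrypt(vault, "customer record 4711") # constructed sample blob content
  puts decrypt(vault, env)
end
```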

  17. Let's write some code!
    App

  18. www.shhgit.darkport.co.uk

  19. Let's write some code!
    App

  20. Goal: Remove Secrets from config
    ▪ 1. Use a Service Principal
      Needs objectId and Secret from App Registration
    ▪ 2. Use a Managed Identity (MSI)
      App Service supports MSI.

  21. Demo: Remove Secrets from App Config
    1. Create a Secret in Key Vault
    2. App Service: Enable Managed Identity (MSI)
    3. Key Vault: Add Access Policy for MSI
    4. Add Code to Request Secret from Key Vault.
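Step 4 above as an added example, not the deck's demo code: Ruby stands in for the app, the App Service managed identity endpoint (the platform-injected IDENTITY_ENDPOINT and IDENTITY_HEADER variables) issues the token, and the secret is read over the Key Vault data plane REST API, so no credential sits in config. The class name, the vault name `demo-kv`, the secret name `DbPassword` and the injectable `http` callable are assumptions.

```ruby
require "json"
require "net/http"
require "uri"

# Reads a secret from Key Vault with the App Service managed identity (MSI): the app
# holds no credential at all; the platform's local identity endpoint issues tokens.
class ManagedIdentitySecretReader
  KV_RESOURCE = "https://vault.azure.net"

  # env: the process environment (App Service injects IDENTITY_ENDPOINT and
  # IDENTITY_HEADER); http: callable (uri, headers) -> body, replaceable in tests.
  def initialize(vault_name, env: ENV, http: method(:https_get))
    @vault_name, @env, @http = vault_name, env, http
  end

  # Step 1: token for the Key Vault resource. The X-IDENTITY-HEADER value proves the
  # caller is the app itself, not another process that found the endpoint.
  def access_token
    query = URI.encode_www_form(resource: KV_RESOURCE, "api-version" => "2019-08-01")
    uri = URI("#{@env.fetch('IDENTITY_ENDPOINT')}?#{query}")
    body = @http.call(uri, "X-IDENTITY-HEADER" => @env.fetch("IDENTITY_HEADER"))
    JSON.parse(body).fetch("access_token")
  end

  # Step 2: the secret via the data plane; the Key Vault access policy for the MSI
  # (not the portal RBAC) decides whether this call succeeds.
  def secret(name)
    uri = URI("https://#{@vault_name}.vault.azure.net/secrets/#{name}?api-version=7.0")
    body = @http.call(uri, "Authorization" => "Bearer #{access_token}")
    JSON.parse(body).fetch("value")
  end

  private

  def https_get(uri, headers)
    res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") do |http|
      http.request(Net::HTTP::Get.new(uri, headers))
    end
    raise "#{uri.host} answered #{res.code}" unless res.is_a?(Net::HTTPSuccess)
    res.body
  end
end

# Inside App Service the environment is already populated; "demo-kv" is a placeholder.
if __FILE__ == $PROGRAM_NAME && ENV.key?("IDENTITY_ENDPOINT")
  puts ManagedIdentitySecretReader.new("demo-kv").secret("DbPassword")
end
```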

  22. Recap
    ▪ Key Vaults store
      ▪ Keys: cannot leave Key Vault
      ▪ Secrets: Arbitrary strings
      ▪ Certificates: Certificates
    ▪ Secret Management via Management Plane (Portal, secured by AD RBAC)
    ▪ Secret Usage via Data Plane (REST API, Key Vault Access Policy)
    ▪ Scenarios
      ▪ Use Key Vault to enable IaaS Disk Encryption
      ▪ Use Key Vault to do Client Side Encryption for Storage
      ▪ Use Key Vault to keep secrets out of code with Managed Identity (MSI).

  23. Thank you!
    Manuel Meyer
    www.manuelmeyer.net
    @manumeyer1
    [email protected]