Experts Live Europe 2019

Manuel Meyer
November 22, 2019

Saving the secrets that your applications require in order to work properly has always been a challenge. In principle it is very simple: everything you need to keep secret needs to be encrypted, and we have the algorithms and procedures to do this on every platform we use. The problem is that every time we encrypt a secret, we need a key, and the key must be kept secret as well. So we should encrypt the key to keep it secret, right? This is a game that never ends! But Azure has an answer. In this session we take a look at the Azure Key Vault offering and how you can use it to keep your secrets safe.

Transcript

  1. Psst. Top Secret!
    Keeping Secrets with
    Azure Key Vault
    Manuel Meyer
    Azure Architect, Trivadis AG
    www.manuelmeyer.net
    @manumeyer1

  4. Vulnerabilities
    "Bad Firewall Config"
    "Operating System Bugs"
    "Lazy Sysadmins"
    "Flawed Web Server Config"

  5. Vulnerability classification
    Applications: 83%
    Operating Systems: 13%
    Hardware: 4%

  6. https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

  7. 2 Problems:
    The User & the IT People

  8. The User

  9. My Approach (before)
    "If you use the same password everywhere = no good"
    1 Low Security Password: heybuddy24
    1 High Security Password: htowi_fle98dk$$+djk(43.

  10. My Approach (today)
    KeePass
    MFA.

  11. My Approach (today)
    qhjp7n0Qdnctw87G5cPg
    Lkjsdk32lkö2dlkj3klj%&/lkjs()
    slkjsEWeio***djfkl1109823lskjwJ

    Single Place for Passwords
    Auto-Complete
    439 entries.

  12. www.haveibeenpwned.com
    Troy Hunt

  14. Azure Key Vault in a Nutshell
    1. Store and protect “Secret Stuff”
    Keys, Secrets, Certificates
    2. “Provide” them to Cloud Apps and Services.

  15. Basics
    ▪ Key
    ▪ A cryptographic key (RSA; elliptic-curve keys are supported as well).
    ▪ The private key material CAN NOT be read or exported from KV; only the public part is returned.
    ▪ Apps must ask KV to encrypt, decrypt, sign, verify, wrap and unwrap with the key.
    ▪ Secret
    ▪ A sequence of bytes (up to 25 KB), e.g. a connection string, a password or an API key.
    ▪ Authorized users write secrets to KV
    ▪ Authorized apps read secrets from KV
    ▪ Certificate
    ▪ An X.509 certificate together with its private key; Key Vault can create, import and auto-renew it.

  16. Basics
    Management Plane: manage the "Secret Stuff" (create the vault, set its access policies and networking); secured by Azure RBAC on the vault resource.
    Data Plane: "work with the Secret Stuff" (get a secret, sign, decrypt, wrap a key); secured by the vault's Access Policy.
    Note: an RBAC role on the vault resource grants no rights to the secrets themselves. At the time of this talk data-plane access is granted only through access policies; Azure RBAC for the data plane came later.

  17. Basics
    ▪ Software Protected Keys (Standard tier)
    ▪ FIPS 140-2 Level 1
    ▪ HSM Protected Keys (Premium tier)
    ▪ FIPS 140-2 Level 2
    List prices at the time of the talk (2019):
    10k Operations = 0.03 EUR
    Cert Renewal: 2.53 EUR
    HSM Keys: 0.84 EUR per Key
    HSM Advanced key types (RSA 3072/4096-bit, EC): 4.22 EUR per Key.

  20. IaaS Disk Encryption
    1. In the Key Vault Access Policies (advanced settings), enable "Azure Disk Encryption for volume encryption"
    2. Create a Key (the Key Encryption Key that wraps the disk encryption secret)
    3. Configure Disk Encryption on the Virtual Machine (Azure Disk Encryption: BitLocker on Windows, dm-crypt on Linux)
    4. Reboot. The disk encryption key is stored as a secret in the vault, wrapped by the KEK.

  23. Digital Envelope, CEK, KEK, What???
    Source: Nilay Parikh, https://blog.nilayparikh.com/azure/development/best-practices-client-side-encryption-with-azure-storage-services/

  24. Demo: Client Side Storage Encryption
    1. Create a Storage Account (done)
    2. Create an Application to upload a blob (done: ClientSideEncryptionDemo)
    3. Register the Application in AAD (done)
    This creates an app registration (clientId/appId plus a client secret, which the app uses to authenticate) and a Service Principal (objectId, which the access policy refers to)
    4. Configure the Application to use the Service Principal (done)
    5. Create a Key in Key Vault: "ClientSideEncryptionKey"
    6. Use a KV Access Policy to allow the App to use the Key "ClientSideEncryptionKey" (the key permissions client side encryption needs are wrapKey and unwrapKey)
    7. Run the Application.
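
The digital envelope from slide 23, worked through as an added example (this is not code from the talk or from the ClientSideEncryptionDemo app): every blob gets a fresh content encryption key (CEK) that encrypts the data with AES-256-GCM, and only the CEK is wrapped with the key encryption key (KEK), so the stored object is ciphertext plus wrapped CEK. A locally generated RSA key stands in for the Key Vault key "ClientSideEncryptionKey"; in Azure the two wrap calls are the Key Vault wrapKey and unwrapKey operations and the private half of the KEK never leaves the vault. The key URL and the blob content are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what gets stored next to the blob: ciphertext, GCM nonce and the
// content encryption key (CEK) wrapped by the key encryption key (KEK).
// The plaintext CEK is never persisted.
type Envelope struct {
	WrappedCEK []byte // CEK encrypted with RSA-OAEP under the KEK
	Nonce      []byte // AES-GCM nonce, fresh for every CEK
	Ciphertext []byte // AES-256-GCM output, authentication tag included
	KEKID      string // which KEK wrapped the CEK, e.g. the Key Vault key URL
}

// wrapCEK stands in for Key Vault's wrapKey operation: the app sends the CEK
// and gets the wrapped bytes back; the private half of the KEK stays in the vault.
func wrapCEK(kek *rsa.PublicKey, cek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, cek, nil)
}

// unwrapCEK stands in for Key Vault's unwrapKey operation.
func unwrapCEK(kek *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, kek, wrapped, nil)
}

// Encrypt draws a random 256-bit CEK for this blob, seals the data with AES-GCM
// (the KEK id is bound in as associated data) and wraps the CEK with the KEK.
func Encrypt(kek *rsa.PublicKey, kekID string, plaintext []byte) (*Envelope, error) {
	cek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, cek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(kekID))
	wrapped, err := wrapCEK(kek, cek)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedCEK: wrapped, Nonce: nonce, Ciphertext: ct, KEKID: kekID}, nil
}

// Decrypt unwraps the CEK and opens the blob. A wrong KEK, a tampered
// ciphertext, nonce or tag, or a swapped KEK id all fail here.
func Decrypt(kek *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	cek, err := unwrapCEK(kek, env.WrappedCEK)
	if err != nil {
		return nil, errors.New("unwrap failed: wrong KEK or corrupted wrapped CEK")
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.KEKID))
}

// NewDemoKEK generates a local RSA key that plays the vault-held KEK (constructed for the demo).
func NewDemoKEK() *rsa.PrivateKey {
	kek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return kek
}

func main() {
	kek := NewDemoKEK()
	kekID := "https://example.vault.azure.net/keys/ClientSideEncryptionKey" // constructed key URL
	env, err := Encrypt(&kek.PublicKey, kekID, []byte("constructed blob contents"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, env)
	fmt.Printf("%d-byte wrapped CEK, %d-byte ciphertext, decrypted: %q (err=%v)\n", len(env.WrappedCEK), len(env.Ciphertext), pt, err)
}
```

Two things to notice: rotating the KEK only requires unwrapping and re-wrapping the small CEKs, not re-encrypting every blob, and because the KEK id is authenticated data, an envelope whose KEK reference was swapped by whoever controls the storage account fails to open instead of silently decrypting under the wrong key.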

  27. Let's write some code!
    App

  28. www.shhgit.darkport.co.uk

  29. Let's write some code!
    App

  30. Goal: Remove Secrets from config
    ▪ 1. Use a Service Principal
    Needs the clientId (appId) and a client secret from the App Registration, so one secret is still sitting in config
    ▪ 2. Use a Managed Identity (MSI)
    App Service supports MSI: Azure creates and rotates the credential, the app never sees it and nothing has to be stored in config.

  31. Demo: Remove Secrets from App Config
    1. Create a Secret in Key Vault
    2. App Service: Enable Managed Identity (MSI)
    3. Key Vault: Add an Access Policy for the MSI (the secret permission "Get" is enough to read it)
    4. Add Code to request the Secret from Key Vault.
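
What step 4 does on the wire, as an added example in Go (not the talk's C# demo code; a real app would normally use the Azure SDK's managed identity credential instead of hand-rolling this): on App Service the platform injects IDENTITY_ENDPOINT and IDENTITY_HEADER, the app asks that local endpoint for a token for the resource https://vault.azure.net, and then calls the Key Vault REST data plane with it. The environment variable names, the api-versions (2019-08-01 for the identity endpoint, 7.0 for Key Vault) and the X-IDENTITY-HEADER header are assumed from the App Service managed identity documentation; KEYVAULT_URL, the secret name DbConnectionString, and the fake servers with their header and token values are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"os"
)

// msiToken is the JSON the identity endpoint returns (fields not needed here omitted).
type msiToken struct {
	AccessToken string `json:"access_token"`
}

// GetManagedIdentityToken calls the local identity endpoint (api-version 2019-08-01). endpoint and
// headerSecret are the IDENTITY_ENDPOINT / IDENTITY_HEADER values App Service injects; the header
// proves the caller is the app's own process, so SSRF through the app cannot mint tokens.
func GetManagedIdentityToken(client *http.Client, endpoint, headerSecret, resource string) (string, error) {
	if endpoint == "" || headerSecret == "" {
		return "", fmt.Errorf("managed identity not available: IDENTITY_ENDPOINT/IDENTITY_HEADER unset")
	}
	q := url.Values{"resource": {resource}, "api-version": {"2019-08-01"}}
	req, err := http.NewRequest(http.MethodGet, endpoint+"?"+q.Encode(), nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("X-IDENTITY-HEADER", headerSecret)
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var tok msiToken
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&tok) != nil || tok.AccessToken == "" {
		return "", fmt.Errorf("identity endpoint: %s", resp.Status)
	}
	return tok.AccessToken, nil
}

// GetSecret reads the current version of one secret over the Key Vault data plane (REST api-version 7.0).
// The identity needs the "Get" secret permission in the vault's access policy, nothing more.
func GetSecret(client *http.Client, vaultURL, name, token string) (string, error) {
	u := vaultURL + "/secrets/" + url.PathEscape(name) + "?api-version=7.0"
	req, err := http.NewRequest(http.MethodGet, u, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var body struct{ Value string `json:"value"` }
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&body) != nil {
		return "", fmt.Errorf("key vault: %s", resp.Status)
	}
	return body.Value, nil
}

// FetchSecret is the whole "no secret in config" path: token first, then the secret.
func FetchSecret(endpoint, headerSecret, vaultURL, name string) (string, error) {
	client := &http.Client{}
	token, err := GetManagedIdentityToken(client, endpoint, headerSecret, "https://vault.azure.net")
	if err != nil {
		return "", err
	}
	return GetSecret(client, vaultURL, name, token)
}

// NewFakeAzure starts constructed local stand-ins (test doubles, not Azure) so the flow runs offline:
// the identity fake rejects a wrong header, the vault fake a wrong token or a secret the policy does not allow.
func NewFakeAzure(secretName, secretValue string) (endpoint, headerSecret, vaultURL string, closeFn func()) {
	const identitySecret, token = "constructed-identity-header", "constructed-access-token"
	identity := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-IDENTITY-HEADER") != identitySecret {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		json.NewEncoder(w).Encode(msiToken{AccessToken: token})
	}))
	vault := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token || r.URL.Path != "/secrets/"+secretName {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		json.NewEncoder(w).Encode(map[string]string{"value": secretValue})
	}))
	return identity.URL, identitySecret, vault.URL, func() { identity.Close(); vault.Close() }
}

func main() {
	endpoint, header, vaultURL := os.Getenv("IDENTITY_ENDPOINT"), os.Getenv("IDENTITY_HEADER"), os.Getenv("KEYVAULT_URL")
	if endpoint == "" { // not on App Service: use the offline fakes
		var closeFn func()
		endpoint, header, vaultURL, closeFn = NewFakeAzure("DbConnectionString", "Server=db;Password=constructed")
		defer closeFn()
	}
	fmt.Println(FetchSecret(endpoint, header, vaultURL, "DbConnectionString"))
}
```

On an App Service with MSI enabled and KEYVAULT_URL set this reads the real secret; anywhere else it falls back to the fakes. The point is what is absent: no client secret, no certificate, only the vault URL and the secret name in configuration, and the access policy from step 3 is exactly what the fake vault's "forbidden" branch models.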

  33. Recap
    ▪ Key Vaults store
    ▪ Keys: private key material can not leave Key Vault
    ▪ Secrets: arbitrary strings or bytes
    ▪ Certificates: X.509 certificates with their private keys
    ▪ Vault management via the Management Plane (Portal/ARM, secured by Azure RBAC)
    ▪ Key, secret and certificate usage via the Data Plane (REST API, secured by the Key Vault Access Policy)
    ▪ Scenarios
    ▪ Use Key Vault to enable IaaS Disk Encryption
    ▪ Use Key Vault to do Client Side Encryption for Storage
    ▪ Use Key Vault to keep secrets out of code and config with Managed Identity (MSI).

  34. Thank you!
    Manuel Meyer
    www.manuelmeyer.net
    @manumeyer1
    [email protected]
