Slide 1

Psst. Top Secret! Keeping Secrets with Azure Key Vault
Manuel Meyer, Azure Architect, Trivadis AG
www.manuelmeyer.net | @manumeyer1

Slide 4

Vulnerabilities
▪ "Bad Firewall Config"
▪ "Operating System Bugs"
▪ "Lazy Sysadmins"
▪ "Flawed Web Server Config"

Slide 5

Vulnerability Classification
▪ Applications: 83%
▪ Operating Systems: 13%
▪ Hardware: 4%

Slide 6

https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Slide 7

2 Problems: The User & the IT People

Slide 8

The User

Slide 9

My Approach (before)
"If you use the same password everywhere = no good"
▪ 1 Low Security Password: heybuddy24
▪ 1 High Security Password: htowi_fle98dk$$+djk(43.

Slide 10

My Approach (today)
▪ Keepass
▪ MFA

Slide 11

My Approach (today)
▪ qhjp7n0Qdnctw87G5cPg
▪ Lkjsdk32lkö2dlkj3klj%&/lkjs()
▪ slkjsEWeio***djfkl1109823lskjwJ
▪ …
▪ Single place for passwords
▪ Auto-complete
▪ 439 entries

Slide 12

www.haveibeenpwned.com Troy Hunt

Slide 14

Azure Key Vault in a Nutshell
1. Store and protect "Secret Stuff": Keys, Secrets, Certificates
2. "Provide" them to Cloud Apps and Services

Slide 15

Basics
▪ Key
  ▪ A cryptographic RSA key
  ▪ Keys CAN NOT be read from KV
  ▪ Apps must ask KV to encrypt, decrypt, sign
▪ Secret
  ▪ A sequence of bytes (under 25 KB)
  ▪ Authorized users write secrets to KV
  ▪ Authorized apps read secrets from KV
▪ Certificate

Slide 16

Basics
▪ Management Plane: "Manage the Secret Stuff" (RBAC)
▪ Data Plane: "Work with the Secret Stuff" (Access Policy)

Slide 17

Basics
▪ Software Protected Keys: FIPS 140-2 Level 1
▪ HSM Protected Keys: FIPS 140-2 Level 2
Pricing
▪ 10k Operations = 0.03 EUR
▪ Cert Renewal: 2.53 EUR
▪ HSM Keys: 0.84 EUR per Key
▪ HSM Advanced: 4.22 per Key

Slide 20

IaaS Disk Encryption
1. In Key Vault Access Policies, allow Disk Encryption
2. Create a Key
3. Configure Disk Encryption on the Virtual Machine
4. Reboot

Slide 23

Digital Envelope, CEK, KEK, What???
Source: Nilay Parikh, https://blog.nilayparikh.com/azure/development/best-practices-client-side-encryption-with-azure-storage-services/

Slide 24

Demo: Client Side Storage Encryption
1. Create a Storage Account (done)
2. Create an Application to upload a blob (done: ClientSideEncryptionDemo)
3. Register the Application in AAD (done); this creates a Service Principal (objectId, secret)
4. Configure the Application to use the Service Principal (done)
5. Create a Key in Key Vault: "ClientSideEncryptionKey"
6. Use a KV Access Policy to allow the App to use the Key "ClientSideEncryptionKey"
7. Run the Application

Slide 27

Let's write some code! App

Slide 28

www.shhgit.darkport.co.uk

Slide 29

Let's write some code! App

Slide 30

Goal: Remove Secrets from config
▪ 1. Use a Service Principal: needs objectId and Secret from the App Registration
▪ 2. Use a Managed Identity (MSI): App Service supports MSI

Slide 31

Demo: Remove Secrets from App Config
1. Create a Secret in Key Vault
2. App Service: Enable Managed Identity (MSI)
3. Key Vault: Add Access Policy for MSI
4. Add Code to Request Secret from Key Vault
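Steps 2 to 4 of this demo (and the MSI option from the "Goal" slide), as an added example that is not the talk's demo app: the app holds no secret of its own, it asks the managed-identity endpoint App Service injects (IDENTITY_ENDPOINT / IDENTITY_HEADER) for a token, then calls the Key Vault data plane, and a 403 there is what a missing access policy (step 3) looks like. The vault name demo-vault, the secret name and every value are constructed, and the HTTP transport is injected so the whole flow runs offline against a stand-in for both endpoints; the Azure SDK credential classes perform this same exchange for you.

```python
import json
import os
from typing import Callable, Dict, Mapping, Tuple
from urllib.parse import urlencode
# Transport the code is written against: (url, headers) -> (status, body); injected so the flow runs offline.
HttpGet = Callable[[str, Dict[str, str]], Tuple[int, str]]
KEY_VAULT_RESOURCE = "https://vault.azure.net"

def get_msi_token(http_get: HttpGet, env: Mapping[str, str] = os.environ) -> str:
    """Runtime side of step 2: App Service injects these two variables once MSI is enabled."""
    query = urlencode({"resource": KEY_VAULT_RESOURCE, "api-version": "2019-08-01"})
    status, body = http_get(f"{env['IDENTITY_ENDPOINT']}?{query}",
                            {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]})
    if status != 200:
        raise RuntimeError(f"managed identity token request failed: HTTP {status}")
    return json.loads(body)["access_token"]

def read_secret(http_get: HttpGet, vault: str, name: str, token: str) -> str:
    """Step 4: data-plane GET on the vault; the access policy from step 3 decides the outcome."""
    url = f"https://{vault}.vault.azure.net/secrets/{name}?api-version=7.4"
    status, body = http_get(url, {"Authorization": f"Bearer {token}"})
    if status == 403:
        raise PermissionError("vault denied access: add a Key Vault access policy for the MSI")
    if status != 200:
        raise RuntimeError(f"secret request failed: HTTP {status}")
    return json.loads(body)["value"]

def get_secret_via_msi(http_get: HttpGet, vault: str, name: str,
                       env: Mapping[str, str] = os.environ) -> str:
    return read_secret(http_get, vault, name, get_msi_token(http_get, env))

# Constructed stand-ins for both endpoints (only the JSON fields used above are modelled);
# policy_granted=False reproduces a vault that has no access policy for the identity.
FAKE_ENV = {"IDENTITY_ENDPOINT": "http://127.0.0.1:41234/msi/token",
            "IDENTITY_HEADER": "fake-identity-header"}

def make_fake_http_get(policy_granted: bool) -> HttpGet:
    def fake(url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        if url.startswith(FAKE_ENV["IDENTITY_ENDPOINT"]):
            if headers.get("X-IDENTITY-HEADER") != FAKE_ENV["IDENTITY_HEADER"]:
                return 401, "{}"
            return 200, json.dumps({"access_token": "fake-token", "token_type": "Bearer"})
        if url.startswith("https://demo-vault.vault.azure.net/secrets/"):
            if headers.get("Authorization") != "Bearer fake-token":
                return 401, "{}"
            if not policy_granted:
                return 403, json.dumps({"error": {"code": "Forbidden"}})
            return 200, json.dumps({"value": "s3cret-from-vault"})
        return 404, "{}"
    return fake
```

On a real App Service, supply an http_get built on urllib.request and call get_secret_via_msi(http_get, "<vault-name>", "<secret-name>") with the default environment.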

Slide 33

Recap
▪ Key Vaults store
  ▪ Keys: Can not leave Key Vault
  ▪ Secrets: Arbitrary strings
  ▪ Certificates: Certificates
▪ Secret Management via Management Plane (Portal, secured by AD RBAC)
▪ Secret Usage via Data Plane (REST API, Key Vault Access Policy)
▪ Scenarios
  ▪ Use Key Vault to enable IaaS Disk Encryption
  ▪ Use Key Vault to do Client Side Encryption for Storage
  ▪ Use Key Vault to keep secrets out of code with Managed Identity (MSI)

Slide 34

Thank you!
Manuel Meyer
www.manuelmeyer.net | @manumeyer1 | [email protected]