Azure key vault
Download as PPTX, PDF3 likes2,671 views
Azure Key Vault is a cloud service that securely stores keys, secrets, and certificates. It allows storing cryptographic keys and secrets that applications and services use while keeping them safe from unauthorized access. Key Vault uses hardware security modules to encrypt keys and secrets. Typical applications would store secrets like connection strings in Key Vault rather than configuration files for improved security and management. Key Vault integrates with Azure Active Directory for authentication so applications can access secrets securely.
Azure key vault
- 1. Getting Started with Rahul P Nath Azure Key Vault
- 2. Azure Key Vault Cloud hosted, HSM(Hardware Security Modules)- backed service for managing cryptographic keys and other secrets
- 4. Azure Key Vault • Container of Objects • Cost is per Object operations $0.03 / 10,000 operations http://bit.ly/keyvaultpricing
- 5. Objects • Keys, Secrets and Certificates • Identifier https://{keyvault-name}.vault.azure.net/{object-type}/{object-name}/{object-version}
- 6. Keys • RSA Keys (asymmetric public-private key cryptosystem) https://mytestvault.vault.azure.net/keys/mytestkey/cfedea84815e4ca8bc19cf8eb943ee13
- 8. Secrets • Octet sequences with no semantics • Connection Strings, Passwords etc. https://mytestvault.vault.azure.net/secrets/mytestsecret/dcerea54614e4ca7ge14cf2eb943dd45
- 9. Certificates • Import Existing Certificates, Self-signed or Enrol from Public Certificate Authority (DigiCert, GlobalSign and WoSign) https://mytestvault.vault.azure.net/certificates/mycertificate/cfedea84815e4ca8bc19cf8eb943ee13
- 10. Typical Application Scenario • Web Application, connects to a Database • Connection String is in configuration file
- 12. How Key Vault Fits in? • Cloud Hosted • Accessible over Web API
- 14. Demo • Create Key Vault and Secret
- 15. Key Vault Authentication • Azure Active Directory (AD) Application • Access Policies • Authenticate using Certificate or Secret
- 16. Demo • Create Key Vault and Secret • Create Azure AD Application • Consuming Secret
- 17. Key Vault and Development Cycle • Externalize into configuration Vault Url https://{keyvault-name}.vault.azure.net Value /{object-type}/{object-name}/{object-version} • Sensitive information is managed separately
Editor's Notes
- #3: Service is exposed over a REST API Supports Hardware and Software Keys
- #4: HSM Device, keys are stored on physical device
- #7: Private portion never leaves the boundary of the vault Sign/Verify (local) Encrypt (local)/Decrypt Wrap local)/Unwrap
- #12: Anyone that has access to config/servers To change a connection string you need to change in all applications that uses it.
- #16: Access Policies are at the Object type level – Keys, Secrets, Certificates To set policies at the key level will need to create different key vaults
- #18: Separate the Vault url and the object identifier part if you want to avoid repeating the URL. Admin can manage the sensitive information separately