Azure Key Vault is design to simplify the secrets, keys and certificates management. The secrets and keys can be protected by either software or FIPS (Federal Information Processing Standards) 140-2 level 2 validates HSMs (Hardware Security Modules).
If application is using Azure Key Vault then application developers do not need to store connection string and other keys in application source code. Keys and secrets are available at centralize location so distribution becomes quite easy and secure. Also, no extra coding effort is required to protect these Keys in Key Vault further.
Keys and secrets are protected using Industry-Standard algorithm, key length and HSMs. If an application requires a key then it has to authenticate and authorize. Authentication is performed through Azure Active Directory. Authorization is done using role-based access control or Key Vault access policy.
Access of keys and secrets from Key Vault can be monitor in Azure. The monitoring can be started by enabling logging for Key Vault. Key Vault can also be configure to archive to a storage account, stream to an event hub and feed the logs to Azure Monitor logs. The logs can be restricted to access based on the permission and if not required, can be archived as well.
It really simplifies application secrets administration. With Key Vault, replication of the contents is possible within a region and to a secondary region which helps during the application failover. Administration options are available using portal, Azure CLI and PowerShell.
Further, Key Vaults allow you to segregate application secrets. Applications may access only the vault that they are allowed to access. We can have a Key Vault per application. Key Vault can be integrated with Azure Disk Encryption, SQL server, Azure SQL Database and Azure App Service.
Key Vault Authentication
To perform any operation with Key Vault, authentication is must. Azure Key Vault supports three type of authentication.
- Managed Identity for Azure Resources
- Service principal and certificate
- Service principal and secrets
Key Vault Roles
- Developer for an Azure Application
- Developer for software as a service (SaaS)
- Chief Security Officer
An administrator can perform below operations to manage the Key Vault.
- Create/Import key or secret.
- Delete key or secret.
- Provide key vault access to users or applications
- Configure key usage
- Monitor key usage
Steps to create Key Vault using Azure portal
- Login to Azure Portal
- Go to All Services, search for Key Vaults, select it.
- Enter the basic details about Key Vault in basics tab and click on Review + Create
- If validation passes then click on Create. After couple of minute, key vault will create in the selected region with chosen pricing tire.
- There are two pricing tire in key vault, Standard and Premium( includes supports for HSM backed keys)
Once Key Vault is created that can be seen in azure resource group. The key vault one of the best way to secure keys and secrets.
Leave a Reply