I am not able to generate the DataProtectionKeyRing when I am storing it in the Azure Blob Storage and protecting it using Key vault key. Using UseCookieAuthentication middleare for authentication. Only storing it on Azure Blob Storage works but protecting it using key vault not generating the key in blob storage. My application is in .Net 4.8. I am using the Azure.Extensions.AspNetCore.DataProtection.Keys nuget package.
I tried all the overloads of the ProtectKeysWithAzureKeyVault but non of them creating the key on blob storage.
Related
I have to configure RSA HSM Public and private key in the azure key vault and save the data in encrypted form.
For added assurance, when you use Azure Key Vault, you can import or generate keys in hardware security modules (HSMs) that never leave the HSM boundary. This scenario is often referred to as bring your own key, or BYOK. The HSMs are FIPS 140-2 Level 2 validated. Azure Key Vault uses nCipher nShield family of HSMs to protect your keys.
More information about generating and transferring an HSM-protected key over the Internet:
You generate the key from an offline workstation, which reduces the attack surface.
The key is encrypted with a Key Exchange Key (KEK), which stays encrypted until it is transferred to the Azure Key Vault HSMs. Only the encrypted version of your key leaves the original workstation.
The toolset sets properties on your tenant key that binds your key to the Azure Key Vault security world. So after the Azure Key Vault HSMs receive and decrypt your key, only these HSMs can use it. Your key cannot be exported. This binding is enforced by the nCipher HSMs.
The Key Exchange Key (KEK) that is used to encrypt your key is generated inside the Azure Key Vault HSMs and is not exportable. The HSMs enforce that there can be no clear version of the KEK outside the HSMs. In addition, the toolset includes attestation from nCipher that the KEK is not exportable and was generated inside a genuine HSM that was manufactured by nCipher.
The toolset includes attestation from nCipher that the Azure Key Vault security world was also generated on a genuine HSM manufactured by nCipher. This attestation proves to you that Microsoft is using genuine hardware.
Microsoft uses separate KEKs and separate Security Worlds in each geographical region. This separation ensures that your key can be used only in data centers in the region in which you encrypted it. For example, a key from a European customer cannot be used in data centers in North American or Asia.
For implementing bring your own key (BYOK) , please visit here
Hope it helps.
My current customer has secrets stored in Blob Storage and we want to propose them to migrate to KeyVault. May I know what are the benefits or storing secrets into KeyVault as compared to Blob?
When I read the documentation, KeyVault uses the HSM to protect the keys and secrets but Blob also uses the encryption which is also secure. so what are the other advantages?
I'd say that in general they look very similar, however I'd say the most important difference between the two would be the authorization model.
Access to a storage account is done by one of the two available connectionstrings/keys. Access to a KeyVault can be assigned directly to users or groups (from AAD) and the access to resources within the Key vault can be configured with more granularity. Next to that it is very easy to limit the type of resources from within azure that may or may not retrieve data from a KeyVault, reducing the attack service.
Storage accounts do have AAD integration currently in preview, but what i gather is that that is mostly focusing on the Azure file share functionality (https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview).
Another nice differentiation is definitely the integrations that are already available when using KeyVault (i.e. Retrieving Azure DevOps secrets directly from a KeyVault or automatically retrieving Certificates for VMs)
FYI, i'm by no means a KeyVault expert but that's just my 2 cents :)
Any idea if store and retrieval (export the symmetric key out of keyvault) of symmetric keys is supported in Azure Kev vault or possible? I referenced Azure Keyvault documents here and it mentions the Symmetric keys are not supported and may be supported in future (not sure though if the documentation I read is current).
If it’s not supported, is there a way to simulate this using other interfaces like Secrets? Could you share a sample code to do this using Azure Keyvault REST API?
You are right about storing the symmetric keys as secrets.
REST API
Here is a detailed article around the code involved to do this using REST API
http://thuansoldier.net/7329/
.NET SDK
Here is the nuget package
https://www.nuget.org/packages/Microsoft.Azure.KeyVault/
You can use the KeyVaultClient class and GetSecretAsync method.
Here is an example on Microsoft Docs - https://learn.microsoft.com/en-us/azure/key-vault/key-vault-use-from-web-application
Similar SDKs are available for Node.js, Java and Python
I need to use webdav in my application but i have one question which is related to azure blob storage support.
Is it possible to integrate azure blob storage with webdav?
With EngineYard recently adding Azure's IAAS in their bucket, one of our client is deciding to migrate to Azure blob storage.
In the application, we are using predefined S3 data store settings for dragonfly and in there, other settings are available for various cloud services as well.
Has anyone implemented dragonfly's data store for Azure blob storage?