Looking for guidance on what items to store in a simple configuration file versus an Azure Key Vault?
For example, an SQL Database name should be stored in a configuration file while its password should be stored in a KeyVault. Is this correct?
Should there be a key vault for each environment (I think not) or simply one for production and one for non-production?
Yes, you can just store the password of SQL Database in azure key vault and store the database name in configuration file, or we can store the whole connection string of the database in azure key vault.
For your second question about should there be a key vault for each environment, I think it's unnecessary for us to create multiple key vault for each environment, you can just separate them with several different names in one key vault.
Anything that should be protected (passwords, certs, API keys, etc..) should be in a Key Vault and have strict access policies assigned to it.
Agree with Hury on the first half; however, disagree on the one key vault for all environments. Different access policies will be applied for different environments.
Your developers may want access to the Key Vault for the dev credentials. As such they'd have an access policy to the dev Key Vault. I would not want to grant them access to a production Key Vault, which would give them access to all the keys in it.
Key Vault is a globally available resource. So if you have multiple instances in different regions connecting that is fine as you wouldn't need to have a separate Key Vault in a different region from a disaster recovery and availability standpoint.
Here is a similar quesiton and also link to Microsoft best practices which supports this
Related
How do you manage clientId and clientCredentials of an OIDC(or OAuth2) application's deployment consisting of multiple instances fronted by let's say an L7 load balancer ?
Do you maintain separate clientId/clientCredential for each application instance ?
If yes, how do you manage clientId/clientCredentials for dynamically provisioned instance (E.g. Kubernetes/AWS adding a new application instance in response to a health check failure or a scale-out event)
If you share clientId/clientCredentials across multiple application instances,Isn't that violating the basic rule (i.e. 'secret' is no longer a secret anymore) ?
Also, Compromise of any individual instance by potential attackers, kind of impacts the entire deployment.
If you share clientId/clientCredentials across multiple application
instances,Isn't that violating the basic rule (i.e. 'secret' is no
longer a secret anymore)
Instead of using the secret, you can leverage the Hashicorp Vault which will store and inject the environment variable to the deployment. You can implement encryption at rest and other security options like RBAC on vault UI access.
Yes, secret is base64 encoded not encrypted if you have a large team managing a cluster and RBAC is not set everyone having access to the cluster will be able to decode the secret.
Read more about the has corp vault : https://www.vaultproject.io/
With Kubernetes : https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-raft-deployment-guide?in=vault%2Fkubernetes
Once the vault is set and you have created the secret into it with values you can refer my answer for more details injecting the secret to deployment : https://stackoverflow.com/a/73046067/5525824
I have a load-balanced web app that has two app services, one for east and one for west. An issue has been occurring where AntiForgeryTokens are not being decrypted properly, and in my research this seems to be due to mismatched machinekeys which were automatically generated at runtime on the two app services.
The obvious solution here is to add the machinekey parameter to the web.config in both instances, so the decryption keys are the same.
My issue however, comes from the fact that our repo does not allow any sort of secrets within the repository. Instead, we are required to use Azure Key Vault and dynamically load in the values as the app starts.
My question, is how do I solve this problem without relying on storing secret values in the web.config file? I've tried searching for dynamically setting the decryption key, to no avail. Apologies if this is a common issue.
For application running on windows app service, you can use the settings described here:
It will allow you to inject the same machine key values for all your app services.
IF you enable managed identity, you could store the machine values in key vault and use key vault reference in the app service app settings:
#Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret)
My current customer has secrets stored in Blob Storage and we want to propose them to migrate to KeyVault. May I know what are the benefits or storing secrets into KeyVault as compared to Blob?
When I read the documentation, KeyVault uses the HSM to protect the keys and secrets but Blob also uses the encryption which is also secure. so what are the other advantages?
I'd say that in general they look very similar, however I'd say the most important difference between the two would be the authorization model.
Access to a storage account is done by one of the two available connectionstrings/keys. Access to a KeyVault can be assigned directly to users or groups (from AAD) and the access to resources within the Key vault can be configured with more granularity. Next to that it is very easy to limit the type of resources from within azure that may or may not retrieve data from a KeyVault, reducing the attack service.
Storage accounts do have AAD integration currently in preview, but what i gather is that that is mostly focusing on the Azure file share functionality (https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview).
Another nice differentiation is definitely the integrations that are already available when using KeyVault (i.e. Retrieving Azure DevOps secrets directly from a KeyVault or automatically retrieving Certificates for VMs)
FYI, i'm by no means a KeyVault expert but that's just my 2 cents :)
I'm receiving a secret encrypted with Key A, and need to send it somewhere else encrypted under Key B.
Both keys can be symmetric or asymmetric - but I'd like to achieve this within the vault itself (first prize) - (avoiding a decrypt, having the secret in the clear, then an encrypt).
Is this possible with Azure Key Vault? If not, any workarounds?
Thanks.
As far as I am aware, at this point in time, it is not possible with the current Key Vault API's. The way I think of Key Vault at this point in time is it's just a tailored service for storing and gaining access to Keys, Secrets, Certificates and managing applications and users that can access them (with some fancy bits on top).
You will need to decrypt and re-encrypt somewhere outside of Key Vault.
One possible workaround though given you are in Azure is to create an Azure Function to do this work. At least then the process of the translation happens inside an isolated Function context (in Azure). The beauty of using an Azure Function is that you could do this with minimal code and without a full application, but you would need to ensure that Function can only be utilised by you.
A possible workflow could be:
1) If Key A is not in Key Vault, upload it.
2) If Key B is not in Key Vault, upload it.
3) Run Azure Function with inputs for Key Vault identifiers for Key A, Key B and A(Secret). Do the conversion and then the Function could store B(Secret) in Key Vault (or another Key Vault if you have access to one).
Alternatively it could just output the new encrypted secret.
C# Key Vault Client:
https://learn.microsoft.com/en-us/azure/key-vault/key-vault-use-from-web-application
An example of Azure Function and Key Vault in C# for reference: http://www.rahulpnath.com/blog/azure-key-vault-from-azure-functions/
I am doing some initial research and I am unable to find a clear answer for my problem. The plan is to have multiple environments, (i.e. Dev, Prod, and QA) would I need to have a new instance of Azure Key Vaults for each environment or would I just be able to share the data between them?
I would rather advise to use separate Key Vault instances for the different environments. You can avoid "mixing" secrets across environments by mistake and you have clear separation.
Microsoft officially recommends this approach too:
Our recommendation is to use a vault per application per environment (Development, Pre-Production and Production).
You can read more in the official documentation
Multiple resources/entities can access a single Key Vault instance - provided they're all in the same location (data centre).
You may choose to segment your keys, secrets and certificates, either by placing them in different Key Vaults or by using different access methods/identities, however that's not necessary.
The only time you need a separate Key Vault instance is when the resources/entities accessing it are in another location (data centre/region).
It's worth noting that you don't need to worry too much about provisioning Disaster Recovery for resources using Key Vault, as the SLA Microsoft provide is unsurprisingly good: https://learn.microsoft.com/en-gb/azure/key-vault/key-vault-disaster-recovery-guidance. One caveat to that would be if you're running IaaS/PaaS instances and want to run a DR fail-over yourself to another data centre, at which point you'd need to manually migrate the keys/secrets/certificates in your main Key Vault into another instance (and re-point your VMs accordingly)