Getting Started with Azure Key Vault
Rahul P Nath
@rahulpnath
https://www.rahulpnath.com
“There are only two types of companies: Those that have been
hacked and those that will be hacked.”
Robert S. Mueller
FBI Director, 2012
“There are only two types of companies: Those that have been
hacked and those that don’t know they have been hacked.”
https://haveibeenpwned.com/
OWASP Top 10
Azure Key Vault
Cloud hosted, HSM (Hardware Security Module)-backed service for managing cryptographic keys and other secrets
Azure Key Vault
• Container of Objects
• Cost is per Object operations
$0.03 / 10,000 operations
http://bit.ly/keyvaultpricing
Objects
• Keys, Secrets and Certificates
• Identifier
https://{keyvault-name}.vault.azure.net/{object-type}/{object-name}/{object-version}
Keys
• RSA Keys (asymmetric public-private key cryptosystem)
https://mytestvault.vault.azure.net/keys/mytestkey/cfedea84815e4ca8bc19cf8eb943ee13
Secrets
• Octet sequences with no semantics
• Max 25k bytes each
• Connection Strings, Passwords etc.
https://mytestvault.vault.azure.net/secrets/mytestsecret/dcerea54614e4ca7ge14cf2eb943dd45
Certificates
• Import Existing Certificates
• Self-signed or Enrol from a Public Certificate Authority (DigiCert, GlobalSign and WoSign)
https://mytestvault.vault.azure.net/certificates/mycertificate/cfedea84815e4ca8bc19cf8eb943ee13
Typical Application Scenario
• Web Application, connects to a Database
• Connection String is in configuration file
Problems
• Security
• Maintenance
How Does Key Vault Fit In?
• Cloud Hosted
• Accessible over Web API
Demo
• Create Key Vault and Secret
Key Vault Authentication
• Azure Active Directory (AD) Application
• Access Policies
• Authenticate using Certificate or Secret
Demo
• Create Key Vault and Secret
• Create Azure AD Application
• Consuming Secret
Managed Service Identity
MSI (Code Changes)
// Token provider uses the app's managed identity; with no credentials in code
var azureServiceTokenProvider = new AzureServiceTokenProvider();
// Key Vault client obtains its bearer token through the provider callback
var keyVaultClient = new KeyVaultClient(
    new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
AzureServicesAuthConnectionString (environment variable read by AzureServiceTokenProvider when set)
RunAs=App;AppId=AppId;TenantId=TenantId;AppKey=Secret
RunAs=App;AppId=AppId;TenantId=TenantId;CertificateThumbprint=Thumbprint;CertificateStoreLocation=CurrentUser
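The two AzureServicesAuthConnectionString formats above differ in where the credential lives: the AppKey form puts a client secret straight into configuration, the certificate form points at a certificate store, and leaving the string out lets the token provider fall back to the managed identity. The checker below is an added example, not code from the talk or from the Microsoft library; it parses the slide's key=value;key=value format with a hand-written parser (the library's own parsing is not reproduced) and reports which mode a deployment is about to use, flagging the secret-in-config form. The set of recognised keys and the two store locations are assumptions for illustration.

```python
"""Classify AzureServicesAuthConnectionString values found in configuration (added example)."""

from dataclasses import dataclass, field
from typing import Optional

# Keys the two slide formats use; anything else is reported as unknown (assumed set).
KNOWN_KEYS = {"RunAs", "AppId", "TenantId", "AppKey",
              "CertificateThumbprint", "CertificateStoreLocation"}
STORE_LOCATIONS = {"CurrentUser", "LocalMachine"}   # assumed valid store locations


@dataclass
class AuthConfig:
    mode: str                      # managed-identity | app-secret | app-certificate | invalid
    fields: dict = field(default_factory=dict)
    warnings: list = field(default_factory=list)


def parse_connection_string(value: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict, tolerating a trailing ';'."""
    fields = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"segment without '=': {part!r}")
        key, _, val = part.partition("=")
        fields[key.strip()] = val.strip()
    return fields


def classify(value: Optional[str]) -> AuthConfig:
    """Decide how the app will authenticate given the configured string (if any)."""
    if not value:
        # No connection string: the token provider tries other sources, the
        # managed identity endpoint among them, so no credential sits in config.
        return AuthConfig(mode="managed-identity")

    try:
        fields = parse_connection_string(value)
    except ValueError as exc:
        return AuthConfig(mode="invalid", warnings=[str(exc)])

    cfg = AuthConfig(mode="invalid", fields=fields)
    unknown = set(fields) - KNOWN_KEYS
    if unknown:
        cfg.warnings.append(f"unknown keys: {sorted(unknown)}")

    if fields.get("RunAs") != "App":
        cfg.warnings.append("RunAs is not 'App'; only the App form is covered here")
        return cfg
    for required in ("AppId", "TenantId"):
        if not fields.get(required):
            cfg.warnings.append(f"missing {required}")
            return cfg

    if "CertificateThumbprint" in fields:
        # Certificate form: the private key stays in the certificate store.
        cfg.mode = "app-certificate"
        if fields.get("CertificateStoreLocation") not in STORE_LOCATIONS:
            cfg.warnings.append("CertificateStoreLocation should be CurrentUser or LocalMachine")
    elif "AppKey" in fields:
        # Secret form: a long-lived client secret is sitting in configuration.
        cfg.mode = "app-secret"
        cfg.warnings.append("AppKey places a client secret in configuration; prefer MSI or a certificate")
    else:
        cfg.warnings.append("RunAs=App needs either AppKey or CertificateThumbprint")
    return cfg


if __name__ == "__main__":
    # Constructed sample inputs mirroring the two slide formats.
    for sample in (None,
                   "RunAs=App;AppId=AppId;TenantId=TenantId;AppKey=Secret",
                   "RunAs=App;AppId=AppId;TenantId=TenantId;CertificateThumbprint=Thumbprint;CertificateStoreLocation=CurrentUser"):
        result = classify(sample)
        print(result.mode, result.warnings)
```

Run it against the value of the environment variable on each environment before go-live; an "app-secret" result is the case the Key Vault talk is arguing against, and "invalid" usually means a hand-edited string that the token provider will reject at runtime.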
Key Vault and Development Cycle
• Externalize into configuration
  Vault Url: https://{keyvault-name}.vault.azure.net
  Value: /{object-type}/{object-name}/{object-version}
• Sensitive information is managed separately
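The Objects slide gives the identifier shape https://{keyvault-name}.vault.azure.net/{object-type}/{object-name}/{object-version}, and this slide suggests storing only the relative value in application configuration next to a single vault URL. The code below is an added example, not part of the talk, that handles the identifier both ways: splitting a full identifier into vault, type, name and version, and rebuilding one from the configured vault URL plus the relative value. It also accepts an identifier with no version segment, which Key Vault treats as "latest". The *.vault.azure.net host check and the three allowed object types are assumptions made here for illustration; the sample identifiers are the ones from the slides.

```python
"""Parse and assemble Key Vault object identifiers (added example)."""

from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

VAULT_HOST_SUFFIX = ".vault.azure.net"                # assumed public-cloud vault DNS suffix
OBJECT_TYPES = {"keys", "secrets", "certificates"}    # the three object types on the slide


@dataclass(frozen=True)
class ObjectId:
    vault_name: str
    object_type: str
    object_name: str
    version: Optional[str]   # None means "latest version"

    @property
    def vault_url(self) -> str:
        return f"https://{self.vault_name}{VAULT_HOST_SUFFIX}"

    @property
    def value(self) -> str:
        """The relative part that is safe to keep in application configuration."""
        path = f"/{self.object_type}/{self.object_name}"
        return path + (f"/{self.version}" if self.version else "")

    @property
    def identifier(self) -> str:
        return self.vault_url + self.value


def split_value(value: str) -> Tuple[str, str, Optional[str]]:
    """Split '/{object-type}/{object-name}[/{object-version}]' into its segments."""
    segments = [s for s in value.split("/") if s]
    if len(segments) not in (2, 3):
        raise ValueError(f"expected /type/name[/version], got {value!r}")
    object_type = segments[0].lower()
    if object_type not in OBJECT_TYPES:
        raise ValueError(f"unknown object type {segments[0]!r}")
    version = segments[2] if len(segments) == 3 else None
    return object_type, segments[1], version


def parse_identifier(identifier: str) -> ObjectId:
    """Split a full identifier into vault, type, name and optional version."""
    parts = urlsplit(identifier)
    if parts.scheme != "https":
        raise ValueError("Key Vault identifiers are https URLs")
    host = parts.netloc.lower()
    if not host.endswith(VAULT_HOST_SUFFIX):
        raise ValueError(f"unexpected host {parts.netloc!r}")
    vault_name = host[: -len(VAULT_HOST_SUFFIX)]
    if not vault_name:
        raise ValueError("missing vault name")
    return ObjectId(vault_name, *split_value(parts.path))


def compose(vault_url: str, value: str) -> ObjectId:
    """Join the configured vault URL with a relative object value from config."""
    return parse_identifier(vault_url.rstrip("/") + "/" + value.lstrip("/"))


if __name__ == "__main__":
    # Sample identifier from the Keys slide.
    key = parse_identifier(
        "https://mytestvault.vault.azure.net/keys/mytestkey/cfedea84815e4ca8bc19cf8eb943ee13")
    print(key.vault_url, key.value)
    # The same secret identifier rebuilt from externalized configuration.
    secret = compose("https://mytestvault.vault.azure.net",
                     "/secrets/mytestsecret/dcerea54614e4ca7ge14cf2eb943dd45")
    print(secret.identifier)
```

Keeping the host check strict matters more than it looks: the relative value is the part that ends up in many config files, and joining it with a vault URL that an attacker could influence would send the application's token to the wrong host, so the vault URL itself should come from a setting that only the administrator manages.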
Visual Studio Connected Services
Further Reading
• Azure Key Vault Documentation
• Blog
• SQL Server Connector for Microsoft Azure Key Vault
Thank You
@rahulpnath
https://www.rahulpnath.com

Azure key vault - Brisbane User Group


Editor's Notes

  • #2 Story 1 There is a Zen teaching story about a student who comes to the Master and tells him "I'm getting really bored with just feeling my breath coming in and going out all the time. Don't you have a meditation that is more exciting?" The Zen Master replied, "Yes. You are now ready for a greater teaching. Follow me." With that, the Master led the student into a courtyard where there was a large barrel of water. "Gaze into the barrel," said the Master. As the student leaned over and looked in, the Zen Master suddenly pushed the student's head into the water. The Master was quite strong, and he was able to hold the student under the water for quite a while, even though the student struggled desperately. Finally, the Master let the student come up for air, and as the student gasped the Master asked, "So... is that breath boring?" Story 2 https://www.psychologytoday.com/au/blog/the-dance-connection/201503/unforgettable-zen-story-about-letting-go Two traveling monks reached a town where there was a young woman waiting to step out of her sedan chair. The rains had made deep puddles and she couldn't step across without spoiling her silken robes. She stood there, looking very cross and impatient. She was scolding her attendants. They had nowhere to place the packages they held for her, so they couldn't help her across the puddle. The younger monk noticed the woman, said nothing, and walked by. The older monk quickly picked her up and put her on his back, transported her across the water, and put her down on the other side. She didn't thank the older monk, she just shoved him out of the way and departed. As they continued on their way, the young monk was brooding and preoccupied. After several hours, unable to hold his silence, he spoke out. "That woman back there was very selfish and rude, but you picked her up on your back and carried her! Then she didn't even thank you!" "I set the woman down hours ago," the older monk replied. "Why are you still carrying her?"
  • #6 Lots of reasons for applications ending up in here – Not updating patches, publicly exposed backups, XSS vulnerabilities, connection strings etc.
  • #7 This was A6 in the 2013 list and has moved higher in the list since.
  • #8 Lots of places where we expose application-specific sensitive information (Google dorks).
  • #10 The service is exposed over a REST API. Supports hardware and software keys.
  • #11 HSM Device, keys are stored on physical device
  • #12 It’s just like a dictionary that holds some keys and values
  • #15 The initial version supports only RSA keys. Future versions may support other key types, but it has been over 3 years like that. The private portion never leaves the boundary of the vault. Key operations, with (local) marking the half that can be done outside the vault with the public part: Sign / Verify (local), Encrypt (local) / Decrypt, Wrap (local) / Unwrap.
  • #17 Octet sequence - The term is often used when the term byte might be ambiguous, as the byte has historically been used for storage units of a variety of sizes. The Azure Key Vault service does not provide any semantics for secrets; it merely accepts the data, encrypts and stores it, returning a secret identifier, “id”, that may be used to retrieve the secret at a later time.
  • #19 When a Key Vault certificate is created, an addressable key and secret are also created with the same name. The Key Vault key allows key operations and the Key Vault secret allows retrieval of the certificate value as a secret. A Key Vault certificate also contains public x509 certificate metadata.
  • #21 Security: anyone that has access to config/servers. Maintenance: to change a connection string you need to change it in all applications that use it. Similarly with certificates: they expire and you realize only after the applications go down.
  • #25 Access Policies are at the object type level (Keys, Secrets, Certificates). To set policies at the individual key level you will need to create different key vaults.
  • #28 Azure Portal changes. Managed Service Identity (MSI) makes solving this problem simpler by giving Azure services an automatically managed identity in Azure Active Directory (Azure AD). You can use this identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without having any credentials in your code.
  • #30 Separate the Vault url and the object identifier part if you want to avoid repeating the URL. Admin can manage the sensitive information separately
  • #31 When I was a kid, when we first learned about logarithms, our teacher made us get a log table, a physical book, and then taught us to use that to find the log of numbers. Basically, for those who have not used that before: you go through a big table of values, first find the right table for your base, find the right cell, and then if you want to improve precision you do a set of other steps and finally arrive at the value. It took a few days for us to get used to it. And then we were all, that's when the teacher introduced calculators. Similarly with programming, we were made to use a notepad with no IntelliSense etc. and then code, and use the command line to build programs. And when we were able to get things working, IDEs were Often you find value when you understand how things work and then take the shortcuts or easier routes for the same problem, so then you know how to find your way through when things go wrong.