Key Vault Security

  • Question

  • Hello,

    We're considering using Azure Key Vault, but have many questions regarding its security, on some aspects.

    1. Firewall - we couldn't find any configuration for allowing access to the Key Vault from our servers only.
      Is there any way to set a firewall for the Key Vault?
    2. When using the Azure SDK for .NET, in order to connect to the Key Vault, we need to provide "Client ID" and "Client Secret" for an authorized account.
      However, storing these credentials in our application, will allow our developers (and anyone with access to the server) to "see" those credentials.
      We read about an option to provide a "Client ID" and a "Certificate", however we couldn't find documentation for this, and couldn't get it to work.
      This page explains how to get the certificate method to work, however it's outdated and doesn't actually work.

    Instead of using the Key Vault for storing keys, we could also use the "Secrets", which is even less documented:

    1. How often are keys rotated when using "Secrets"? We can't manually rotate those, as we don't have any access to the keys. Unless we manually move all "Secrets" to a different key store.
    2. We couldn't create a "Secret", as we receive the error: 'Operation "set" is not allowed'.
      Even when setting permissions to "all", the same error is returned.

    Thanks,
    Effy

    Tuesday, June 30, 2015 1:57 PM

Answers

  • Hi Effy,

    1. Firewall Configuration is currently not supported.
    2. You can use a certificate to authenticate with AAD. https://azure.microsoft.com/en-us/documentation/templates/windows-vm-push-certificate/ This is an example to deploy a cert into a VM using a template. https://www.microsoft.com/en-us/download/details.aspx?id=45343 This samples package contains an example of using Cert based authentication (Look under the samples/SampleAzureWebService directory)
    3. Key Vault currently does not support automatically rotating keys.
    4. Secrets and Keys have separate permissions. To be able to operate on Secrets, you need to use: Set-AzureKeyVaultAccessPolicy -VaultName <vaultname> -ResourceGroupName <rgname> -ServicePrincipalName <serviceprincipal> -PermissionsToSecrets all

    Regards,

    Shirisha Paderu

    Thursday, July 2, 2015 8:38 AM
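    The access-policy command above fixes the 'Operation "set" is not allowed' error, but granting `all` on secrets to the application's service principal also lets a compromised application host overwrite or delete every secret. The following PowerShell script is an added example, not code from the thread or from Microsoft; it uses the same `Set-AzureKeyVaultAccessPolicy` cmdlet and module generation as the answer, with constructed placeholder names for the vault, resource group and service principals. It shows the over-broad grant beside a split where the application identity only reads secrets and a separate operator identity is the only one allowed to create them, and ends by reading back the resulting access policies so the split can be verified.

```powershell
# Added example (not part of the original thread): least-privilege access policies
# for Azure Key Vault secrets using the Azure PowerShell KeyVault cmdlets referenced
# in the answer above. All names below are constructed placeholders.
$vaultName      = "contoso-kv"                              # placeholder vault name
$resourceGroup  = "contoso-rg"                              # placeholder resource group
$appSpn         = "00000000-0000-0000-0000-000000000001"    # placeholder: application service principal
$operatorSpn    = "00000000-0000-0000-0000-000000000002"    # placeholder: operator / deployment identity

# --- Over-broad grant (what the thread suggests, shown here as the weak setting) ---
# "all" includes set and delete, so whoever holds the app's credential or certificate
# can rewrite or remove every secret in the vault, not just read the ones it needs.
# Set-AzureKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroup `
#     -ServicePrincipalName $appSpn -PermissionsToSecrets all

# --- Corrected split ---
# The application identity only needs to read secrets at runtime.
Set-AzureKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroup `
    -ServicePrincipalName $appSpn -PermissionsToSecrets get,list

# The "set" operation (which produced the error in the question when missing) is granted
# to a separate operator identity that is used only when secrets are created or rotated.
Set-AzureKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroup `
    -ServicePrincipalName $operatorSpn -PermissionsToSecrets get,list,set,delete

# If the app also needs a key (for example to unwrap a data-encryption key), grant only
# the key operations it performs; keys carry their own permission list.
Set-AzureKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroup `
    -ServicePrincipalName $appSpn -PermissionsToKeys get,wrapKey,unwrapKey

# Create a secret as the operator identity (run while signed in as that principal).
# The value is passed as a SecureString, as the cmdlet requires.
$secretValue = ConvertTo-SecureString -String "placeholder-connection-string" -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName $vaultName -Name "sql-connection" -SecretValue $secretValue

# Verification: list the resulting access policies and check that the application
# principal has no "set" or "delete" on secrets. An unexpected "all" here is the
# misconfiguration to look for.
$vault = Get-AzureKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup
foreach ($policy in $vault.AccessPolicies) {
    "{0}`tsecrets={1}`tkeys={2}" -f $policy.ObjectId,
        ($policy.PermissionsToSecrets -join ","),
        ($policy.PermissionsToKeys -join ",")
}
```

    The point of the split is that the credential or certificate stored on the application server (the exposure the question worries about) can then only read the secrets the application is authorised for; rotating a secret is done under an identity that never lives on that server.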
  • To add on to Shirisha, also take a look at these articles that I blogged on; they might help in getting the certificate authentication working and also on different aspects of the key vault.


    Please mark posts as answers/helpful if it answers your query. This would be helpful for others facing the same kind of problem

    Friday, July 3, 2015 5:53 PM
