Skip to content
Carmel Eve By Carmel Eve Software Engineer I
How does Azure Key Vault help me secure my data?

Azure Key Vault is a centralised service for storing sensitive application data.

Vaults

A key vault is a secure container for storing sensitive data. When moving to the cloud, security boundaries between different bits of sensitive data are important to preserve. Having multiple vaults to store this data allows you to logically isolate the sensitive data which you are storing.

Each key vault is a collection of cryptographic keys and cryptographically protected data (known as secrets). The key vault controls access to the keys and secrets.

Keys

A cryptographic key is designed for a single use case. For example you can store the asymmetric keys used for Azure RMS (which is the technology used in Azure Information Protection), or those used for SQL Server Encryption.

Once the keys have been added to the key vault, applications never have direct access to the keys. Instead they are used by envoking cryptographic methods on the key vault. Key vault performs the requested operation within its hardened boundary.

The keys which are added can be either a single instance or they can be versioned (with old versions of the keys being archived).

The keys can be protected in one of two ways:

**Hardware protected keys **

You can choose to protect the keys using hardware security modules (HSMs).

Hardware security modules are a physical devices which are used for protecting and managing keys.

HSM backed keys are locked inside of the boundary of the provided HSM. Any operations that need to happen using those keys are performed inside of those boundaries. So when you ask the key vault to decrypt/sign in with a key this operation will happen inside of the HSM boundary.

You can bring your own HSM, or you can use those provided by Azure Dedicated HSM service.

Software protected keys

Key vault can also generate and protect keys using software encryption algorithms. When using these software protected keys:

  • Keys are isolated from the applications in a container that you manage.
  • They are stored at rest encrypted with HSMs.
  • You can monitor the keys using Key Vault logs.

There are two main differences between hardware and software protected keys, and these are:

  1. The price - it is cheaper to use software protected keys than hardware protected keys.
  2. When the operations are performed, they are done using Azure compute services rather than within HSMs.

You choose the key generation type when you create the keys.

Different uses of key vault

Secrets management

You can store tokens, passwords, certificates, API keys, etc. securely within HSMs. Using the Key Vault you can control access to these secrets using access policies.

Key management

Key Vault provides a cloud based key management solution. Using this you can create and control keys used to encrypt data. You can then integrate other services with key vault and decrypt secrets without knowing the encryption keys.

Certificate management

Using Key Vault we can provision, manage and deploy public and private SSL/TLS certificates.

Managing access

There are two different levels of management:

  • Managing the Key Vault itself.
  • Access to the data contained in the Key Vault.

The creation of the key vault and other actions related to management are separate to storing and retrieving secrets. Access has two components:

  • Authentication - This is needed to identify the caller for operations.
  • Authorisation - Once a caller is identified, authorisation is used to determine what operations the caller can perform.

Azure Active Directory is used to authenticate users and applications which try to access the vault. This authentication is performed by the AAD tenant that the Key Vault is a part of. All users and apps must be known to Active Directory, anonymous access is not permitted.

Management operations are controlled by RBAC. Creation and management are all controlled by RBAC roles. The storing and retrieving of secrets is managed via access policies. These access policies are assigned at certain scopes. You can assign an access policy where a user can e.g, get, list, create, update, decrypt keys. Similarly there are specific copes for managing secrets and certificates.

You can also restrict network access to the key vaults. You can restrict the endpoints to Azure Virtual Networks (AVNs), IP addresses, etc.

Best practices

There are a few best practices for managing sensitive data with Key Vault:

  • You should tightly control what users have access to. Human users having access to sensitive data is always a security risk.
  • Access should only be given at specific scopes.
  • You should store all certificates in the Key Vault.
  • You should ensure that you can recover if the Key Vaults should get deleted/corrupted.

Carmel Eve

Software Engineer I

Carmel Eve

Carmel is a software engineer, LinkedIn Learning instructor and STEM ambassador.

Over the past four years she has been focused on delivering cloud-first solutions to a variety of problems. These have ranged from highly-performant serverless architectures, to web applications, to reporting and insight pipelines and data analytics engines.

In her time at endjin, she has written many blog posts covering a huge range of topics, including deconstructing Rx operators and mental well-being and managing remote working.

Carmel's first LinkedIn Learning course on how to prepare for the Az-204 exam - developing solutions for Microsoft Azure - is due for release next month. And over the last couple of years she has also spoken at NDC, APISpecs and SQLBits. These talks covered a range of topics, from reactive big-data processing to secure Azure architectures.

She is also passionate about diversity and inclusivity in tech. She is a STEM ambassador in her local community and is taking part in a local mentorship scheme. Through this work she hopes to be a part of positive change in the industry.

Carmel won "Apprentice Engineer of the Year" at the Computing Rising Star Awards 2019.