Skip to content
  1. We help small teams achieve big things.
  2. Our Technical Fellow just became a Microsoft MVP!
  3. We run the Azure Weekly newsletter.
  4. We just won 2 awards.
  5. We just published Programming C# 8.0 book.
  6. We run the Power BI Weekly newsletter.
  7. Our NDC London 2020 talk is now available online!
  8. We are school STEM ambassadors.
Carmel Eve By Carmel Eve Software Engineer I
How does Azure Key Vault help me secure my data?

Azure Key Vault is a centralised service for storing sensitive application data.

Vaults

A key vault is a secure container for storing sensitive data. When moving to the cloud, security boundaries between different bits of sensitive data are important to preserve. Having multiple vaults to store this data allows you to logically isolate the sensitive data which you are storing.

Each key vault is a collection of cryptographic keys and cryptographically protected data (known as secrets). The key vault controls access to the keys and secrets.

Keys

A cryptographic key is designed for a single use case. For example you can store the asymmetric keys used for Azure RMS (which is the technology used in Azure Information Protection), or those used for SQL Server Encryption.

Once the keys have been added to the key vault, applications never have direct access to the keys. Instead they are used by envoking cryptographic methods on the key vault. Key vault performs the requested operation within its hardened boundary.

The keys which are added can be either a single instance or they can be versioned (with old versions of the keys being archived).

The keys can be protected in one of two ways:

**Hardware protected keys **

You can choose to protect the keys using hardware security modules (HSMs).

Hardware security modules are a physical devices which are used for protecting and managing keys.

HSM backed keys are locked inside of the boundary of the provided HSM. Any operations that need to happen using those keys are performed inside of those boundaries. So when you ask the key vault to decrypt/sign in with a key this operation will happen inside of the HSM boundary.

You can bring your own HSM, or you can use those provided by Azure Dedicated HSM service.

Software protected keys

Key vault can also generate and protect keys using software encryption algorithms. When using these software protected keys:

  • Keys are isolated from the applications in a container that you manage.
  • They are stored at rest encrypted with HSMs.
  • You can monitor the keys using Key Vault logs.

There are two main differences between hardware and software protected keys, and these are:

  1. The price - it is cheaper to use software protected keys than hardware protected keys.
  2. When the operations are performed, they are done using Azure compute services rather than within HSMs.

You choose the key generation type when you create the keys.

Different uses of key vault

Secrets management

You can store tokens, passwords, certificates, API keys, etc. securely within HSMs. Using the Key Vault you can control access to these secrets using access policies.

Key management

Key Vault provides a cloud based key management solution. Using this you can create and control keys used to encrypt data. You can then integrate other services with key vault and decrypt secrets without knowing the encryption keys.

Certificate management

Using Key Vault we can provision, manage and deploy public and private SSL/TLS certificates.

Managing access

There are two different levels of management:

  • Managing the Key Vault itself.
  • Access to the data contained in the Key Vault.

The creation of the key vault and other actions related to management are separate to storing and retrieving secrets. Access has two components:

  • Authentication - This is needed to identify the caller for operations.
  • Authorisation - Once a caller is identified, authorisation is used to determine what operations the caller can perform.

Azure Active Directory is used to authenticate users and applications which try to access the vault. This authentication is performed by the AAD tenant that the Key Vault is a part of. All users and apps must be known to Active Directory, anonymous access is not permitted.

Management operations are controlled by RBAC. Creation and management are all controlled by RBAC roles. The storing and retrieving of secrets is managed via access policies. These access policies are assigned at certain scopes. You can assign an access policy where a user can e.g, get, list, create, update, decrypt keys. Similarly there are specific copes for managing secrets and certificates.

You can also restrict network access to the key vaults. You can restrict the endpoints to Azure Virtual Networks (AVNs), IP addresses, etc.

Best practices

There are a few best practices for managing sensitive data with Key Vault:

  • You should tightly control what users have access to. Human users having access to sensitive data is always a security risk.
  • Access should only be given at specific scopes.
  • You should store all certificates in the Key Vault.
  • You should ensure that you can recover if the Key Vaults should get deleted/corrupted.

Carmel Eve

Software Engineer I

Carmel Eve

Carmel has recently graduated from our apprenticeship scheme.

Over the past four years she has been focused on delivering cloud-first solutions to a variety of problems. These have ranged from highly-performant serverless architectures, to web applications, to reporting and insight pipelines and data analytics engines. She has been involved in every aspect of the solutions built, from deployment, to data structures, to analysis, querying and UI, as well as non-functional concerns such as security and performance.

Throughout her apprenticeship, she has written many blogs, covering a huge range of topics. She has also given multiple talks focused on serverless architectures. The talks highlighted the benefits of a serverless approach, and delved into how to optimise the solutions in terms of performance and cost.

She is also passionate about diversity and inclusivity in tech. Last year, she became a STEM ambassador in her local community and is taking part in a local mentorship scheme. Through this work she hopes to be a part of positive change in the industry.

Carmel won "Apprentice Engineer of the Year" at the Computing Rising Star Awards 2019.