- Azure Key Vault is a cloud service that works as a secure secrets store.
- You can use it to store passwords, connection strings, and other sensitive pieces of information.
- Key Vault allows you to create multiple secure containers, called vaults.
- These vaults are backed by hardware security modules (HSMs).
- Vaults help reduce the chances of accidental loss of security information by centralizing the storage of application secrets.
- Key Vaults also control and log the access to anything stored in them.
- You can do this by enabling logging for Key Vault.
- You can configure Azure Key Vault to:
  - Archive to a storage account.
  - Stream to an event hub.
  - Send the logs to Log Analytics.
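Once the AuditEvent logs described above are archived or streamed, they can be reviewed for access that does not match the intended callers. The following is an added example, not code from the original page or from Microsoft: it parses constructed records shaped like Key Vault AuditEvent entries (the field names `operationName`, `callerIpAddress`, `identity.claim.appid` and `properties.httpStatusCode` are assumed from that schema; the vault name, app ids and IP addresses are made up) and flags data-plane calls from unexpected networks and callers accumulating denied requests.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample: one JSON AuditEvent record per line, as exported to a
# storage account or Log Analytics. Vault name, app ids and IPs are made up.
SAMPLE_LOG = """
{"operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"10.0.0.5","identity":{"claim":{"appid":"app-web"}},"properties":{"httpStatusCode":200,"id":"https://contoso-kv.vault.azure.net/secrets/db-conn/a1b2"}}
{"operationName":"VaultGet","resultSignature":"OK","callerIpAddress":"10.0.0.7","identity":{"claim":{"appid":"app-ops"}},"properties":{"httpStatusCode":200,"id":"https://contoso-kv.vault.azure.net/vaults/contoso-kv"}}
{"operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"203.0.113.9","identity":{"claim":{"appid":"app-batch"}},"properties":{"httpStatusCode":403,"id":"https://contoso-kv.vault.azure.net/secrets/db-conn"}}
{"operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"203.0.113.9","identity":{"claim":{"appid":"app-batch"}},"properties":{"httpStatusCode":403,"id":"https://contoso-kv.vault.azure.net/secrets/api-key"}}
{"operationName":"SecretList","resultSignature":"Forbidden","callerIpAddress":"203.0.113.9","identity":{"claim":{"appid":"app-batch"}},"properties":{"httpStatusCode":403,"id":"https://contoso-kv.vault.azure.net/secrets"}}
{"operationName":"KeyGet","resultSignature":"OK","callerIpAddress":"198.51.100.4","identity":{"claim":{"appid":"app-web"}},"properties":{"httpStatusCode":200,"id":"https://contoso-kv.vault.azure.net/keys/signing/77ff"}}
"""

# Operations on vault contents (data plane); "Vault*" operations are management plane.
DATA_PLANE_PREFIXES = ("Secret", "Key", "Certificate")

def parse_audit_log(text):
    """Parse newline-delimited JSON AuditEvent records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def caller_of(rec):
    """Return (appid, ip); appid is absent when a user rather than an app called."""
    appid = rec.get("identity", {}).get("claim", {}).get("appid", "<user>")
    return appid, rec.get("callerIpAddress", "")

def find_suspicious(records, allowed_cidrs, fail_threshold=3):
    """Return sorted (reason, appid, ip) findings.
    Rule 1: a data-plane call from outside the expected networks, even if it succeeded.
    Rule 2: a caller with >= fail_threshold non-2xx results (probing for secrets
            it is not authorized to read shows up as a run of 403s)."""
    networks = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings, failures = set(), Counter()
    for rec in records:
        appid, ip = caller_of(rec)
        status = int(rec.get("properties", {}).get("httpStatusCode", 0))
        if rec.get("operationName", "").startswith(DATA_PLANE_PREFIXES):
            if not any(ip and ipaddress.ip_address(ip) in n for n in networks):
                findings.add(("data-plane access from unexpected network", appid, ip))
        if not 200 <= status < 300:
            failures[(appid, ip)] += 1
    for (appid, ip), n in failures.items():
        if n >= fail_threshold:
            findings.add((f"{n} denied requests", appid, ip))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_suspicious(parse_audit_log(SAMPLE_LOG), ["10.0.0.0/8"]):
        print(*finding)
```

The allow-list and threshold are inputs; in practice they come from the vault's firewall/virtual network configuration and the normal request rate of each application identity.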
- Azure Key Vault can handle requesting and renewing Transport Layer Security (TLS) certificates.
- Centralizing storage of application secrets in Azure Key Vault allows you to control their distribution.
- This greatly reduces the chances that secrets may be accidentally leaked.
- Applications can securely access the information by using URIs that allow them to retrieve specific versions of a secret.
- This happens without having to write custom code to protect any of the secret information.
- Key Vault is not intended to be used as a store for user passwords.
- Keys are safeguarded by Azure, using industry-standard algorithms, key lengths, and hardware security modules (HSMs).
- The HSMs used are Federal Information Processing Standards (FIPS) 140-2 Level 2 validated.
- Authentication is done via Azure Active Directory (Azure AD).
- Authorization may be done via role-based access control (RBAC) or Key Vault access policy.
- RBAC is used for management of the vaults themselves (the management plane), and Key Vault access policy is used for access to the data stored in a vault (the data plane).
- Azure Key Vaults may be either software- or hardware-HSM protected.
- For situations where you require added assurance, you can import or generate keys in hardware security modules (HSMs) that never leave the HSM boundary.
- Microsoft uses Thales hardware security modules.
- You can use Thales tools to move a key from your HSM to Azure Key Vault.
- Azure Key Vault simplifies security implementations by:
  - Removing the need for in-house knowledge of HSMs.
  - Scaling up on short notice to meet your organization’s usage spikes.
  - Replicating the contents of your Key Vault within a region and to a secondary region.
  - Automating certain tasks on certificates that you purchase from public CAs, such as enrollment and renewal.
- Azure Key Vaults allow you to segregate application secrets.
- Applications may access only the vaults that they are allowed to access, and they can be limited to performing only specific operations.
- You can create an Azure Key Vault per application and restrict the secrets stored in a Key Vault to a specific application and team of developers.
```csharp
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration.AzureKeyVault;

public class Program
{
    // Replace <YourKeyVaultName> with the name of your vault.
    private static string KeyVaultEndpoint => "https://<YourKeyVaultName>.vault.azure.net";

    public static void Main(string[] args) => BuildWebHost(args).Run();

    public static IWebHost BuildWebHost(string[] args) => WebHost.CreateDefaultBuilder(args)
        .ConfigureAppConfiguration((ctx, builder) =>
        {
            // Obtain Key Vault tokens for the app's managed identity, so no credential is stored in code or config.
            var azureServiceTokenProvider = new AzureServiceTokenProvider();
            var keyVaultClient = new KeyVaultClient(
                new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
            // Load the secrets this identity is allowed to read as configuration values.
            builder.AddAzureKeyVault(KeyVaultEndpoint, keyVaultClient, new DefaultKeyVaultSecretManager());
        })
        .UseStartup<Startup>()
        .Build();
}
```