In this article, we will see:
- What is a Key Vault.
- How to create a Key Vault.
- How to manage a Key Vault (Create new Keys, Add Secrets, Manage access policies).
Key Vault
Azure Key Vault is Microsoft's cloud service for storing your Keys and Secrets securely. Key Vault protects them with either software security modules (running on Azure VMs) or hardware security modules (HSMs).
Key: A cryptographic key, for example RSA 2048.
Secret: Any sequence of bytes under 25KB, for example a connection string.
Key Vault protects encryption Keys, lets you control the lifecycle of those Keys, and gives Applications a single place from which to obtain their Keys.
Customers who deploy their Applications in the Cloud are especially concerned about security. For them, Azure Key Vault is a better option than putting Keys and Secrets in the Application's configuration file.
Azure Key Vault Life Cycle
In the figure given below, you can see that the developer has access to both the Cloud Application and the Key Vault.
The developer can authorize the Cloud Application by configuring it with the Key Vault URL, so that the Application accesses Azure Key Vault at run time.
We can also assign a dedicated person to manage the Key Vault. In that case the developer only has access to the Cloud Application: the developer deploys the Application with the Key Vault URL given by the Key Vault manager, and the Application accesses the Key Vault at run time.
Now we will see how to create a Key Vault using Azure PowerShell.
Step 1. Open Azure PowerShell or Windows PowerShell ISE.
Step 2. Log in to your Azure account.
You will get the screen, shown below, after successful login.
Step 3. Create a resource group.
Step 4. Create a Key Vault. The Vault name should be unique.
You can see that a new Key Vault has been created with the name ‘AshishKeyVault’. You will need the Vault URL to access the Key Vault from the Application.
Step 5. Set Access Policies.
- Provide access to other users.
The permission to Keys has been changed to encrypt.
You can grant access to other personnel with the same command.
- Provide access to Cloud Applications.
First, the Application needs to be registered in Azure Active Directory from the Azure portal.
Select the default directory.
Select the option for an Application you are developing.
Fill the required fields.
The sign-on URL can be anything, but it should be unique.
Now go to the Application's configuration section.
Find the Client Id and Keys. Note down the Client Id; it will be required when setting the access policies for your Application.
Go back to Azure PowerShell.
Now you can see two Access Policy entries: one is mine and the other is my Cloud Application's.
Step 6. Add Keys to the Key Vault with different security policies.
Select the security policy according to the environment. For a Production environment, use Hardware Security Modules (HSM); for other, less sensitive data you can use Software Security Modules. The Software Security Module is free, whereas HSM is available at a very low cost. Out of 100 banks, 90 use HSM for security.
- Set Software Security.
First, set the permissions on the Keys.
- Set Hardware Security.
Create a new Resource group.
Set the vault to the Premium SKU.
Set HSM as the destination.
Now we have created the Keys in the Key Vault.
Step 7. Create a Secret to store the Secret values.
The command shown retrieves the Secret values.
In this article, we have covered the basic flow of the Key Vault life cycle and seen how to create and manage a Key Vault.
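The Step 1 to 7 flow above as one script, added here as an example and not the article's own commands (the screenshots carrying them are missing); it uses the current Az PowerShell module rather than the AzureRM cmdlets of the article's era. The vault name is the article's; the resource group, region, user principal name, Client Id and connection string are placeholders.

```powershell
# Added example: Azure Key Vault setup with the Az module (assumes Az.KeyVault is installed).
Connect-AzAccount                                    # Step 2: log in

$rg       = 'AshishKeyVaultRG'                       # Step 3: placeholder resource group name
$vault    = 'AshishKeyVault'                         # Step 4: vault name from the article (must be globally unique)
$location = 'East US'                                # placeholder region
New-AzResourceGroup -Name $rg -Location $location

# One Premium vault serves both software and HSM keys here (the article uses a second,
# Premium vault for HSM). The article's flow uses access policies, and newer Az versions
# default new vaults to the RBAC permission model, so access policies are enabled explicitly.
New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location $location -Sku Premium -EnableRbacAuthorization:$false
$vaultUri = (Get-AzKeyVault -VaultName $vault).VaultUri   # the URL the Application is configured with

# Step 5a: another user gets only 'encrypt' on Keys, as in the article.
Set-AzKeyVaultAccessPolicy -VaultName $vault -UserPrincipalName 'user@contoso.com' -PermissionsToKeys encrypt

# Step 5b: the registered Cloud Application, identified by its Client Id, gets only what it
# needs at run time (read Secrets, decrypt/unwrap with Keys) rather than 'all'.
$clientId = '00000000-0000-0000-0000-000000000000'   # placeholder: Client Id from the AAD app registration
Set-AzKeyVaultAccessPolicy -VaultName $vault -ServicePrincipalName $clientId `
    -PermissionsToSecrets get -PermissionsToKeys get,decrypt,unwrapKey

# Step 6: a software-protected Key for non-production and an HSM-protected Key for production.
Add-AzKeyVaultKey -VaultName $vault -Name 'DevKey'  -Destination Software
Add-AzKeyVaultKey -VaultName $vault -Name 'ProdKey' -Destination HSM

# Step 7: store a connection string as a Secret and read it back.
$secret = ConvertTo-SecureString -String 'Server=db;User=app;Password=<placeholder>' -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vault -Name 'DbConnectionString' -SecretValue $secret
$value = Get-AzKeyVaultSecret -VaultName $vault -Name 'DbConnectionString' -AsPlainText

# Check: the vault should now list exactly the policy entries you expect (yours, the other
# user's and the Application's), each with the minimal permissions granted above.
(Get-AzKeyVault -VaultName $vault).AccessPolicies |
    Select-Object DisplayName, PermissionsToKeys, PermissionsToSecrets
```

The final listing is the place to verify that no entry carries broader permissions than intended before the vault URL is handed to the Application.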