Are your application secrets safe in config files? How Azure Key Vault can help manage & protect your secrets with Hardware Security Modules (HSM’s)
Managing secrets such as database connection strings, API keys, and passwords has traditionally not been an important factor in software building and reliability. These secrets are usually stored in configuration files, or sometimes even as plain text within the application source code. This configuration file access is restricted in some cases to achieve the security goals. These are some of the important questions that every software developer or software owner should have answers to:
- How do you restrict the access to your secrets at different levels?
- How do you audit who updated, accessed your secrets recently?
- Do your configuration files maintain version history of your secrets?
- Can you share your secrets files easily with applications across different platforms?
The answers to these questions would vary depending on the developers and their organizational guidelines. However, this can help in elaborating the advantages that Azure Key Vaults bring in this area and explain how the secret management ‘overhead’ can be offloaded!
‘Azure Key Vault’ is an Azure service that helps manage secrets and protects data with Hardware Security Modules (HSMs). Key Vault eliminates the requirement of storing the secrets like passwords safely and helps streamline the overall management of secrets.
In addition to secrets management, Azure Key Vault offers Key management, Certificate Management.
Secrets Management
Securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets required by applications.
Key Management
Azure Key Vault can also be used create and control the encryption keys that can be used to encrypt your data.
Certificate Management
Azure Key Vault is also a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and related resources.
Why is Azure Key Vaults the right choice for secrets management?
Securely store secrets and keys
Key vault can be accessed by the application or user only after proper authentication and authorization via Azure Active Directory. Authorization on the key vault can be controlled through RBAC (role-based access control) and or Access Policy.
Does Microsoft see your secrets? Well, Azure Key Vault is designed so that Microsoft does not see or extract your data!
No new line of code (awesome right?) is required in your application to access secrets: Azure Key Vault Reference
Key Vault references can be directly used as values for
Application Settings, allowing you to keep secrets in Key Vault instead of the site web/app.config files. To leverage the secret management capabilities the Application Settings should be stored into Key Vault.
A Key Vault reference is of the form @Microsoft.KeyVault({referenceString}),
The referenceString is full data-plane URI of a secret in Key Vault, including its version; e.g., https:/vaultURL/secrets/yourSecretName/versionNumber
- Easy Monitoring
- Configure Azure Key Vault to:
- Archive to a storage account.
- Stream to an event hub.
- Send the logs to Azure Monitor logs.
You have control over your logs, and you may secure them by restricting access and managing the log retention too.
Segregate application secrets
Azure Key Vaults allow you to segregate application secrets. Applications may access only the vault that they can access, and they can be limited to only perform specific operations like GET, PUT. You can create an Azure Key Vault per application and restrict the secrets stored in a Key Vault to a specific application and team of developers.
Integrate with other Azure services
Key vault can be easily integrated with other Azure Services using its Access Policies, allowing access to the services for their system or user managed identities.