1
votes

We would like to make use of Azure Key Vault for storing our sensitive key, and make use of the stored sensitive key for encrypting our string/plain text data before sending it to the service. Again, the service will interact with Azure Key Vault, retrieving the sensitive key for decrypting the encrypted string sent by the client. Can anyone throw some light on how to make use of Azure Key Vault for the above scenario?

Azure Key Vault has a built-in encryption method for encrypting the data; does it mean the client has to send data to Azure Key Vault for encryption? Is that correct? If yes, is there a roll over every 30 minutes changing the key used for encryption? Sorry for asking a very noob question.

1
I am not sure of the 30 minute encryption key rollover you are talking about. The client application needs an access token to access the Key Vault API. Then the API will return the requested secret / symmetric key, which you can use wherever applicable. – Aravind

1 Answer

2
votes

Regarding roll over: at this time Key Vault does not do auto-rollover of keys. The key vault owner must explicitly roll keys. You do this via the Add-AzureKeyVaultKey cmdlet or the REST API, passing in the same key name as earlier. A new version is added to the key.

(More in-depth on how Azure Key vault works here: http://tomkerkhove.ghost.io/2015/07/22/securing-sensitive-data-with-azure-key-vault/)
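The manual roll described in the answer, written out as an added PowerShell example (not taken from the answer or from Microsoft's documentation). It uses the AzureRM-era cmdlets the answer names; the vault name and key name are placeholders, and the `-Expires` value is an assumed 90-day policy. The point a practitioner should take from it: re-adding a key under an existing name never overwrites or deletes the old version, so a service that decrypts data must keep resolving the exact version recorded with each ciphertext, and a Key Vault key (as opposed to a secret) is never handed back as private key material, so "retrieving the key" in the question really means either retrieving a secret or asking Key Vault to perform the wrap/unwrap on the caller's behalf.

```powershell
# Added example, not part of the original answer.
# Assumes the AzureRM Key Vault cmdlets and an existing vault.
# Placeholder names: replace before use.
$vaultName = 'contoso-vault'          # placeholder vault name
$keyName   = 'data-encryption-key'    # placeholder key name

# Login-AzureRmAccount   # interactive sign-in (AzureRM module); omit in automation

# First creation of the key (software-protected). Running this once
# creates version 1 of the key.
$firstVersion = Add-AzureKeyVaultKey -VaultName $vaultName `
    -Name $keyName -Destination 'Software'

# "Rolling" the key = calling Add-AzureKeyVaultKey again with the SAME name.
# Key Vault keeps version 1 and adds version 2; the key's unversioned
# identifier now resolves to version 2. Assumed 90-day expiry.
$rolledVersion = Add-AzureKeyVaultKey -VaultName $vaultName `
    -Name $keyName -Destination 'Software' `
    -Expires (Get-Date).AddDays(90)

# Each version has its own Id; the Id is what a service should store next
# to ciphertext so it can still unwrap data encrypted under an older version.
"Old version id: $($firstVersion.Id)"
"New version id: $($rolledVersion.Id)"

# List every version that exists for the key name. Nothing here deletes or
# disables the older version; that is a separate, explicit step.
Get-AzureKeyVaultKey -VaultName $vaultName -Name $keyName -IncludeVersions |
    Select-Object Name, Version, Id

# Contrast: a symmetric key stored as a SECRET is returned in the clear to
# any caller holding a token with 'get' permission, so this value must be
# handled as key material inside the client process.
$symKeySecret = Get-AzureKeyVaultSecret -VaultName $vaultName -Name 'client-aes-key'  # placeholder secret name
$symKeyBytes  = [Convert]::FromBase64String($symKeySecret.SecretValueText)
"Retrieved $($symKeyBytes.Length) bytes of symmetric key material for local use."
```

The `Get-AzureKeyVaultSecret` step is what the comment above ("the API will return the requested secret / symmetric key") corresponds to; access to it should be granted per client identity through the vault's access policy, and the same rolling pattern applies to secrets (`Set-AzureKeyVaultSecret` with the same name adds a new version).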