Purpose of going for an Azure Key Vault storage

4
votes

I'm new to azure cloud services platform. Today i came across the Key-Vault storage service provided by azure. It has the ability to store application level keys and settings. It is safe and secure with enhanced data protection.

But what i'm not clearly getting is to connect to Key-Vault i need the artifacts of my Key-Vault stored in my application config.

If that is the case when someone eves-drop on the key values will he not connect to my Key-Vault and read all my keys.

If I should encrypt my local Key-Vault settings then I can encrypt the keys which i store in Vault as well right?. What is the purpose of Key-Vault?.

3
securityazureencryptionprotectionazure-keyvault

3 Answers

5
votes

Besides being able to authenticate with client certificates which can be stored in secure stores as opposed to plain passwords, the other point is that Keyvault works as a cryptography oracle. It stores your keys and never releases them. When you want to perform cryptographic operations (encrypt, decrypt, etc.) you send your data to Keyvault, as opposed to getting the key from it. This ensures that even if an attacker (or even an admin) has temporary access to your whole infrastructure, he only has access to your data for a limited time and can never get your actual keys. Another benefit is that any access can be properly audited.

2
votes

Basically what are you looking for is a way to connect to azure key vault. For an application to use the key vault it must authenticate using a token from the Azure Active Directory (AD)

There are two ways available when you are using Azure AD.

  1. Using ClientId and secret
  2. Using ClientId and certificate

For your requirement i would suggest to go with 2 approach.

See this article: Authenticating a client application with Azure Key Vault.

0
votes

You can use Azure Managed Identities to access Key Vault, removing the requirement of storing any keys locally. You assign a managed identity to an azure resource in the portal, it is then able to access key vault (or other resources) behind the scenes without ever exposing any keys. https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet