Why is Azure Key Vault secure?

6
votes

Why or how is Azure Key Vault secure? I need to store key URI and Client Id and Client Secret on the server, so if anyone grants access to the server on which application is hosted, he'll be able to access keys and secrets stored in the Key Vault. Which means it is just as secure to store them on the server, right?

2
.netazureazure-keyvault
Possible duplicate: stackoverflow.com/questions/39445378/… - Maria Ines Parnisari

2 Answers

5
votes

You are misunderstanding the Key Vault. Key vault is secure in a sense that nothing gets transmitted over the public internet, all the communications with Key Vault and Azure Resources go through the Azure Backbone, so they are secure by default (well, if you believe Azure is secure).
Also, with Key Vault you can allow for deploying certain certificates without having the ability to look at them (or copy them). Basically, it supports RBAC.

7
votes

This is late for OP, but I hope it can help others to solve the chicken egg problem while using Azure Key Vault.

With the context of running applications on Azure VM, instead of using client_secret to authenticate, you can use client certificate authentication as explained in this documentation: Authenticate with a Certificate instead of a Client Secret.

Key Vault Client Certificate Authentication Image

In the picture above:

  • Application is authenticating to AAD by proving that it has the private key of the certificate (which is basically stored in CNG if you are using Windows).
  • Application get back the access_token and then use it to access the Key Vault.

The developer does not need to know the private key value of the certificate in order for their app to be successfully authenticated. Instead, they only need to know the location of the imported pfx (a container for private key and its certificate) in the Certificate Store.

At least on Windows, you as secret administrator can convert the private key and the certificate into pfx format which is password protected, and then deploy it into the Windows Certificate store. This way no one could know the private key unless they know the password of the pfx file.

The other approach specifics for Azure Compute, is to use Azure Managed Service Identity. Using Azure MSI, Azure will automatically assign your resources such as VM with an identity / Service Principal, and you can fire requests at a specific endpoint that are only accessible by your resource to get the access_token. But be wary that Azure MSI are still under public preview, so please review the known issues before using it.

Azure Managed Service Identity Image

The picture above explain how Azure Resource Manager assign a Service Principal identity to your VM.

  • When you enable MSI in a VM, Azure will create a service principal in your AAD.
  • Azure will then deploy a new MSI VM extension to your VM. This provides an endpoint at http://localhost:50432/oauth2/token to be used to get the access_token for the service principal.
  • You can then use the access_token to access the resources such as Key Vault which authorize the service principal access.