Azure Key Vault Default Encryption?

1
votes

I am reviewing requirements for Azure KeyVault and I would like to store service accounts (username/password) in Azure KeyVault. Is it a best practice to encrypt the secret before storing in Azure KeyVault? Does Azure KeyVault encrypt the secret automatically? (both disk and logical).

1
azureazure-keyvault
is this a question or are you answering yourself?Sajeetharan
@REI take a look, if you have any more query feel free to share in comment. Thanks and happy coding!Md Farid Uddin Kiron
@REI If the answer helpful you could mark it as answer to help others. Thanks and happy coding!Md Farid Uddin Kiron

1 Answers

1
votes

I think you would like to store your credential like API-Keys, Certificate, Passwords or anything related to sensitive information ensuring more security right?

Well, As you may know cloud applications and services use cryptographic keys and secrets to help keep information secure. For highly sensitive data, you should consider additional layers of protection for data. Encrypting data using a separate protection key prior to storage in Key Vault is worthwhile for example.

Azure Key Vault:

Azure Key Vault provides safeguards for following keys and secrets.for example, When you use Key Vault, you can encrypt authentication keys, storage account keys, data encryption keys, .pfx files, and passwords by using keys that are protected by hardware security modules (HSMs).

Key Vault reduce following problems:

  1. Secret management
  2. Key management
  3. Certificate management
  4. Store secrets backed by HSMs
  5. Any Third party sensitive credentials

You could check for more details here

Access Your Key Vaults More securely

You may need to access your key vault more securely because of its data sensitivity learn more about Secure access to a key vault

How secret and Certificate collaborate with azure key vault

Also for key vault secret and certificate you can check here

Azure key vault quick start

Setting up and retrieve a secret from Azure Key Vault using the Azure portal you can quickly start from Microsoft official document for azure key vault

Best Practices:

As you know azure key vault preserves data with encrypted mode so its not necessary to encrypt again but you can for double. Here is some best practice while using azure key-vaults

  1. Lock down access to your subscription, resource group and Key Vaults (RBAC)
  2. Create Access policies for every vault
  3. Use least privilege access principal to grant access
  4. Turn on Firewall and VNET Service Endpoints

For more details you could refer this docs

Note: Now a days azure key-vaults become more popular among the big organizations and towards the developer as well to manage large scale of security key , certification and many more. For more details I would recommend to take a look official document here

If you have any more query feel free to share. Thanks and happy coding!