We used "Encrypt and decrypt blobs using Azure Key Vault" to protect our files from the DevOps person or any unwanted access to the files.

I have created the RSA key like below:


Now I have a few doubts:

#1: If I set an expiration date on this key (let's say 2 years from today's date), will it affect my encryption?

For example, after 2 years I will create a new RSA key; will the old files which are already encrypted no longer be able to be decrypted? If the answer is no, how will the version change make sure decryption keeps working?

#2: Which RSA key size do I have to use? What is best as per industry standards?

#3: In the blob files there are metadata properties added by the SDK: "encryptiondata". What is that? It also includes "EncryptedKey"; what is that used for? It seems like the SDK is doing this behind the scenes when we set "BlobEncryptionPolicy".

#4: When we set a KEY in Azure Key Vault, is it the private key or the public key? Will we be able to see its content?

Let's say someone got to know the RSA key from Key Vault in plain text. Could he/she download the encrypted files directly from blob storage and use that key in a separate program to unlock/decrypt them?

Thanks,


1 Answer


#1 In Azure Key Vault the encryption keys don't have an expiry by default. But it is a good practice to set one, and then rotate the keys.

Rotation would involve: generate new key(s); re-encrypt all data that was encrypted using the old key, using the new key(s); delete the old encrypted data and the old encrypted key.

Azure supports three models with respect to data encryption:

1) Server-side encryption using service-managed keys
2) Server-side encryption using customer-managed keys in Azure Key Vault
3) Server-side encryption using customer-managed keys on customer-controlled hardware

You can read more about that here: https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-models and choose the option that you need. If you need to bring your own keys in Azure Storage: https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview

The rotation process can be automated with Events, Event Grid and Functions. For example, a "secret near expiry" event gets triggered when the secret is near its expiry date; that is captured in Event Grid, and the necessary action is taken via an Azure Function whose trigger is the Event Grid mapping for this event. Azure Runbook based automation options are also possible.

#2 A bigger key size is tougher or takes more time to crack, is what I know, and from what I read 2048 or 4096 should be good. But again there are schools of thought on not using standard key sizes etc. I guess you can consult a security/cryptography expert for the specifics.

#3 Those properties refer to the default encryption at rest done in Azure Storage. Refer to the data encryption models available for Azure Storage.

#4 In Azure Key Vault a cryptographic key is represented as a JWK (JSON Web Key),

for example a .pfx certificate file that contains a pair of public & private keys. The API call to GetKeyAsync doesn't return private key data. This is why the DecryptAsync wrapper method does use the Key Vault API for decryption.
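As an added illustration (not code from the question, the answer, or the Azure SDK) of the envelope pattern behind client-side blob encryption: each blob is encrypted with its own content key, and only the RSA-wrapped content key is stored next to it, which is the role of the "EncryptedKey" value inside the "encryptiondata" metadata the question asks about. The `Rotate` function shows one way a new key version can be adopted without rewriting the blob bytes. The field names, the choice of AES-GCM, and the in-process RSA private key (standing in for Key Vault's unwrap operation, since the vault never hands the private half out) are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope stands in for the blob's "encryptiondata" metadata (field names are assumed, not the
// SDK's schema). The content key is stored only in wrapped form: wrapping needs the RSA public
// half, unwrapping the private half, which in the real setup never leaves Key Vault.
type Envelope struct {
	KeyID             string // name/version of the Key Vault key that wrapped the content key
	EncryptedKey      []byte // RSA-OAEP(content encryption key)
	Nonce, Ciphertext []byte
}
func aead(cek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(cek)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// Encrypt: fresh AES-256 content key per blob, data sealed with it, key wrapped under the RSA key.
func Encrypt(pub *rsa.PublicKey, keyID string, plaintext []byte) (*Envelope, error) {
	cek, nonce := make([]byte, 32), make([]byte, 12)
	if _, err := rand.Read(cek); err != nil { return nil, err }
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	gcm, err := aead(cek)
	if err != nil { return nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil { return nil, err }
	return &Envelope{keyID, wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}
// Decrypt: unwrap the content key (the one step that needs the private key), then open the data.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.EncryptedKey, nil)
	if err != nil { return nil, err }
	gcm, err := aead(cek)
	if err != nil { return nil, err }
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}
// Rotate: re-wrap the content key under a new key version; the encrypted blob bytes are untouched.
func Rotate(oldPriv *rsa.PrivateKey, newPub *rsa.PublicKey, newKeyID string, env *Envelope) error {
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, oldPriv, env.EncryptedKey, nil)
	if err != nil { return err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, newPub, cek, nil)
	if err == nil { env.KeyID, env.EncryptedKey = newKeyID, wrapped }
	return err
}
```

Because the wrapped key is useless without the private half, someone who downloads the blobs and reads the public key material from the vault still cannot unwrap the content key; the thing to protect is therefore the permission to call the vault's decrypt/unwrap operation.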