Introduction to Azure Key Vault

In this article, we will see:

  • What a Key Vault is.
  • How to create a Key Vault.
  • How to manage a Key Vault (create new keys, add secrets, manage access policies).

Key Vault

Azure Key Vault is Microsoft’s cloud service for storing your keys and secrets securely. Keys can be protected by software security modules (running on Azure VMs) or by hardware security modules (HSMs).

Key: a cryptographic key, for example RSA 2048.
Secret: any sequence of bytes under 25 KB, for example a connection string.

Key Vault encrypts the keys it holds, gives you control over the lifecycle of your encryption keys, and provides a single place from which application keys are accessed.

Customers who deploy their applications to the cloud are more concerned about security. Azure Key Vault is a better option for them than putting keys and secrets in the application’s configuration file.

Azure Key Vault Life Cycle

In the figure given below, you can see that the developer has access to both the cloud application and the Key Vault.

The developer can authorize the cloud application by configuring it with the Key Vault URL, so that the application can access Azure Key Vault at run time.

(Figure: Azure Key Vault life cycle, developer manages both the application and the Key Vault)

We can also assign a dedicated person to manage the Key Vault. The developer then has access only to the cloud application. The developer uses the Key Vault URL, given by the Key Vault manager, to deploy the application, and the application accesses the Key Vault at run time.

(Figure: Azure Key Vault life cycle, dedicated Key Vault manager)

Now we will see how to create a Key Vault using Azure PowerShell.

Step 1. Open Azure PowerShell or Windows PowerShell ISE.

(Screenshot: Azure PowerShell)

Step 2. Log in to your Azure account.

(Screenshot: logging in to the Azure account)

You will get the screen shown below after a successful login.

(Screenshot: successful login)

Step 3. Create a resource group.

(Screenshot: creating the resource group)

Step 4. Create a Key Vault. The vault name must be globally unique.

(Screenshot: creating the Key Vault)

You can see that a new Key Vault has been created with the name ‘AshishKeyVault’. You will need the vault URL to access the Key Vault from the application.

Step 5. Set access policies.

  1. Provide access to other users.

    (Screenshot: granting another user access to the Key Vault)

    The permission on keys has been changed to encrypt.

    (Screenshot: key permission set to encrypt)

    You can grant access to other personnel with the same command.

  2. Provide access to cloud applications.

    First, register the application in Azure Active Directory from the Azure portal.

    Select the default directory.

    (Screenshot: default directory)

    Select the option to add an application that your organization is developing.

    (Screenshot: adding an application)

    Fill in the required fields.

    (Screenshot: required fields)

    The sign-on URL can be anything, but it should be unique.

    (Screenshot: sign-on URL)

    Now go to the application’s configuration section.

    (Screenshot: application configuration)

    Find the Client ID and Keys. Note down the Client ID; it will be required when setting the access policies for your application.

    (Screenshot: Client ID)

    Go back to Azure PowerShell and set the access policy for the application.

    (Screenshot: Azure PowerShell)

    Now you can see two access policy entries: one is mine and the other is my cloud application.

    (Screenshot: two access policy entries)
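Steps 2 to 5 as one runnable script. This is an added example, not the article’s own code (the article shows its commands only in screenshots); it uses the current Az PowerShell module cmdlets (Connect-AzAccount, New-AzResourceGroup, New-AzKeyVault, Set-AzKeyVaultAccessPolicy, Get-AzKeyVault) rather than the older AzureRM ones. The resource group name, region, user principal name and application Client ID are placeholders to replace with your own values; the vault name is the one used in the article.

```powershell
# Added example (not from the article): create the resource group and vault, then grant
# a user and a registered application access to it, using the Az PowerShell module.

$resourceGroup = 'KeyVaultDemoRG'                          # assumed resource group name
$location      = 'East US'                                 # assumed region
$vaultName     = 'AshishKeyVault'                          # vault name from the article; must be globally unique
$userUpn       = 'developer@contoso.example'               # placeholder: another user who needs 'encrypt' only
$appClientId   = '00000000-0000-0000-0000-000000000000'    # placeholder: Client ID noted from the AAD app registration

# Step 2: sign in to the Azure account interactively.
Connect-AzAccount

# Step 3: create the resource group that will hold the vault.
New-AzResourceGroup -Name $resourceGroup -Location $location

# Step 4: create a Standard-SKU vault (software-protected keys). Use -Sku 'Premium' when you need HSM-protected keys.
$vault = New-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup -Location $location -Sku 'Standard'
"Vault URL to configure in the application: $($vault.VaultUri)"

# Step 5.1: grant another user only the 'encrypt' permission on keys, as in the article. Granting just the
# operation a person needs keeps the blast radius small if that account is compromised.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -UserPrincipalName $userUpn -PermissionsToKeys encrypt

# Step 5.2: grant the cloud application access. -ServicePrincipalName takes the application (client) ID.
# The application gets read access to secrets and only the key operations it performs at run time.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $appClientId `
    -PermissionsToKeys get,decrypt,sign -PermissionsToSecrets get,list

# Verify: the vault now carries the creator's policy plus the entries just added.
(Get-AzKeyVault -VaultName $vaultName).AccessPolicies |
    Format-Table DisplayName, PermissionsToKeys, PermissionsToSecrets
```

New-AzKeyVault automatically gives the account that creates the vault a full access policy, which is the first of the entries shown by the final command; the user and application policies are the ones you add explicitly.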

Step 6. Add keys to the Key Vault with different security policies.

Depending on the environment, you need to select the security policy. For a production environment, use hardware security modules (HSM); for other, less sensitive data, you can use software security modules. The software security module is free, whereas HSM is available at very low cost. Out of 100 banks, 90 use HSM for their security.

  1. Set software security.

    First set the permissions on the keys.

    (Screenshot: setting key permissions)

    (Screenshot: creating a software-protected key)

  2. Set hardware security.

    Create a new resource group.

    (Screenshot: creating the new resource group)

    Set the vault to the Premium SKU.

    (Screenshot: creating a Premium SKU vault)

    Set HSM as the destination.

    (Screenshot: creating an HSM-protected key)

    Now we have created the keys in the Key Vaults.

Step 7. Create a secret and set the secret value.

(Screenshot: creating the secret)

The command given below gets the secret value.

(Screenshot: getting the secret value)
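Steps 6 and 7 as one script, covering the software-versus-HSM choice discussed at the start of Step 6 as well as creating and reading a secret. This is an added example, not the article’s own code; it uses the Az PowerShell module (Set-AzKeyVaultAccessPolicy, Add-AzKeyVaultKey, New-AzKeyVault, Set-AzKeyVaultSecret, Get-AzKeyVaultSecret). It assumes you are signed in interactively with Connect-AzAccount; the resource group, region, Premium vault name, key names and the connection string are placeholders.

```powershell
# Added example (not from the article): software- vs HSM-protected keys (Step 6) and a secret (Step 7)
# with the Az PowerShell module. Assumes an interactive user sign-in; names and values are placeholders.

$resourceGroup = 'KeyVaultDemoRG'         # assumed resource group
$location      = 'East US'                # assumed region
$standardVault = 'AshishKeyVault'         # Standard-SKU vault from the article: software-protected keys only
$premiumVault  = 'AshishPremiumVault'     # assumed name; Premium SKU is required for HSM-protected keys
$me            = (Get-AzContext).Account.Id   # UPN of the signed-in user

# Step 6.1: software security. Set the permissions on keys (and secrets, for Step 7) first,
# then create an RSA 2048 key whose private part is protected in software.
Set-AzKeyVaultAccessPolicy -VaultName $standardVault -UserPrincipalName $me `
    -PermissionsToKeys create,get,list -PermissionsToSecrets set,get,list
$softKey = Add-AzKeyVaultKey -VaultName $standardVault -Name 'DevSigningKey' -Destination 'Software' -KeyType RSA -Size 2048

# Step 6.2: hardware security. Destination 'HSM' is rejected on a Standard vault, so create a Premium-SKU
# vault, set the key permissions, and create the key with HSM as the destination.
New-AzKeyVault -VaultName $premiumVault -ResourceGroupName $resourceGroup -Location $location -Sku 'Premium'
Set-AzKeyVaultAccessPolicy -VaultName $premiumVault -UserPrincipalName $me -PermissionsToKeys create,get,list
$hsmKey = Add-AzKeyVaultKey -VaultName $premiumVault -Name 'ProdSigningKey' -Destination 'HSM' -KeyType RSA -Size 2048

# The key type records which protection applies: 'RSA' for software-protected, 'RSA-HSM' for HSM-protected.
"DevSigningKey  : $($softKey.Key.Kty)  $($softKey.Id)"
"ProdSigningKey : $($hsmKey.Key.Kty)  $($hsmKey.Id)"

# Step 7: store a connection string as a secret instead of in the application's configuration file.
$connectionString = 'Server=tcp:db.example,1433;Database=AppDb;User ID=appuser;Password=PLACEHOLDER'   # constructed sample
$secureValue = ConvertTo-SecureString -String $connectionString -AsPlainText -Force
$secret = Set-AzKeyVaultSecret -VaultName $standardVault -Name 'DbConnectionString' -SecretValue $secureValue
"Secret identifier for the application: $($secret.Id)"   # versioned https://<vault>.vault.azure.net/secrets/... URL

# Get the secret back. Without -AsPlainText the value is a SecureString; -AsPlainText (Az.KeyVault 3.0+)
# returns the raw string, which you should only do where the value is actually consumed.
Get-AzKeyVaultSecret -VaultName $standardVault -Name 'DbConnectionString' | Format-List Name, Version, Enabled, Updated
$plain = Get-AzKeyVaultSecret -VaultName $standardVault -Name 'DbConnectionString' -AsPlainText
if ($plain -ne $connectionString) { throw 'Secret read back from the vault does not match the stored value' }
```

Setting a secret again with the same name creates a new version rather than overwriting the old one, so the versioned identifier printed above keeps pointing at the value the application was deployed with until you roll it over.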

In this article, we have covered the basic flow of the Key Vault life cycle and seen how to create and manage a Key Vault.