Step-by-Step Guide: Azure Key Vault

People use safes, security boxes to protect their valuable things. In digital world “Data” is the most valuable thing. Passwords, Connection Strings, Secrets, Data encryption/decryption keys protects access to different data sets. Whoever have access to those will also have access to data behind it (of cause they need to know how to use those ?). So how we can protect those valuable info? People use different methods. Some use third party software installed on PC to do it. If its large environment some use web application so multiple people have access to it. different vendors use different methods to protect these types of valuable data. Microsoft Azure Key vault is a service which we can use to protect Passwords, Connection Strings, Secrets, Data encryption/decryption keys uses by cloud applications and services. Keys stored in vaults is protected by hardware security modules (HSMs). It is also possible to import or generate keys using HSMs. Any keys process that way will be done according to FIPS 140-2 Level 2 guidelines. You can find about FIPS 140-2 Level 2 using https://www.microsoft.com/en-us/trustcenter/Compliance/FIPS

Benefits of using Key Vault

• Keys saved in vault will be served via URLs. Developers, engineers do not need worry about securing keys. Application or service do not see the keys as vault service process behalf of them.  

• Customers do not have to disclosure their keys to vendors or service providers. They can manage their own keys and allow to access those keys via urls in vendor or service provider applications. Vendor or service providers will not see the keys. 

• By design Microsoft can’t extract or see customer keys. So, its further protected in vendor level too. 

• HSMs are FIPS 140-2 Level 2 validated. So, any industry required to comply with these standards are protected by default. 

• Key usage details are logged. So, you know what’s happening with your keys.  

An Azure Administrator is allowed to do following using Azure Key Vault,

• Create or import a key or secret

• Revoke or delete a key or secret

• Authorize users or applications to access the key vault, which allow them to manage or use its own keys and secrets

• Configure key usage 

• Record key usage

More info about Azure Key vault can find under https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview 

Let’s go ahead and see how we can setup and use Azure Key Vault service. 

Create Azure Key Vault Instance  

 

1) Log in to Azure Portal as global admin.

2) Click on Cloud Shell icon in top right-hand corner. (You also can setup this using portal, Azure CLI or locally installed Azure PowerShell. In this demo I am using Azure PowerShell directly from portal)  

 

 

3) Then select PowerShell for the command type. 

4) Then type Get-AzureRmResourceGroup to list down resource groups. So, we can select the resource group to associate the new key vault. 

 

 

5) If you wish to create key vault under new resource group, you can do it using 

 

New-AzureRmResourceGroup -Name RGName -Location WestUS

 

In above command RGName specify the resource group name and WestUS define the region. You can find the available locations using Get-AzureRmLocation

 

6) Now it’s time to create the vault. We can create it using, 

 

New-AzureRmKeyVault -VaultName 'Rebel-KVault1' -ResourceGroupName 'therebeladmin' -Location 'North Central US'

 

In above VaultName defines the Key Vault name. ResourceGroupName defines the resource group it is associated with. Location defines the location of resource. 

 

 

7) We can view properties of existing key vault using,

 

Get-AzureRmKeyVault "Rebel-KVault1"

 

In above Rebel-KVault1 is the key vault name. 

 

 

Vault URI shows the URL which can use to access the key vault by applications and services. 

 

8) Next step is to create Access Policy for the key vault. Using access policy we can define who have control over key vault, what they can do inside key vault and also what a application or service can do with it. 

 

Set-AzureRmKeyVaultAccessPolicy -VaultName 'Rebel-KVault1' -UserPrincipalName 'user1@rebeladmlive.onmicrosoft.com' -PermissionsToKeys create,delete,list -PermissionsToSecrets set,list,delete -PassThru

 

In above command, user1@rebeladmlive.onmicrosoft.com can create,delete,list keys in Rebel-KVault1. He also can set,list,delete secrets under same vault. 

 

 

We also can set permissions for application to retrieve secrets or keys. 

 

Set-AzureRmKeyVaultAccessPolicy -VaultName 'Rebel-KVault1' -ServicePrincipalName 'http://crm.rebeladmin.com' -PermissionsToSecrets Get

 

In above, service running on http://crm.rebeladmin.com will have permissions to retrieve secrets from the vault. 

 

Key Management

 

Now we have a vault up and running. Next step is to see how to manage valued data using it. In this demo I am going to do this using Azure Portal. Same tasks still can be done using Azure CLI or Azure PowerShell. 

 

1) To access Key vault feature in portal, go to Azure Portal > All Services > Key vaults

 

 

2) Then click on the relevant key vault from the list. In my demo it is Rebel-KVault1 which we create on previous section. 

 

 

3) Then it will load new window. Let’s go ahead and add a secret. To do that click on the Secrets option. 

 

 

4) Then click on Generate/Import

 

 

5) Then in the form fill the relevant info. Value defines the secret. After put relevant info click on create. 

 

 

6) If you need to delete a secret, click on the relevant secret from the list.

 

 

7) Then click on Delete. 

 

 

8) We also can generate/import certificates for use. In order to do so click on Certificates from the list.

 

 

9) Then click on Generate/Import 

 

 

10) From the form, using Generate option we can create self-signed certificate. 

 

 

11) Using Import option, we can import certificates in .PFX format. In the form, Upload Certificate File is the path for the .PFX file. You can use browse option to define the path. We can provide the PFX password under Password field. Once form is done, click on Create. 

 

 

 

 

Hope now you have understanding about Azure key vault and how to use it. This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.