" Windows Azure Platform series of articles directory "
Why use Azure Key Vault?
We assume that a scene on Microsoft's cloud Azure, the Windows VM inside a .NET application, the .NET application through ADO.NET connection string, linked to the back-end SQL VM.
SQL VM if Windows VM been hacked, the hacker in view of SQL ADO.NET connection string, which can be saved by the user names and passwords, direct access to the backend.
Such SQL VM also been hacked.
If we carry on encryption and access control for SQL connection string, we can protect the SQL VM inside the database
What is the Key Vault (secret key vault)?
Azure Key Vault can manage:
1. Password Management
Azure Key Vault can be used to securely store tokens, passwords, certificates, API keys, and other confidential and strictly control access
2. Certificate Management
Azure Key Vault can be used to manage and deploy SSL / TLS certificates that can be used with other Azure services such as CDN use HTTPS certificate
Under what scenario you want to use Azure Key Vault
1. Centralized management of applications secrets
In the Azure Key Vault in centralized storage applications secrets you can control its distribution. Key Vault can greatly reduce the likelihood of accidental disclosure of confidential. With Key Vault, application developers no longer need to be in the application security information storage. No need to secure the information stored in the application, and therefore do not need this information as part of the code. For example, if an application needs to connect to the database, you can safely store the connection string in the Key Vault, rather than stored in the application code.
Applications can use URI secure access to the information they need. These URI Allows application to retrieve specific versions of secrets. So you do not need to write custom code to protect any confidential information stored in the Key Vault.
2. securely store secret key and
secret key used by the Azure and industry-standard algorithms, key length and hardware security module (HSM) to protect. HSM is validated using Federal Information Processing Standard (FIPS) 140-2 Level 2.
Access key vault requires proper authentication and authorization, otherwise the caller (user or application) can not be accessed. Authentication is used to determine the identity of the caller, and then decided to authorize the operation of the caller can perform.
Authentication is done by Azure Active Directory. Authorized through role-based access control (RBAC) or Key Vault access policies to complete. When the vault is managed, the use of RBAC; attempts to access data stored in the storage library, using the key vault access policy.
HSM can be software or hardware protection of the Azure Key Vault. If necessary to improve the reliability, or may be introduced to generate keys never exceed the boundaries HSM hardware security module (HSM) in. Microsoft uses nCipher hardware security module. You can use the tool to nCipher HSM key to move from Azure Key Vault.
Finally, it should be pointed out that, according to the Azure Key Vault design, Microsoft can not view or extract data.
3. monitor access and usage
After creating multiple Key Vault, users need ways to monitor key and confidential access and time. You can monitor activity by enabling logging vault. Azure Key Vault can be configured to do the following:
- Archived to a storage account.
- Streaming to the event center.
- Send logs to Azure Monitor log.
Can control their own logs, you can restrict access to ensure the security log, you can also delete the log no longer needed.
4. simplify application management secrets
When you store your valuable data, you must perform a number of steps. Safety information must be protected, it must follow a life cycle must be highly available. Azure Key Vault can simplify the process to meet these requirements by the following operations:
- Knowledge without internal hardware security module
- After receiving notice soon be able to scale up to meet peak demand use organizations.
- Key Vault copy the contents in a certain area, and copy it to the secondary area. Data replication to ensure high availability, the administrator can operate without triggering failover.
- Providing standard through the portal, Azure CLI and PowerShell Azure management options.
- For certificates purchased from a public CA to automatically perform certain tasks, such as registration and renewal.
In addition, it can also isolate applications confidential by Azure Key Vault. Applications can only access the vault they have access to, and can only perform certain operations. You can create a Azure Key Vault for each application, confidential specific applications and access data stored in the developer community in Key Vault only.
The Azure integrated with other services
as Azure in secure storage, Key Vault has been used to simplify the following scheme:
- Azure disk encryption
- Always encryption server and SQL Azure SQL Database
- Azure application services.
Key Vault itself can be integrated with the storage account, Event Center and Log Analytics.