Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How is a keyvault more secure than standard storage?

I am trying to understand the security benefits that Azure Key Vault would offer (or equally AWS KMS)

I understand the benefits of key management, of being able to easily rotate, change, audit key access.

What perplexes me a little though is how it is more secure.

As I understand it, if I develop a web application and want to protect my connection string (for instance) I can create a key pair in Key Vault and save it there. I then create an application in AAD, and use the client ID/Secret/URI to authenticate to Key Vault to obtain my connection string. There is also the possible benefit of restricting that further by Resource Group.

However this now means I have a client ID/Secret/URI to protect.

How is this better?

P.S. I'm not a developer! I just like to poke around in these things to understand them from a devops point of view. So if you could aim your answer at the typical clueless ops guy, that would be appreciated ;)

like image 320
Michael B Avatar asked Sep 30 '15 23:09

Michael B


People also ask

How secure is Azure Keyvault?

Key vault is secure in a sense that nothing gets transmitted over the public internet, all the communications with Key Vault and Azure Resources go through the Azure Backbone, so they are secure by default (well, if you believe Azure is secure).

Why Azure key vault is more secure?

Centralizing storage of application secrets in Azure Key Vault allows you to control their distribution. Key Vault greatly reduces the chances that secrets may be accidentally leaked. When using Key Vault, application developers no longer need to store security information in their application.

What is the use of Keyvault?

Azure Key Vault is a cloud service that provides a secure store for secrets. You can securely store keys, passwords, certificates, and other secrets. Azure key vaults may be created and managed through the Azure portal. In this quickstart, you create a key vault, then use it to store a secret.


1 Answers

Azure Key Vault uses Hardware Security Modules (HSMs) by Thales. Special about HSMs is that they do not give you keys. You create or import a key into an HSM. Later on you give data to the HSM and the HSM is executing cryptographic operations on that data. E.g. encrypting, decrypting, hashing ect. By the way, those hardware devices are really expensive. With Azure Key Vault you are able to use this protection for a small price. That's one benefit using Azure Key Vault.

To your question why this is more secure: Keys are more worth than a single VM that has been compromised. If one of your VMs have been compromised and you would have your encryption keys on that VM, the attacker would have your keys.

If you have only your client ID and secret on your VM, then the attacker has only those credentials but not your keys. And as you know even with those credentials the attacker is not able to get your keys from the HSM. That means the attacker would be able to execute cryptographic operations for a certain amount of time with your credentials. The moment you recognize the attack you invalidate the credentials.

So the difference in a nutshell:

Without HSM: the attacker has your keys and can use those keys as long as they want (and they are valid).

With HSM: the attacker does not have your keys and is only able to execute cryptographic operations with your credentials as long they are valid.

like image 168
Peter Kirchner Avatar answered Nov 16 '22 00:11

Peter Kirchner