Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Key Management in Windows Azure

I'm a bit confused about how to store keys (for data encryption) in Windows Azure.

According to the following two links (#1, #2), it is recommended to store the keys/key library in the Windows Azure Storage:

Storing your own key library within the Windows Azure Storage services is a good way to persist some secret information since you can rely on this data being secure in the multi-tenant environment and secured by your own storage keys.

But the "Security Best Practices For Developing Windows Azure Applications" (#3) recommends NOT to store any key related material in Windows Azure:

Also, developers should not upload the key or any keying material to Windows Azure Storage, regardless of how careful they are about hiding it. If any computer or storage services were compromised, it could lead to encryption keys being exposed.

What is the best approach to store keys for encryption in Windows Azure?

like image 831
Robar Avatar asked Jul 11 '12 08:07

Robar


People also ask

Which Microsoft Azure offering can be used for key management?

Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys.

What are the 4 things Azure key vault can do?

Azure Key Vault is a cloud service that provides a secure store for secrets. You can securely store keys, passwords, certificates, and other secrets. Azure key vaults may be created and managed through the Azure portal.

What are the two types of keys available in encryption in Azure?

JSON Web Key (JWK) JSON Web Encryption (JWE)

Which of the Azure service provides cryptographic key management?

Azure Dedicated HSM is an Azure service that provides cryptographic key storage in Azure.

What is key management system (KMS) and Microsoft Azure key vault?

Key protection and management are offered by Amazon Web Services Key Management Services (AWS KMS) and Microsoft Azure Key Vault. In today’s blog, Encryption Consulting will summarize Amazon Web Services (AWS) Key Management System (KMS) and Microsoft Azure Key Vault.

How do I manage access to my Azure key vault secrets?

In Azure Key Vault, you can manage access to your application secrets by setting permissions at any level except _. Is This Question Helpful? Your company hosts a web application that uses Azure SQL Database to store data.

How do I monitor key use in azure?

Monitor and audit your key use with Azure logging—pipe logs into Azure HDInsight or your security information and event management (SIEM) solution for more analysis and threat detection. Use Key Vault and you don’t need to provision, configure, patch and maintain HSMs and key management software.

Where can I store my keys in azure?

Customer-managed keys can be stored on-premises or, more commonly, in a cloud key management service. Azure offers several options for storing and managing your keys in the cloud, including Azure Key Vault, Azure Managed HSM, Dedicated HSM, and Payments HSM.


2 Answers

You'll see from my comment in that first link that I agree with your concerns. :)

Azure has no secure way of storing keys other than it's own Certificate Storage. Here is an article on using this method:

Field Note: Using Certificate-Based Encryption in Windows Azure Applications

You'll notice I've also commented on that article's shortcomings too, linking to this question:

Read azure ServiceConfiguration file's certificate section using c#

An example of using Azure's built in certificate storage to encrypt AES keys (avoiding the RSA restrictions on encrypted data length, while keeping the AES key secure) can be found in this project:

Codeplex: Azure Table Encryption via Attribute

The SymmetricKeyHelper class in the EncryptDecrypt project is of particular interest.

Kudos to @breischl for mentioning it, and for his contributions to the project.

like image 114
Stu Pegg Avatar answered Oct 04 '22 23:10

Stu Pegg


The Azure Key vault service that has been released recently might be a perfect fit for the problem. This has been introduced so that keys can be managed in a central place and access can be easily controlled. It also supports HSM-backed service making it very secure.

Here is a artice on Getting Started with Azure Key Vault

like image 39
Rahul P Nath Avatar answered Oct 04 '22 23:10

Rahul P Nath