I'm a bit confused about how to store keys (for data encryption) in Windows Azure.
According to the following two links (#1, #2), it is recommended to store the keys/key library in the Windows Azure Storage:
Storing your own key library within the Windows Azure Storage services is a good way to persist some secret information since you can rely on this data being secure in the multi-tenant environment and secured by your own storage keys.
But the "Security Best Practices For Developing Windows Azure Applications" (#3) recommends NOT to store any key related material in Windows Azure:
Also, developers should not upload the key or any keying material to Windows Azure Storage, regardless of how careful they are about hiding it. If any computer or storage services were compromised, it could lead to encryption keys being exposed.
What is the best approach to store keys for encryption in Windows Azure?
Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys.
Azure Key Vault is a cloud service that provides a secure store for secrets. You can securely store keys, passwords, certificates, and other secrets. Azure key vaults may be created and managed through the Azure portal.
JSON Web Key (JWK) JSON Web Encryption (JWE)
Azure Dedicated HSM is an Azure service that provides cryptographic key storage in Azure.
Key protection and management are offered by Amazon Web Services Key Management Services (AWS KMS) and Microsoft Azure Key Vault. In today’s blog, Encryption Consulting will summarize Amazon Web Services (AWS) Key Management System (KMS) and Microsoft Azure Key Vault.
In Azure Key Vault, you can manage access to your application secrets by setting permissions at any level except _. Is This Question Helpful? Your company hosts a web application that uses Azure SQL Database to store data.
Monitor and audit your key use with Azure logging—pipe logs into Azure HDInsight or your security information and event management (SIEM) solution for more analysis and threat detection. Use Key Vault and you don’t need to provision, configure, patch and maintain HSMs and key management software.
Customer-managed keys can be stored on-premises or, more commonly, in a cloud key management service. Azure offers several options for storing and managing your keys in the cloud, including Azure Key Vault, Azure Managed HSM, Dedicated HSM, and Payments HSM.
You'll see from my comment in that first link that I agree with your concerns. :)
Azure has no secure way of storing keys other than it's own Certificate Storage. Here is an article on using this method:
Field Note: Using Certificate-Based Encryption in Windows Azure Applications
You'll notice I've also commented on that article's shortcomings too, linking to this question:
Read azure ServiceConfiguration file's certificate section using c#
An example of using Azure's built in certificate storage to encrypt AES keys (avoiding the RSA restrictions on encrypted data length, while keeping the AES key secure) can be found in this project:
Codeplex: Azure Table Encryption via Attribute
The SymmetricKeyHelper
class in the EncryptDecrypt project is of particular interest.
Kudos to @breischl for mentioning it, and for his contributions to the project.
The Azure Key vault service that has been released recently might be a perfect fit for the problem. This has been introduced so that keys can be managed in a central place and access can be easily controlled. It also supports HSM-backed service making it very secure.
Here is a artice on Getting Started with Azure Key Vault
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With