Written by: Robin Joseph, Team Lead – Cloud Operations, CG Infinity Inc.
Key Rotation in Azure
In Part 1 of my blog about Securing Secrets in Cloud Environments, I discussed the importance of securing secrets and the timely rotation of secret keys. I also considered what is a secret and the services provided by AWS to store and rotate secrets. In Part 2, we will discuss the services provided by Azure to securely store secrets and key rotation.
Azure Key Vault
Microsoft Azure provides the Azure Key Vault service, a cloud service that provides secure storage for secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys. All applications that have authentication embedded and use secrets to access any other application or service can refer to this secret. Then you only have to update the new key in one place and all applications referring to that key are automatically updated.
Benefits of using Azure Key Vault:
- As the keys saved in vault will be served via URIs, this avoids the risk of accidental exposure and storage of keys in non-secure locations.
- If your organization needs security compliance while requiring the Key Vault, Azure Key Vault is a good option, as the Key Vault service is FIPS 140-2 Level 2 (Vault) / FIPS 140-2 Level 3 (Managed HSM Pools) compliant.
- Key usage details are logged, so the log data can be used for audit purposes in case of any key compromise situation.
As described in the previous blog, Key Rotation is the process by which you retire an encryption key, secret, or password; and replace the old key by generating a new one in a timely fashion.
Manual and Automated methods of Key Rotation Manual
Consider the scenario of more than one application connecting to a database. Usernames and passwords for the database connection string can be stored in Azure Key Vault. Using the Azure Key Vault Secret Client Library, these applications can retrieve secrets from Azure Key Vault and authenticate the database. Now, when Key Rotation mandates a password for the database, you only need to update the new password at one place, Azure Key Vault, and all applications referring to the Key Vault will retrieve the updated password. Azure Key Vault Secret Client Library is now available for .Net, Node.js, Python and Java programming languages.
Authentication secrets for an Azure hosted service can be rotated automatically and save the secrets in Kay Vault. For example, an Azure SQL Server password can be updated using an azure function app. The complete flow will be as follows:
- Azure Key Vault publishes an event to an Event Grid about the expiration of a secret.
- Event Grid calls the function app.
- The Function app generates a new password and creates a new version for the secret with the new password in Key Vault.
- The function app updates the SQL Server with the new password.
Azure Key Vault streamlines the secret, key, and certificate management process and enables you to maintain strict control over secrets/keys that access and encrypt your data. This expedites the overall project delivery by having developers create keys quickly for development and testing, and then seamlessly migrate them to production keys.