Secure key management is essential to protect data in the cloud. Cloud applications and services use cryptographic keys and secrets (like passwords) to help keep information secure. Today I’d like to tell you about Azure Key Vault, which safeguards these keys and secrets.
Azure Key Vault is a cloud-hosted service offering secure storage and access for certificates, connection strings and other secrets. It streamlines the key management process and provides full control of the keys used to access and encrypt your data. Administrators can grant or revoke access to keys as needed.
Key Vaults also control access to anything stored within them. Applications in Azure resources authenticate to Key Vault to retrieve secrets. The best authentication method for Azure services is to use a managed identity, as it allows Azure services to authenticate to the Key Vault or to any service that supports Active Directory authentication, without having to include credentials in your code.
With Azure Key Vault, applications never have direct access to keys; administrators can monitor and audit key use with Azure logging. Key Vault also allows the separation of security maintenance from application development. For example, Key Vault secrets can be used to store connection strings for the various resources accessed by Azure Data Factory.
Those connection strings can be updated by administrators without affecting the Azure Data Factory pipelines or having to send new passwords to developers.
It only takes minutes in the Azure portal to create a Key Vault:
- In the portal, click on ‘create a resource’.
- Search for Key Vault and then click ‘create’.
- Next provide a name for the Key Vault and select subscription, resource group and location.
- Finally, select your pricing tier:
  - Standard Tier:
    - Secrets are the least expensive at about 3 cents per 10,000 transactions.
    - Certificates cost $3 per renewal request.
    - Managed Azure storage account key rotations, protected with RSA 2048-bit keys, are 3 cents per 10,000 transactions.
    - More advanced key types that are more secure than RSA 2048 are about 15 cents per 10,000 requests.
  - Premium Tier:
    - Pricing is similar to Standard, except that it also offers HSM-protected keys, which are priced per key on a sliding scale: the per-key price goes down the more keys you have. You can learn more about how this works on the Azure pricing pages.
Once a Key Vault has been created, keys, secrets and certificates can be imported or manually created. It’s simple to manually create a secret:
- Click ‘Secrets’, then ‘Generate/Import’. This opens the ‘Create a secret’ dialog.
- Choose a name for your secret, such as DevAdventureWorks for the connection string to the Adventure Works database in the development environment.
- Then enter the full connection string in the value field and write a brief description of the secret in the content type box.
- Click ‘create’ to complete the process.
Once you have created keys or secrets, you can use them from any of your Azure applications. All you need to do is grant the application's identity permission to access the Key Vault (in the vault's access policy) and configure the application to authenticate to the Key Vault and read from it.
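As an added example that is not from the original post, here is the same procedure scripted with Azure PowerShell rather than clicked through the portal: create the vault, store a connection-string secret, grant a Data Factory's managed identity read-only access so no password has to be handed to developers, and rotate the secret by writing a new version. The resource group, vault, factory and region names are placeholders, and the connection strings are constructed sample values; none of them refer to real resources.

```powershell
# Added example (not from the original post): the portal steps above as an Azure PowerShell script.
# Placeholders, not real resources: resource group, vault name, Data Factory name, region.
$rg        = 'rg-adventureworks-dev'
$location  = 'eastus'
$vaultName = 'kv-adventureworks-dev'   # must be globally unique
$adfName   = 'adf-adventureworks-dev'  # the Data Factory whose pipelines read the connection string

Connect-AzAccount | Out-Null   # interactive sign-in for the administrator running this script

# 1. Create the vault (Standard tier; use -Sku Premium for HSM-protected keys).
#    Purge protection keeps a deleted vault or secret recoverable for the retention window.
New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location $location -Sku Standard -EnablePurgeProtection | Out-Null

# 2. Store the connection string as a secret. The value never goes into application code or
#    pipeline definitions; the content type is free text and serves as the description.
$connectionString = 'Server=tcp:dev-sql.database.windows.net,1433;Database=AdventureWorks;User ID=app;Password=<placeholder>;'   # constructed sample
$secure = ConvertTo-SecureString -String $connectionString -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vaultName -Name 'DevAdventureWorks' -SecretValue $secure `
    -ContentType 'Connection string: Adventure Works, development' | Out-Null

# 3. Grant the Data Factory's system-assigned managed identity read-only access to secrets.
#    The factory authenticates with its own identity, so no credential is stored in code.
$principalId = (Get-AzDataFactoryV2 -ResourceGroupName $rg -Name $adfName).Identity.PrincipalId
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $principalId -PermissionsToSecrets get,list

# 4. Rotate the connection string later by writing a new version of the same secret.
#    Consumers that reference the secret by name pick up the latest version; the pipelines do not change.
$rotated = ConvertTo-SecureString -String 'Server=tcp:dev-sql.database.windows.net,1433;Database=AdventureWorks;User ID=app;Password=<new-placeholder>;' -AsPlainText -Force   # constructed sample
Set-AzKeyVaultSecret -VaultName $vaultName -Name 'DevAdventureWorks' -SecretValue $rotated `
    -ContentType 'Connection string: Adventure Works, development' | Out-Null
Get-AzKeyVaultSecret -VaultName $vaultName -Name 'DevAdventureWorks' -IncludeVersions |
    Select-Object Name, Version, Enabled, Created

# 5. How a workload with a managed identity (e.g. an Azure Automation runbook or Azure Function
#    that has been granted 'get' on secrets) reads the value: no password anywhere in its code.
#    Connect-AzAccount -Identity | Out-Null
#    $cs = Get-AzKeyVaultSecret -VaultName $vaultName -Name 'DevAdventureWorks' -AsPlainText
```

Step 3 grants only `get` and `list` on secrets, which is all a reader of a connection string needs; the administrator who runs steps 1, 2 and 4 keeps the write permissions, which is the separation between security maintenance and application development the post describes. Step 5 is shown commented out because it is what runs inside the workload, not on the administrator's machine.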
Azure Key Vault is an easy to use service that offers you secure key management to protect your valuable data in the cloud. If you have questions on this or any Azure product or service, we’d be happy to help. Click the link below or contact us—we’re here to help you leverage Azure to take your business from good to great.