Azure Key Vault Deep Dive (AZ-500)

Reddit Comments

Great stuff, thank you John, I will be sitting the AZ 500 soon so this is gold!

u/marbul83 · Apr 06 2021 · 1 point

Been dealing with this a lot at work lately. This is perfect timing. thanks.

Just a quick question and I know it may sound stupid but I just need to ask because this was asked of me.

Key vault is more of a CI/CD tool than a credential manager, correct? I'm being asked to use key vaults as a password manager for an org and I'm pushing back because I believe it's not built for that.

u/the4mechanix · Apr 06 2021 · 1 point

Great stuff as always!

u/itsnotaboutthecell · Apr 07 2021 · 1 point

Captions
Hey everyone, in this video I want to do a deep dive on Azure Key Vault, this secure resource in Azure where I can store secrets, keys and certificates and actually perform operations with it. As always, if this is useful, a like, subscribe, comment and share is appreciated.

Now, I do want to stress one thing right from the start. If I'm working with resources in Azure, many of those support things like role-based access control, very granular access, even at the data plane. So if I can, I want to try and use that role-based access control natively on services and avoid using things like access keys wherever I can. But there are still times where, hey, I need a secret, I need a key, I need certificates. So let's start off: what are we even talking about? I say secrets, keys, certificates; what do these things really mean?

I can think of a secret as basically some arbitrary collection of ones and zeros. There's no fixed format, there are no standards that are enforced; it's literally just a whole bunch of ones and zeros. So what we really want to be able to do with a secret is, well, yeah, I want to be able to import that secret in or create the secret, but also be able to read it back out. I can both write it and read it. An application will go and grab it and then use it to do something, so this secret does move around. I still want to protect it as much as possible, and I definitely don't want it in source code, but it is shared: this thing actually gets read by the application and used by the application, so it can't just exist in some super secure enclave.

That's super different when I think of something like an actual key. When I think about a key, we are talking about something that has very defined standards about the format and about the randomness that is ensured for the generation of it. It can be symmetric or asymmetric. So remember, symmetric is where the same key is used, for example, to both encrypt and decrypt. Asymmetric is when there's a public and private key, and if the public key is used to encrypt then only the private key can decrypt. That private key part, remember, is super, super secret; the public key everyone knows about. So when I think about keys, well, absolutely we may want to do an import or maybe a generate, but there is no concept of reading that back out. What I will do within that area is perform certain types of operation, and by operation I'm really talking about cryptographic operations: decrypt something, maybe encrypt as well, but typically the encryption is going to be done with the public key, so I can do that anywhere, but only wherever I store that private key can do the decrypt operation. Maybe signing: again, I sign with my private key so anyone can then check that. So there are certain cryptographic operations I'm going to perform with that.

And then I can think about, well, then there are certificates. A certificate is really the idea that, well, it's keys again, but they're wrapped in a kind of envelope. So once again with certificates I can think about, well, yeah, I'm going to bring that thing in, because remember we have the private and public key as part of that, so again I can import that or I can generate a self-signed one, but also I can actually go and get that thing, I can bring that out, because once again this has the concept of the public part and the concept of the private part in that envelope. Now again, these keys could be asymmetric or symmetric, so maybe there's a public and private part, maybe it's just a single key. But what I want to do with certificates also is think about the life cycle, and the life cycle could be, hey, I'm requesting that certificate from a third-party public CA, it could be renewing the certificate, it could also be the distribution of that certificate. So I may actually go and interact with things like a public CA, I might go and distribute them to machines; there are various actions I want for certificates.

So now I think about, okay, well, what is this service? Those things I just drew are all based around what I want to do with Azure Key Vault: it supports secrets, keys and certificates, and that's what its job is. Now when I create an instance of Azure Key Vault I'm going to create it in a certain region, so this here is, let's say, region 1. That could be East US, it could be West US, wherever that is, but the Key Vault is created in a specific region. That's an important thing to know. And it's going to focus on those three types of data that I just talked about.

The easiest way to understand this is to go and take a look at it. If I jump over to my key vaults, I have two. I'm going to focus on the second one for now, but actually even before I do that, notice I can say, hey, I want to create a new Key Vault, and the key part is I give it a name for my Key Vault over here, I pick a region where I want to create it, then there is a pricing tier, Standard and Premium, and really the options we have are the region and the pricing tier. Now you'll also see some other options. Soft delete is always enabled now; I'm going to talk about that later on. I can turn on purge protection, which we always recommend you do, and I can set a number of days for that. And then there's this access policy that again I'm going to come back to. But it's really not a lot I do: hey, give it a name, a region and the pricing tier.

Once I've actually done that, I'm going to come out of this. We can see we basically break it down into those three types of object: keys, secrets and certificates. If we look at keys, for example, well, I've got a key here, I can select that key and look at it, and notice I can download the public key, there's that button up here, I can get a PEM file with the public key, but I can't get the private key. There's no way for me to go and extract the private key, because keys, again, I can import them in or I can generate them in Azure Key Vault, but I can't get it back out. The private key is considered this super, super secure thing; I do not want it to leave the boundary of Azure Key Vault. Now I can generate or import one. Let's say it can actually do a generation: I can select the key type, RSA or elliptic curve, the key size, I can set expiry dates, which is a good practice for these types of things, or I can import, or I can restore a backup. An import would be, hey, I've generated this using some secure technology on premises, and then there are technologies to securely import those into the Key Vault. I'll give it a name and it would generate a new key for me.

Then we can think about secrets. Again, a secret is all about, well, it's something I store but also I can just read it back. You notice here I have this option to, hey, show me the secret value, so if I select that, the secret value is "password". So it's storing it securely but I can go and fetch that thing back out if I want to.

And then there are certificates. So again I've got this self-signed cert. The way this generally works for the certificate life cycle is it can actually talk to certificate authorities, and there are, I think, two key ones supported today, DigiCert and GlobalSign. So when I do this it will go and do things like, hey, request the new certificate, automatically renew it for me, and then again it can help with the distribution. But here on my certificate you can see, hey, there are issuance policies around it, I can go and look at this and I can actually download the certificate, so I can actually go and get the private and public key of the certificate. That's all available to me. So I've got those three key types of objects. So certificate
management is all about that birth-to-death of the certificate with the certificate authority; that's the key point with that.

Now you also would have noticed, for all of those things, there were versions. When I looked at the certificate there were versions, the keys there were versions, secrets there were versions. That's not really native to any of the types of data; that's really just Azure Key Vault forming a relationship between, hey, I can create a new secret, call that a new version of this particular one, and it helps with applications so that I can rotate nicely, and that older version is still there to carry on being used until it rolls over and uses the new one. So we have this concept of versions: hey, create a new version of the secret, maybe I want a new password; hey, I want a new version of the key, every six months I rotate the key, for example. So we have that version concept.

Now you saw when I created the Azure Key Vault there was the concept of Standard and Premium, and maybe the easiest way initially is to look at the pricing. If I look at the pricing details of Azure Key Vault, so you can understand what the difference is, it really boils down to one thing and one thing only. You can see Standard and Premium: secret operations, the same; certificate operations, the same; okay, that's weird; software-protected keys are the same; HSM-protected keys, Standard: not applicable, okay, but on Premium we now have this idea of the HSM-backed service. So the key point with this is that for Standard it's all software-based protection for my Azure Key Vault. We talked about these three types of object, and so I can think about, well, there's this Standard tier, and, let's bring this in a bit, a Premium tier. Now no matter what I'm doing, the key point here is really, instead of Standard and Premium, I could almost write software and hardware. So here Standard is always going to be software protected, as is the Premium. So what I can actually say here is, well, I'm going to write Premium as well, because Premium does actually use software for certain things, but then Premium can also use the HSM for certain things. But only Premium has access to HSM; Standard and Premium have access to software. So secrets are always stored in software, whether I'm using Standard or Premium; and whether I'm using Standard or Premium, certificates are always stored in software. Now for keys, both Standard and Premium can store in software, but only Premium also has the option to store it in HSM. So remember, HSMs are these hardware security modules that use hardware to protect and perform the various cryptographic operations. When I perform something like a signature, it's done within the hardware; that key never leaves the boundary of that hardware. So this is only Premium: I cannot use an HSM in a Standard type of account. That's the huge difference between them. Premium lets me have the option of creating an HSM-backed key, and so it's going to cost me a bit more money.

If we go and look at this for a second, let's look at my vaults. This vault, my Savill vault RBAC, when I look at the pricing tier, notice the pricing tier is Standard, which means I can only do software. So when I create a key my options are RSA and EC; that's all I can do. If I go and look at my other key vault, we can see the pricing tier here is Premium, so now when I create a key notice I also have two additional options, the HSM-backed key types. These will actually store and generate that inside the HSM and do the cryptographic operations inside the HSM. And that is literally the only difference between them: I have that option to have that HSM protection when I maybe need that even higher assurance of security and want to go beyond just software.

Now there is actually a kind of third option. I'm going to draw a terrible line right here. If I think about these, there's also, and it is a terrible line, there's also a managed HSM. What the managed HSM is basically doing is this. Remember, with Premium I can still create secrets and certificates in software, I still have the option to create keys in software, but I also have the option to create HSM-backed keys. With a managed HSM I can only create HSM-backed keys. So if I create a managed HSM, I cannot create secrets, I cannot create certificates, I cannot create software-based keys; I'd have to do a different vault for that. And what's happening here is this managed HSM is actually a dedicated HSM partition. Within the physical HSM constructs it actually supports partitioning, so think of this as its own security world; it's completely isolated from any other. Also things like confidential compute enclaves are leveraged as part of these solutions. So if I'm thinking, hey, key vaults, and maybe I need to go even another step with the HSM, there is this concept of a managed HSM as well. But for most of us mere mortals we're going to focus on those Premium and Standard, and again the only difference is Premium can also create HSM-backed keys, but it doesn't change anything about the way I interact with it.

Now I guess there is one other thing you can do, technically speaking, with the managed HSM. For these keys, these are all asymmetric; it's using RSA or EC, as you saw, elliptic curve, so both of those are asymmetric algorithms, public/private key. Managed HSM does also add the option for AES. AES is a symmetric algorithm, the same key used for encrypt and decrypt, etc. So if I do the managed HSM I'll get an additional option where I can actually use AES as well, whereas these are all RSA or EC, as you saw when I showed that example. So those are the key differences between them, and you can see which one I want; I'll pick the various one.

Now, it's about versions already, but just to show that super quickly, if I go back over to my Savill vault RBAC and look at my key, it was just a current version, but I could absolutely say, hey, I need a new version, I say I want you to generate it, and create, and that's it. If I refresh, there, I have a new version, but the old current one now becomes an older version. I can do exactly the same thing with secrets. If I looked at my secret2, here's a current version; I can create a new version of the secret, and I put that in, I can put a content type, I might just say "hello", you don't have to put that, or I could make that a requirement, I might say I know it's a password or something, create. So now once again I have a new version, I could look at that, I could see, oh, it's a newer secret, and then the older version is still there, that was another password. So I have this concept of versions as things change, as I rotate those things around.

Now one of the things that can happen, and this is where we start talking about some of the configurations, is obviously I can delete these things. I could delete a key, I could delete a secret. And the whole point of these things that I'm having over here is they're going to be used for things: a secret, it's access to something; a key, I might be using that to encrypt something. So imagine I'm using this key to encrypt a storage account and then I delete it. That's a pretty bad day for me, because now I've not just lost the key; that key was used to encrypt the data encryption key that encrypts blocks of data in my storage account, and I've now lost it. So there are two key settings we think about. The first is soft delete. This means, hey, when I have soft delete turned on, even if I delete it I can go restore, I can get that back. So we always want this soft delete option turned on in our environments. And then the other thing is what they call purge protection. Purge protection basically says, hey, it doesn't let me purge things I've deleted prematurely. Otherwise I could say, if I was malicious, I could delete it and even with soft delete I could
then go and purge it quickly. So let me look at our key vault. I'm going to come to this when we talk about best practices, where I'm going to focus on this a little bit more, but on your key vault you'll actually see you have this concept of soft delete and purge protection, and these are one-way operations: once I turn these on I cannot turn them off. So if I look at soft delete, well, it's enabled, it's 90 days, and I cannot change it. I've also got purge protection turned on; I cannot change that, I cannot turn it off. And the default now, you saw it when I created a new key vault, is I can't select to not have soft delete anymore, but I can opt not to do purge protection. My recommendation would be to always turn that on; you really do want that. See, I've got that on both of mine. So those are very useful technologies to really help protect you from yourself or bad people doing things in your environment.

So now let's talk about how I control access. We've talked about, well, these things are super important: I'm encrypting data, I'm signing things, it's validating I am who I say I am. Well, I need to make sure only the right people, the right applications, can actually access it. And there are actually two ways to control access to things. I can think about, I don't want to use red because that's something bad, we'll do purple, so we have the concept of access policy, or, I'm going to do this in green, role-based access control, and from my colours you can guess which one I'm going to favour here. Access policy was the original, and the issue with access policy, and we're going to give this one a little star because we like this one the best, is it applied to everything in the vault. What it would basically let me do, and let's just look at this, is I could only give permissions to a type of object. So this is my Savill vault over here; if I look at access policy you can see my mode is vault access policy, and what we see here is I create access policies, so I can say, well, here, user Clark Kent, or it could be a service principal, it could be a managed identity, I give it permissions to the three types of objects, keys, secrets and certificates. Those permissions apply to all instances of secrets in this vault. I cannot be more granular; I cannot give Clark access to two secrets but not others. So if I wanted that kind of granularity I'd have to create multiple key vaults. That's why we prefer the new model with role-based access control.

You can see now those policies have just gone. So now instead I can set things at the vault level still: I could give someone certain roles at the vault, so like me, I'm a Key Vault Administrator, Clark Kent can read the objects but not actually get access to the data plane from there. But then I can dive into detail and see, well, for secret1 it has its own access control, and I can see, well, secret1, okay, well, Bruce Wayne over here has Key Vault Secrets User, so Bruce Wayne can use that secret, i.e. get it to actually use it. Whereas for secret2, this time the Key Vault Secrets User, there are actually two here, okay, but I can see a function has access to it and so does Clark Kent. So Clark Kent actually has access to this one. So it's granular at that item level. Just checking sync here for a second, there we go, okay. And you notice actually on this one there's this weird "demo VM" that has Key Vault Secrets User for secret1, and I'm going to show that in a second.

So here I've got a different session. This is actually logged on as Clark, you can see here in the top right corner. So Clark Kent, because he's got Key Vault Reader, well, Clark can see everything I can see, there are two secrets, I can go and look at secret1, but, hey, "this operation is not allowed by RBAC". I can't see the current version and I can't do it, I can't get access to the secret values, I don't have permission. Whereas if Clark looks at secret2, remember on secret2 Clark has, at an item level, that Key Vault Secrets User permission, so on secret2 I can look at the current version, I can actually see the value. So we have this super granular set of permissions to say exactly what can be done. So generally we're going to use that; I don't really want to have a ton of separate vaults if I can help it. Now I could give different apps permissions at individual secrets, individual keys, individual certificates; I now have that capability.

Okay, that's good for a user. Most of the time, though, this is not users leveraging these things; most of the time I'm going to have a resource. So I can think about, okay, well, I have a resource in Azure. That could be a virtual machine, a function, something. So the best thing I can do here, if I can, is, well, you get a chicken-and-egg problem, because I have to be able to authenticate to Key Vault. Well, if the password's in Key Vault, how do I prove who I am to be able to authenticate to get access to the secret? We solve the chicken-and-egg problem because resources in Azure can use something called a managed identity. This is a native Azure feature. Just by being that resource, I can turn on this managed identity: system-assigned, where it's just automatic, life cycle tied to the resource, or user-assigned, where it can be shared by multiple resources. So now that managed identity I can give permissions via RBAC; I could have done access policy as well, but again we don't want to do that big generic thing, to certain secrets. So it will authenticate as the managed identity and I give the managed identity permissions through RBAC. And we can see that: if I jump back over, remember on that other secret, what we're looking at right here, this secret1, remember "demo VM", interesting. What I did was I did add role assignment, the role I wanted to be able to access the secret, so it's Key Vault Secrets User, and then I selected a managed identity, and I selected my VM, I selected my virtual machine. Now again that virtual machine is nothing special at all, I just on that virtual machine turned on its built-in system-assigned managed identity.

Now what that means is, from that VM, so if we jump over, actually before I jump over I'm going to copy one little bit of code because I'm lazy. If I have a managed identity I can actually just authenticate as that identity: I can do Connect-AzAccount -Identity to use my built-in managed identity. So I can take that, which would take all of this big block of code, because I'm very lazy, and if we jump over to here, and just to save that code for a second I'm just going to paste that. So the first thing we'll actually do is let's authenticate in this window. I want to use the managed identity. No, it's not working, so I'm trying to be lazy, let's try one more time. There we go, so we can see it's authenticated and I didn't give it any credential, it just authenticated as itself, this MSI. So now all I'm going to do is, from here, I'm going to take this entire piece of code. Now what this code is fundamentally doing, it's really the first line that's the important part. This first line is saying, hey, get the secret from the Azure Key Vault. So if we just paste that one line, notice it worked. Now let's prove a point, because remember I only gave the managed identity access to secret1: if I try and get secret2, it fails, I do not have permission. So the managed identity only has permission to secret1. But now, and this basically just takes a secure string and shows it, that's all this block of code does, so now I just paste all of that in, and there's "password". So that shows how, if I'm an Azure resource, fantastic, I'm just going to use managed identity and then give the managed identity permission if I still need access to some secret or something else. Now again, remember, if I have a managed identity and I'm accessing an Azure resource, in an ideal world I would just use RBAC on whatever that target resource is. If it was a blob storage account I can do data plane RBAC, so we'll just give the managed identity direct
access at the data plane using role-based access control on the target resource. I don't want to mess around with an access key or something else. But maybe I can't: it's a resource that still uses an access key, or I need a key for something else, or I need a secret; I will secure it with that managed identity. So that's great, but what about if that's not the scenario? What about if I'm something on premises, I'm a resource, and once again I still have that challenge that I have to authenticate to Azure Key Vault before RBAC will kick in and say, okay, we know this person, you have access to these things. Managed identity is easy if I'm in Azure. If I'm on prem you're really back to a service principal; there's really nothing else for it. This is where I would have a service principal. So remember, a service principal is something I create in my Azure AD, and I'm going to authenticate either using a secret, i.e. a password, or it's going to be a cert, which is preferred. But realize you're back in that chicken-and-egg scenario a little bit here. I'm running my code on prem, I'm going to use this secret or this certificate to authenticate to Azure; where am I storing this? I don't want to put it in my code, I don't want to put it in my config file, so now I'm really back to the idea that, obviously, I can't store it in Key Vault because I have to authenticate to Key Vault to get this stuff out. So one of the things you're back to is, well, on premises I need some local vault technology, ideally, where I could store these things securely, so not in my code. And there are various solutions out there for this: I know HashiCorp has them, PowerShell has this idea of a secure store now. But think about that; under no circumstances stick it in your config file or your source code that then goes and gets pushed into GitHub or Azure DevOps or something, and then you have a bad day. But the whole point of all of this is this RBAC gives me this granular set of permissions, which is fantastic, so this is why we want to do this. But just realize, hey, I have to authenticate to Key Vault to get access to the stuff, so you're going to have a service principal.

Now I did a whole video on unattended authentication to Azure; my demo is based around PowerShell and a storage account, but exactly the same thing would apply here, so go and look at that video. I walk through using a managed identity, I walk through using a secret, and I walk through using a certificate, so you definitely want to use that. If you're using Azure Arc on premises, so Azure Arc is the idea, it's Arc for servers, it's bringing the Azure manageability to on-prem, so Arc for servers has a local managed identity concept that's just automatic and it can be used to authenticate to things like Key Vault. So if I'm using Arc, potentially, hey, Arc has a managed identity concept, so maybe I can use that if I'm doing that Arc for servers. So you could definitely take a second and go and look at that.

The only other thing, when I think about permissions on my key vault itself, is if I'm using the Key Vault for things like ARM templates or disk encryption sets, I have to say yes, I'm allowed to do those things. So on my Key Vault, in my access policy, you see these "enable access to" options. If I want to use it for things like BitLocker, or for just regular, hey, I'm using it for an ARM template, or if you want to use it for a disk encryption set or ADE, then I have to turn it on; so not a disk encryption set but Azure Disk Encryption, the BitLocker stuff, I have to turn these on or those resources won't be able to actually access it. It talks through, hey, look, here VMs are permitted to retrieve secrets, it's allowed to retrieve secrets, it's the wrap and the unwrap. So make sure you turn those on if you're using those various types of options. So that's all about permissions. Okay, great, that's about, hey, I'm authenticating and what I can do, and I'm going to join these lines to access the data plane of my key vault.

What about actually the connectivity to it? I can think that, yes, like all Azure resources, there are controls on the service, and it really is in common with all of the other Azure services. I can restrict to certain IP addresses. I can restrict to service endpoints. Remember, a service endpoint is where, once again, I'm a resource in Azure and I'm in a certain virtual network, so that's a VNet, and then I have a certain subnet. The service endpoint is when I take that subnet, I turn on the service endpoint for Key Vault, and it makes it a known entity, so, subnet 1, and I can say, hey, yeah, subnet 1, I'm going to let you come through, and I get this optimal route. I can also do private endpoints. Remember, a private endpoint is when I basically project, so once again I can think about, here, this is Azure Key Vault, a private endpoint creates an IP address, I'll just say private endpoint, inside that virtual network I specify, and there are special DNS entries I add, but now I'm accessing it via this IP address, so I can really lock that down.

So if we go and look, I just go and look at my networking, and right here I can say, okay, I could add certain IP address ranges; these are public-facing IP addresses I want to be allowed to access. I could add a virtual network. Now again, the way a virtual network works is a service endpoint. If I just quickly went and looked at some of my virtual networks, look at this one, and I looked at a subnet, you can see all my different subnets over here; notice I can turn on a service endpoint, so here if I type in "key" there's Key Vault, so I could enable the Key Vault service endpoint for this subnet. Now that just makes it known; it doesn't give it permission. So then once I turn on the service endpoint, and I don't technically have to do it in advance, it will actually do it for me in one go, but then I could actually go to my key vault itself and then I can say, hey, I want to add an existing virtual network, and what subnet do I want, and basically it's going to say, hey, look, I didn't turn that on, but it will offer to create it for me. So now I can actually go and add that subnet, so only things in that subnet would be allowed to actually come and talk to me. Or I could lock it down by private endpoints: I could go and create a private endpoint in a particular network and restrict access to only things coming from that private endpoint. So that would be an option for me as well. So I have all of those different ways I can think about controlling access into my Key Vault. We think of the two different levels: yes, the granular role-based access control on who the person is, that's RBAC, and I can think about controlling from the network perspective, the traffic actually coming in.

So from that network access perspective this is all great, super granular, controlling the access on the network, all these great types of things. That exists in a region. What if something happens to the region? And so what happens is, remember, in Azure regions are paired. There's this built-in pairing of regions. Now I don't get to pick these, but there is a pairing of them, just native; you can go and look these up. And what is happening here is this replicates to the paired region. Again, I cannot pick a different region, but it is going to replicate to that paired region. If we go and look at the documentation, let's look at this, this shows me what the paired regions are, so I can quickly see, okay, well, based on the regions, what are the various pairings within them. That's where it would actually be. Now remember, the Key Vault is not restricted to the local region, so even if something happened and it fell over and I was trying to use it in a different region, I can still access this. If something happened to this region, the DNS entries are automatically updated and will redirect to the paired region. I don't actually have to do anything.

But what about if I want to do a backup? Remember, secrets, I could just write my own thing to fetch it and write it somewhere else; certificates, I can fetch it and write it somewhere else; keys, I can't. I kind of focused on public/private here; remember this depends on if it's symmetric or asymmetric, there's public/private there as well. I can't get the private key; there's no way to get that out in a format I can do anything with. Well, that's not strictly true. So one thing I can do is I am allowed to back up. I can create a backup, and that backup can be restored. Now where can I restore it? I can restore it to any region in the same security world, which really in most cases basically means the same country. So it's any one in the same country, the same security world. So if I was in East US I could restore to West US, but I couldn't restore to Europe. And the way I can see what those are is if you actually go and look at the Azure regions, there are tabs and the tabs represent those security worlds, those countries. So if I actually look at this for a second, let's have a quick look. Firstly we can see the documentation talks about that restore, and the restore tells you where it has to be: the same subscription, and they have to be the same geographic location. Okay, so what is the same geographic location? The geographic location basically boils down to, it's saying, the major headings in the tables, those are the security worlds. So if I go and look at Azure regions, the major tabs are United States, Mexico, Chile, Canada, Brazil; if I was to go and look at, I don't know, United Kingdom, so I could only back up and restore to these. That's the key point. I could not back up from Germany West Central and restore it to United Kingdom; it has to be the same security world. So that's the key point: if I want to use those built-in capabilities, yes, I can back up and restore, but I have to back up from a store in the same
security world because of the way behind the scenes when you do that backup it's encrypted so that only something in the same security world actually can decrypt it so i'm saying the same country here but the really the point is it's the same security world that is kind of the the big feature it's the same security world so i can back up i can restore so anywhere in the us i could back it up and store it somewhere else i can absolutely do that now i also mentioned that hey i can access this key vault from other regions but realize some resources they want the keyboard in the same region as the resource like a storage account it wants the key volt in the same region and sql transparent data encryption tde wants the keyboard in the same region there's latency there's controls around that so for some services like sequel is a good example i can have asynchronous read replicas in other regions if you follow the guidance it will talk about hey yeah you need to create a keyboard in every region i have a sequel async read replica and it's kind of my responsibility to make sure the same key material is in each of the keyboards so in that case i would probably create the key locally and i would do that kind of secure impul into the key volts in all four of the regions if i had four async read replicates so that would be my responsibility to do that so that's kind of a key point another good thing to use is azure policy we talk about azure policy all of the time as a way to kind of set guardrails set these controls keyboard is no different if we actually go and look at azure policy there are a massive great things we can actually do now i talked before about kind of different algorithms and key lengths um i talked about how long saying should last for expire is so if i go to policy look at my definitions if i change the category let's unselect everything and we just look for key vault there is a mass of different things about key vault now there's some obvious ones hey i 
should have purge protection enabled i should have soft delete enabled yes yes yes all day long yes i can turn on things like hey i should have a private endpoint but what i'm interested in the things like hey look certificates should have a maximum validity there are allowed key types keys should have expiration dates keys should have secret should have maximum validity so i can go through and actually all of these different things hey look keys using rsa should have a specified something let's see what that is uh i see maximum key size so i have all of these options that hey i can really control what my azure key vault should look like i can lock all of those things down to make sure it is exactly what i want it to do so go through those you have policies in your organization i'm going to start using keyvault work out what your policies are be able to write them down and then i can use azure policy to actually think about enforcing them so really make sure i'm not quite sure where to put it on this picture i've got so much stuff on here but kind of use azure policy i'll just draw in kind of the always add azure policy we want that at the arm levels no matter what we're doing power shells it doesn't matter what it's going to enforce those things for kind of that governance so with that said um i talked about kind of best practices and i just wanted to kind of go through uh a few little things when i think about really ways to use this and kind of avoid getting in trouble so best practice this is so rule one funnily enough back up your keys and by saying i'm saying keys but you want to back up everything you have now you might say why am i doing this remember azure's already replicating it honestly if you have soft delete and i have purge protection turned on i'm in a pretty good place because i i'm i'm pretty protected so as long as i have kind of that soft delete and i have purge protection as long as i've not got silly values i should notice something's a mess 
before it impacts me in a negative way and i should be able to bring them back but the reason we're doing this is really for two key reasons uh i can think about well it could be an insider mistake someone's not focusing and they delete this key they delete the secret my mistake whoops uh wrong button i wrote wrote the script that wasn't very good i left off what if and i've wiped away and i now can't get to my storage account with these things i could just restore it anyway or it could be a malicious insider or attacker or whatever that could be and again this would protect me from that to a certain degree but if i have a backup of the keys it really just helps me so i think about hey definitely these are best practices have this soft delete turned on make sure you have purge protection turned on again that soft delete is all about hey i'm softly for x days whatever you have that suit i think 90 is the most have that turned on but make sure you kind of back up those keys it's good to have that i would think about make sure you use rbac so i want to use role-based access control i don't want to do those vault level and make sure you're kind of doing least privilege don't give people access to more than they need don't give them rights beyond what they need just individual secrets the nice thing here is with the r back i can use things like mfa i can hook into things like conditional access i can do those same things to kind of lock down and control and if i'm using r back i can also use pim swimmer pim is that privileged density management i.e just in time so maybe i'm sort of some administrator with heightened permissions well i have to elevate up before i get the permission and then i can do the various things so i think about using that um make sure you've got audit logs turned on so i can see who is doing what so i want my audit logs that's kind of super important again that's diagnostic settings and i can send it somewhere that will also give me things like 
insights as i go through and i guess if i write my own custom applications the idea of having kind of primary um secondary credentials so i can rotate them so again this is more about my apps built-in stuff is going to do this automatically but think about the idea of a primary and a secondary because then hey i can be using one i can rotate the other then my app can switch to using the other one it just makes it much easier for my application to actually use so there's some of the things that i would think about for my application now there are limits to key vault if we quickly go and look at the limits i mean they're huge i would not really anticipate they cause you a problem so here i can see here are the key types of transactions i can do so hsm key transactions um 1000 250 125 this is every 10 seconds then the software keys so this is about keys and then for secrets um other types is 2 000. that's a lot so 2 000 every 10 seconds you really shouldn't be hitting those limits i mean the way you're going to write your application is for most things you're not constantly going and getting this from the vault every time you do sync you might go and get this it's stored in memory or something you're using it you're unwrapping something so but just be aware that there are limits to what i can actually do and how i can use them which brings me to really one final thing and that's really about using those for rotation so i thought about things like all this primary secondary key and then many services in azure actually use azure key vault or they might use like this internal bootstrap version of key vault that removes some dependencies so it's kind of uh more available for some of the start-up scenarios so with services in azure many of the times i can do like a microsoft manage key which is where it might use keyboard it might use this bootstrap version where i can use a customer managed key so with that resource i can think about okay because we want that encryption 
at rest so i have some resource and i really want that encryption at rest so once again i can have the idea of kind of the microsoft managed key where i don't really do anything or i can have this kind of customer managed key and again that key is going into azure key vault and you can see this if i go and look for example i really any service there is but if i just pick a storage account for example i can do my encryption you can see i'm using a microsoft managed key but i could change it to a customer manage key if i select that it's going to say oh okay well it's from a key vault which key volt is it in so i'll say okay it's in that key vault and it will either say hey use a key you have or i can create a new one but that's now in my key vault and pretty much all of the services are going to give me that same option now the issue then really becomes okay that's that's great what about the rotation of those things so it's now my responsibility have said hey i want to manage that but i have to rotate it now so this is a huge thing that i am responsible for now remember i can use things like azure policy to remind me remember i can set those policies about kind of uh lifetime how long it can last for the key durations all those things so we'll say hey look you're coming up to this point you need to rotate this and what really my focus here is be aware different services do different things some services hey so i have my key so i've got this key custom managed keys and azure key vault so fundamentally i have a key and remember we have versions so i as the person can say hey new version that could be generating it it could be importing it but i've created a new version now different services will behave in different ways something like azure storage things like actually now data encryption sets which are used for managed disks they will just automatically see it they will auto see there's a new version and roughly one hour switch i don't have to do anything else sql 
server is different sql server because i might have those async read replicas in different regions i need the same key material after i rotate to a new version i have to do something so something like sql today and this could change um it's manual it is not going to say hey there's a new version i'll start using it i have to say okay i'm going to go and use this new version when i click this button and the way you can generally tell because there's like 70 of different services that use this the way to generally tell is when i do the configuration when you do the configuration you have to tell it the key so you're saying hey i want to use this key for the encryption when i tell it the key if i don't have to say a version then i'm going to expect it to be automatic i create a new version that service i didn't tell it a version to use i just said use that key within some time frame now is pretty typical it will just see the new version and start using it so this is the config of service so this could be again um an azure storage account this could be an app service app services can now just point to a secret or what a key whatever that is and we'll just automatically go and get the new version now didn't used to do that if i have to say a particular version when i do the configuration then it's going to be manual hope that makes sense if when i'm configuring the service to use a customer managed key and i have to tell it a particular version of the key then when i create a new version i'm going to have to update it to now use that new version i've generated if when i configure the service i didn't have to do that and i just said hey use this key and i didn't say a version well it's responsible for going and getting the version and doing that auto rotation i still have to create the new version of the key but i don't have to go and tell the service to start using it it will just kick in at a certain point azure storage is actually an interesting one azure storage also 
has the idea of the access key which is kind of those two keys that give me global access that can actually be stored as a secret and azure key vault there's actually kind of some extra stuff that will automatically go and rotate the storage account key on the storage account and store that new version as a secret and azure keyboard it's kind of an add-on thing but that's not the encryption at rest the encryption at rest is done using the key that's kind of the key point um for that but those are really the key things i want to kind of point out um for this so as your key vault kind of super powerful i can have those three different types stored within it use role-based access control i can control the network access through things like service endpoints i can use private endpoints it's going to replicate automatically to the paired region but i can backup and restore to any region in the same security world are you the same country i do have to authenticate to the key vault to get those things so if i'm a resource in azure again ideally i just use my native managed identity and use our back at the data plane to the resource but if i can't if i still need a key or a secret or something else then i can use the manage identity to authenticate to key volt and then use the r back on the managed identity on premises if i'm using arc maybe i can leverage its native managed identity but for most things i'm going to need a service principle in my azure ad and then use a secret or certificate then i have that chicken and egg problem i'm going to have to store that somewhere locally to then be able to authenticate remember there is the standard and premium premium the only difference is i can have hsm backed keys hardware always in the hardware these are asymmetric keys public private and there is the managed hsm as well which adds a symmetric the aes went through some key best practices back up your keys use that r back the least privilege turn on audit logs primary and 
secondary and if i'm using these keys for kind of a customer managed key for services basically if it doesn't make you select a version it's going to automatically pick up when it's rotated for me if i have to say a version hey it's going to do that and i had one little demo i think i'll just show it super quick so all i'm going to do in this is i'm actually just going to show you encrypting and decrypting something so what i'm going to do first of all is i i need a token um for myself so what i'm gonna do here is i'm gonna get a token using my current context for the the audience vault.azure.net so it's going to actually create me a bearer token i'm going to create an all authentication header with that token in it and then all i want to do is encrypt sync so what i'm going to do is encrypt the word hello world so basically i'm going to create an encoded version of hello world and i'm going to say hey i want to encrypt with the rsa one underscore five now remember when you encrypt something to someone you're encrypting with their public key so then only they can read it technically i don't have to use key vault for this i could just do this anywhere but i'm being lazy so i'm gonna use the encrypt version of the key vault and the public key here to do the encryption so i'm going to use a web request to my vault and to my signing key and i'm actually specifying a particular version of the key so i'm going to send that and i can look at the headers i can look at the content but fundamentally i've now got an encrypted version of hello world so that's kind of that encrypted version down the bottom so now i'm going to do is create a new body with the value is now that encrypted string and again we could look at that encrypt encoded hello so hello world just looks like that sgvs the equals is a padding you always get these sets of three characters so it's kind of padding it with that equals so now i'm creating a new body with that encrypted value in it and now i'm 
encrypting it using the same key but now we use the private key but now i'm asking it to do a decrypt instead of the encrypt so i'm sending it and what i got back now is i can actually just quickly look at what it sent me back notice it doesn't have the trailing equals it doesn't put the padding in for me so i'm just adding a pad equals and then that that's it now just need to convert it from a base64 string and hello world so you basically saw me there very quickly but i kind of wanted to just show it for a bit of fun that was just me using the keyboard again the encryption i encrypt with someone's public key i didn't have to use key vault for that it puts it there as it's being nice but i don't have to now if it was aes and it was symmetric then i would definitely have to use that to do the encryption because that's where the key is but what you saw me doing just here is hey i sent to the key vault hey encrypt this for me it sped out the encrypted text using the public key and then i send it the encrypted version in saying hey decrypt so it uses the private key and it gave me the value so that was using kind of just the rest interface super easy to get a token for that as you saw through the powershell as in the github repo that i'll link in the description just want to end on fan just showing the key vault actually encrypting and decrypting tank so that was it um i hope this was useful until next time take care you
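The encrypt/decrypt demo at the end of the video, written out as an added example in PowerShell with the Az module. This is not the script from the video or its GitHub repo. It assumes a vault named contoso-kv and an RSA key named app-signing-key (both placeholders), that Connect-AzAccount has already been run, and that the caller has encrypt and decrypt rights on the key (for example the Key Vault Crypto User role, or an access policy with those permissions). Two things deliberately differ from what is shown on screen: the algorithm is RSA-OAEP-256 rather than RSA1_5, because PKCS#1 v1.5 padding is what Bleichenbacher-style padding-oracle attacks target and Key Vault supports both, and the decrypt call targets the kid returned by the encrypt response, so the ciphertext can still be decrypted after a new version of the key has been created. The base64url helpers deal with the missing padding the speaker adds by hand.

```powershell
# Added example (not the video's script). Assumes Az.Accounts is installed, Connect-AzAccount
# has been run, and the caller has encrypt/decrypt rights on the key. Names are placeholders.
$VaultName  = 'contoso-kv'       # assumption
$KeyName    = 'app-signing-key'  # assumption: an RSA key already in the vault
$ApiVersion = '7.4'

# Key Vault uses base64url (RFC 4648 section 5): '-' and '_' instead of '+' and '/', no '=' padding.
function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {        # restore the padding the service strips
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Convert]::FromBase64String($s)
}

# 1. Bearer token for the Key Vault data plane. The audience is the vault service, not ARM.
#    On Az.Accounts 4.x .Token is a SecureString; convert it with ConvertFrom-SecureString -AsPlainText.
$token   = (Get-AzAccessToken -ResourceUrl 'https://vault.azure.net').Token
$headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }

# 2. Encrypt with the public key. Leaving the version out of the URL means "current version".
$plain   = [Text.Encoding]::UTF8.GetBytes('hello world')
$encBody = @{ alg = 'RSA-OAEP-256'; value = (ConvertTo-Base64Url $plain) } | ConvertTo-Json
$enc     = Invoke-RestMethod -Method Post -Headers $headers -Body $encBody `
             -Uri "https://$VaultName.vault.azure.net/keys/$KeyName/encrypt?api-version=$ApiVersion"

# $enc.kid is the full key id INCLUDING the version that produced this ciphertext. Store it
# alongside the ciphertext: after you create a new key version, decrypt must still hit this one.
"Ciphertext (base64url): $($enc.value)"
"Key version used:       $($enc.kid)"

# 3. Decrypt with the private key, which never leaves the vault. Target the kid from step 2,
#    not the unversioned key URL, so rotation does not break old ciphertext.
$decBody = @{ alg = 'RSA-OAEP-256'; value = $enc.value } | ConvertTo-Json
$dec     = Invoke-RestMethod -Method Post -Headers $headers -Body $decBody `
             -Uri "$($enc.kid)/decrypt?api-version=$ApiVersion"

[Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $dec.value))
```

As in the video, only the encrypt step genuinely needs nothing but the public key; the decrypt step is where the HSM or software key in the vault does the work. Each call counts against the per-vault transaction limits discussed above, so an application would normally encrypt with a locally held public key and reserve the vault for decrypt and unwrap operations.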
Info
Channel: John Savill's Technical Training
Views: 12,295
Rating: 5 out of 5
Keywords: azure, azure cloud, azure key vault, vault, secrets, keys, certificates, encryption, access policy, managed identity, service principal
Id: kP7KpfToMkg
Length: 67min 42sec (4062 seconds)
Published: Tue Apr 06 2021