Azure Key Vault is a managed service for storing and controlling access to sensitive material such as cryptographic keys, secrets (passwords, API keys, connection strings) and certificates. Centralizing this material in the vault matters for any organization that wants to protect its data.
Keys are cryptographic material used for encryption and signing; secrets are arbitrary sensitive values, such as passwords and API keys, that applications use to authenticate to other services.
Both are stored in the vault, which protects them with encryption of the stored material, access control and audit logging.
Keys are typically used to protect data in transit or at rest. Secrets, on the other hand, typically hold API keys, database credentials and similar authentication material.
Creating and Managing Azure Key Vault
Creating and managing Azure Key Vault is a crucial step in securely storing and managing your keys and secrets. To create a Key Vault, you can log in to the Azure portal, click on the "Create a resource" button, and select "Key Vault" from the list of available services.
You can then enter a unique name for your Key Vault, select your preferred subscription, resource group, and region, and choose your pricing tier. Finally, click on the "Create" button to create your new Key Vault.
Once your Key Vault is created, you can start creating and managing cryptographic assets, such as keys, secrets, and certificates. You can create a new secret by running the az keyvault secret set command (az keyvault secret show only reads back an existing one), or by using the Azure portal to create a plain-text secret with a specified value.
To manage existing cryptographic assets, you can log in to the Azure portal, navigate to your Key Vault, and select the type of asset you want to manage. You can then use the available options to manage the asset, such as viewing properties, rotating keys, or revoking certificates.
Here are the basic steps to create and manage a Key Vault:
- Log in to the Azure portal.
- Click on the “Create a resource” button.
- Select “Key Vault” from the list of available services.
- Enter a unique name for your Key Vault and select your preferred subscription, resource group, and region.
- Choose your preferred pricing tier and configure advanced settings as required.
- Click on the “Create” button to create your new Key Vault.
Create and Manage Cryptographic Assets
To create and manage cryptographic assets in Azure Key Vault, you'll need to log in to the Azure portal and navigate to your Key Vault. From there, you can select the type of asset you want to create, such as keys, secrets, or certificates.
To create a new cryptographic asset, follow these steps:
- Log in to the Azure portal.
- Navigate to your Key Vault.
- Select the type of cryptographic asset you want to create (e.g., keys, secrets, or certificates).
- Click on the “Create” button and follow the prompts to configure the asset’s settings (e.g., name, algorithm, expiration date, etc.).
To manage existing cryptographic assets, follow these steps:
- Log in to the Azure portal.
- Navigate to your Key Vault.
- Select the type of cryptographic asset you want to manage (e.g., keys, secrets, or certificates).
- Select the asset you want to manage from the list.
- Use the available options to manage the asset (e.g., view properties, rotate keys, revoke certificates, etc.).
Azure Key Vault provides a range of features to manage cryptographic keys, secrets, and certificates securely, including secure storage and management, key management, secret management, certificate management, and access control.
Create Provider Class
To create a provider class, you use the Secrets Store CSI Driver, which exposes an external secrets store to Kubernetes pods through a Container Storage Interface (CSI) volume.
You create a SecretProviderClass from a YAML file, conventionally named spc.yaml, in which you specify your own values for userAssignedIdentityID, keyvaultName, tenantId, and the objects to retrieve from your key vault.
The SecretProviderClass will then be used to mount the secret as a file in a test pod. This is done by creating a pod.yaml file that uses the SPC to mount the secret as a file.
Here's a list of the values you'll need to specify in the spc.yaml file:
- userAssignedIdentityID
- keyvaultName
- tenantId
- objects to retrieve from your key vault
These values will be used to authenticate and authorize access to your Azure Key Vault.
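The spc.yaml and pod.yaml pair described above, as an added example that is not the page's own file nor the Secrets Store CSI Driver project's documentation. The identity client id, vault name, tenant id and the secret name db-password are placeholders to replace with your own values:

```yaml
# spc.yaml: added example, not the page's own file. Placeholder values are
# marked <...>; userAssignedIdentityID is the *client* id of the user-assigned
# managed identity the CSI driver authenticates to Key Vault as.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kv-demo            # referenced by the pod's volume below
  namespace: default
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"      # AAD Pod Identity is deprecated
    useVMManagedIdentity: "true" # authenticate with a user-assigned identity
    userAssignedIdentityID: "<identity-client-id>"
    keyvaultName: "<key-vault-name>"
    tenantId: "<tenant-id>"
    objects: |
      array:
        - |
          objectName: db-password   # name of the secret in Key Vault
          objectType: secret        # secret | key | cert
          objectVersion: ""         # empty string = latest version
---
# pod.yaml: mounts the objects above as read-only files under /mnt/secrets-store.
apiVersion: v1
kind: Pod
metadata:
  name: kv-demo-pod
  namespace: default
spec:
  containers:
    - name: app
      image: registry.k8s.io/e2e-test-images/busybox:1.29-4
      command: ["/bin/sleep", "3600"]
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets-store
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: azure-kv-demo
```

Apply both with kubectl apply and read the mounted value with kubectl exec kv-demo-pod -- cat /mnt/secrets-store/db-password. The identity named in userAssignedIdentityID needs only Get permission on secrets in the vault, and because the volume is mounted directly into the pod the value is never written to etcd unless you additionally configure the driver to sync it into a Kubernetes Secret.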
Creating a Push
Creating a Push involves several steps, depending on the type of secret or key you're working with.
You can push secrets to Azure Key Vault into the different secret, key, and certificate APIs.
To push a secret, you don't need any previous setup, as the secret is already available in Kubernetes. Simply refer to it in a PushSecret object to have it created on Azure Key Vault.
To create a PushSecret targeting keys, you need to grant CreateSecret and DeleteSecret actions to the Service Principal/Identity configured on the SecretStore.
First, generate a valid private key in a supported PEM format (a PRIVATE KEY, RSA PRIVATE KEY, or EC PRIVATE KEY block).
To push a key, create a PushSecret manifest with the correct configuration.
You'll also need to grant ImportKey and DeleteKey actions to the Service Principal/Identity configured on the SecretStore.
With these steps, you can successfully create a PushSecret and have your secrets and keys securely stored in Azure Key Vault.
Authentication and Authorization
Authentication with Azure Key Vault uses Microsoft Entra identities, either as Workload Identity or as AAD Pod Identity; Workload Identity is the recommended option because AAD Pod Identity is deprecated.
To authenticate with Workload Identity, you first create a Kubernetes Service Account; the procedure for doing so is documented separately and is not reproduced here, but it is a required step.
To grant the necessary permissions, you add a Key Vault access policy that gives the identity "Get over secret and certificate permissions".
In summary, the steps to grant the operator access are:
- Create a Kubernetes Service Account.
- Add a Key Vault access policy granting that identity Get on secrets and certificates.
These give the operator the permissions it needs to authenticate with Azure Key Vault.
Authentication
Authentication is a crucial step in securing your application. Microsoft Entra identities can be used for authentication, specifically as Workload Identity or AAD Pod Identity.
For Workload Identity, the minimum required permissions are "Get over secret and certificate permissions", granted by adding a Key Vault access policy for the identity bound to the Kubernetes Service Account you created.
Service Principal key authentication is another option: you create a service principal with a client secret (or client certificate) and store its credentials in a Kubernetes Secret (Kind=Secret), configuring ClientID and either ClientSecret or ClientCertificate in that secret.
To use Service Principal key authentication, the service principal must have the necessary access rights on the key vault that the operator will manage.
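The two authentication options above, as an added example that is not the page's own manifest nor the External Secrets project's documentation. It assumes the operator is installed in the external-secrets namespace and uses the apiVersions under which External Secrets shipped SecretStore as v1beta1 (adjust to your installed version); the client ids, tenant id, vault name and the secret name azure-sp-credentials are placeholders:

```yaml
# Added example (not the page's or the External Secrets project's own files).
# Placeholders are marked <...>.

# 1. Kubernetes Service Account bound to a Microsoft Entra workload identity.
#    The identity's federated credential must name this namespace/account.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: eso-workload-identity
  namespace: external-secrets
  annotations:
    azure.workload.identity/client-id: "<identity-client-id>"
---
# 2. SecretStore using Workload Identity (recommended; AAD Pod Identity is deprecated).
#    The identity needs Get on secrets and certificates via a Key Vault access policy.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: azure-kv-wi
  namespace: external-secrets
spec:
  provider:
    azurekv:
      authType: WorkloadIdentity
      vaultUrl: "https://<key-vault-name>.vault.azure.net"
      serviceAccountRef:
        name: eso-workload-identity
---
# 3. Alternative: Service Principal key authentication. ClientID and
#    ClientSecret live in a Kind=Secret that the SecretStore references.
apiVersion: v1
kind: Secret
metadata:
  name: azure-sp-credentials
  namespace: external-secrets
type: Opaque
stringData:
  ClientID: "<service-principal-app-id>"
  ClientSecret: "<service-principal-client-secret>"
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: azure-kv-sp
  namespace: external-secrets
spec:
  provider:
    azurekv:
      authType: ServicePrincipal
      tenantId: "<tenant-id>"
      vaultUrl: "https://<key-vault-name>.vault.azure.net"
      authSecretRef:
        clientId:
          name: azure-sp-credentials
          key: ClientID
        clientSecret:
          name: azure-sp-credentials
          key: ClientSecret
```

With the Workload Identity store no long-lived credential exists in the cluster at all; with the Service Principal store the client secret sits in etcd as a Kubernetes Secret, so it should be rotated on a schedule and its read access restricted to the operator's namespace.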
Accessing AKS
Accessing Key Vault from AKS needs a little more setup than from a VM, but the model is the same.
Workloads today commonly run as containers in Azure AKS clusters.
To access secrets from AKS, you use the same method you used to access them from a VM, but this time the request and the identity come from within the AKS cluster.
Pushing and Accessing Secrets
You can push secrets to Azure Key Vault using the PushSecret object, which requires no previous setup beyond an existing Kubernetes Secret to push.
To create a PushSecret targeting keys, you need to grant the Service Principal/Identity configured on the SecretStore the CreateSecret and DeleteSecret actions.
Pushing to a Key requires generating a valid private key in a supported PEM format (a PRIVATE KEY, RSA PRIVATE KEY, or EC PRIVATE KEY block).
To create a PushSecret targeting keys, you also need to grant the Service Principal/Identity configured on the SecretStore the ImportKey and DeleteKey actions.
Accessing secrets from a virtual machine follows the steps outlined in the Azure documentation.
Accessing secrets from an AKS cluster works the same way, but from inside the cluster, using the container-native integrations described above (the Secrets Store CSI Driver or a SecretStore).
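The PushSecret flow described in "Creating a Push" and again in this section, as an added example that is not the page's own manifest nor the External Secrets project's documentation. It assumes a SecretStore named azure-kv-wi already exists in the external-secrets namespace, uses the apiVersion under which External Secrets shipped PushSecret as v1alpha1 (adjust to your installed version), and the source Secret app-material with its constructed sample values is made up for the example; the "key/" prefix on remoteKey selecting the key API follows the External Secrets Azure provider convention and should be checked against your version's docs:

```yaml
# Added example (not the page's or the External Secrets project's own manifests).
# Assumes a SecretStore named azure-kv-wi exists in this namespace.

# Source material: a plain Kubernetes Secret holding an API key and a PEM
# private key. Both values are constructed placeholders, not real credentials.
apiVersion: v1
kind: Secret
metadata:
  name: app-material
  namespace: external-secrets
type: Opaque
stringData:
  api-key: "constructed-sample-api-key-not-real"
  signing-key: |
    -----BEGIN EC PRIVATE KEY-----
    <base64 key body placeholder>
    -----END EC PRIVATE KEY-----
---
# Push the api-key entry into Key Vault's *secret* API. The store's identity
# needs the secret create/delete actions the text lists; nothing else is set up.
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: push-api-key
  namespace: external-secrets
spec:
  refreshInterval: 1h
  deletionPolicy: Delete        # remove the vault object when this PushSecret is deleted
  secretStoreRefs:
    - name: azure-kv-wi
      kind: SecretStore
  selector:
    secret:
      name: app-material
  data:
    - match:
        secretKey: api-key
        remoteRef:
          remoteKey: app-api-key    # no prefix: stored as a Key Vault secret
---
# Push the PEM private key into Key Vault's *key* API. The store's identity
# needs the ImportKey and DeleteKey actions. The "key/" prefix selects the key
# API (assumed External Secrets Azure provider convention).
apiVersion: external-secrets.io/v1alpha1
kind: PushSecret
metadata:
  name: push-signing-key
  namespace: external-secrets
spec:
  refreshInterval: 1h
  deletionPolicy: Delete
  secretStoreRefs:
    - name: azure-kv-wi
      kind: SecretStore
  selector:
    secret:
      name: app-material
  data:
    - match:
        secretKey: signing-key
        remoteRef:
          remoteKey: key/app-signing-key
```

After kubectl apply, the PushSecret status conditions report whether each push succeeded; a failure on the second object is most often the identity lacking ImportKey, or the PEM block not being one of the supported formats the text lists. Once the key has been imported, the private material should be removed from the Kubernetes Secret so the vault is its only home.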
Azure Key Vault Configuration
Azure Key Vault Configuration is a crucial step in managing your cryptographic assets securely.
To start, you'll want to use Azure Key Vault for secure storage and management of your cryptographic keys, secrets, and certificates. This ensures that sensitive data is protected from unauthorized access, theft, or misuse.
You can generate, store, and manage the cryptographic keys used for encrypting and decrypting data through the Azure portal, PowerShell, or the Azure CLI.
Secrets management is another key feature of Azure Key Vault, enabling you to securely store and manage application secrets, such as passwords, connection strings, and API keys. These secrets can be accessed by authorized applications and services without exposing them to unauthorized users.
To manage access to your cryptographic assets, Azure Key Vault provides a range of access control features, including role-based access control (RBAC) and logging of all operations performed on cryptographic assets.
Here's a summary of the best practices for using Azure Key Vault:
Best Practices and Security
Use Azure Key Vault for Secrets Management to store and manage secrets, such as connection strings, API keys, and passwords. This helps keep sensitive data protected from unauthorized access.
Managed Identity is a better option than using a shared access signature (SAS) token or key to authenticate to Azure Key Vault. This provides an additional layer of security.
Access Policies should be used to control access to your keys and secrets, allowing you to assign access to individual users or groups of users. This is crucial for maintaining the security of your system.
Rotate your cryptographic keys and secrets regularly to maintain the security of your system. This is a critical best practice that should be followed.
Enable Auditing to track who has accessed your keys and secrets. This provides a comprehensive audit trail for compliance and security purposes.
To enable Auditing, log in to the Azure portal, navigate to your Key Vault, and click on the “Monitoring” tab. This will allow you to view all operations performed on your keys and secrets.
Here are some additional security features to consider:
- Enable Soft Delete to recover deleted keys and secrets within a specified time frame.
- Use Encryption to protect data in transit and at rest.
Frequently Asked Questions
Why is it better to save secrets in Azure Key Vault?
Saving secrets in Azure Key Vault reduces the risk of accidental leaks and eliminates the need for developers to store sensitive information in their applications. This centralized approach provides a secure and controlled way to manage sensitive data.
Sources
- https://external-secrets.io/latest/provider/azure-key-vault/
- https://blog.gitguardian.com/how-to-handle-secrets-with-azure-key-vault/
- https://k21academy.com/microsoft-azure/az-500/azure-key-vault-components-features-and-implementation/
- https://www.manageengine.com/key-manager/help/azure-key-vault-integration.html
- https://learn.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates