Azure's key management services (Azure Key Vault and its HSM-backed siblings, referred to here as Azure KMS) provide a centralized and secure way to manage the encryption keys used by Azure services such as Azure Storage. Keeping keys in a dedicated, access-controlled and audited service rather than next to the data they protect is what keeps sensitive data away from unauthorized access.
With Azure KMS, you can create, import, and manage encryption keys, and rotate them on a schedule. Rotation does not stop a key from being compromised, but it limits how much data any single key version protects and how long a leaked version stays useful, which is why regular rotation is a best practice.
Azure KMS supports multiple key types. Azure Key Vault holds RSA and elliptic-curve (EC) asymmetric keys, and symmetric AES keys are available in Azure Managed HSM. Symmetric keys are used for bulk encryption and decryption, while asymmetric keys are used to wrap (encrypt) data keys, to sign and verify, and to authenticate, for example as TLS certificate keys.
Azure KMS integrates seamlessly with Azure services, making it easy to manage encryption keys for your cloud resources.
Azure KMS Management
Azure Key Vault is a Key Management System (KMS) that protects keys at rest with a Hardware Security Module (HSM). Keys created in or imported into the vault cannot be exported in plaintext, every operation on them is authorized through Azure RBAC (or legacy access policies) and recorded in the vault's diagnostic logs, so a party who obtains a copy of your data does not thereby obtain the key that decrypts it.
Azure offers several options for storing and managing your keys in the cloud, including Azure Key Vault, Azure Managed HSM, Azure Dedicated HSM, and Azure Payment HSM. Each option has its own FIPS compliance level, management overhead, and intended applications.
You have two options when creating a key in Azure Key Vault: software-protected and HSM-protected keys (the latter require the Premium tier and appear as key types RSA-HSM and EC-HSM). Both are protected at rest by the HSM, but the difference lies in where the cryptographic operations are executed: software-protected keys are used in software on Azure compute, while HSM-protected keys are generated inside the HSM and never leave its boundary, so every operation with them runs within the HSM.
Here are some key benefits of using Azure Key Vault:
- Securely stores keys in an HSM at rest
- Provides two options for key creation: software-protected and HSM-protected keys
- Executes cryptographic operations in an HSM for HSM-protected keys
- Uses nCipher nShield HSMs for secure key storage and operations
Thales offers encryption and centralized key management products that can be used alongside Azure Key Vault. The vendor lists features such as data mobility, secure key management, and attack detection.
Where an Azure service cannot use encryption you bring yourself, you can still control its keys externally: the CipherTrust Cloud Key Manager manages keys outside Azure and supplies them to Key Vault through Azure's Bring Your Own Key (BYOK) APIs. Thales positions this as reducing key management complexity and operational costs.
Pricing
Azure Key Vault Standard and Premium tiers are billed on a transactional basis, with an additional monthly per-key charge for premium hardware-backed keys.
The transactional billing model means you pay only for the operations you perform, which makes it cost-effective for many users and suits businesses with fluctuating workloads.
An additional monthly per-key charge applies to Premium hardware-backed keys, which can add up quickly if you have a large number of keys. You can find more information on pricing for these keys on the Key Vault pricing page.
Managed HSM, Dedicated HSM, and Payment HSM are billed at a fixed hourly rate rather than on a transactional basis. This means you'll pay the same amount every hour regardless of usage, so size and count these instances deliberately.
For detailed pricing information, including hourly rates for Managed HSM, Dedicated HSM, and Payment HSM, check the Key Vault pricing, Dedicated HSM pricing, and Payment HSM pricing pages.
Azure KMS Encryption
Azure Key Vault and Azure Managed HSM integrate with Azure services and with Microsoft 365 for customer-managed keys (CMK), enabling encryption at rest of the data stored in those services under a key that you control.
You can choose from several key management solutions: Azure Key Vault, Azure Managed HSM, Azure Dedicated HSM, and Azure Payment HSM. Each has its own strengths and weaknesses (FIPS level, management overhead, cost, and which services integrate with it), so select the one that fits your requirements.
With CMK the service still performs the encryption itself, but the root key lives in your vault or HSM: you can audit every use of it, rotate it, and revoke the service's access to it, at which point the data becomes unreadable to the service.
To encrypt data with Azure Key Vault you use RSA keys for asymmetric encryption (the vault offers RSA-OAEP and RSA-OAEP-256; RSA1_5 is also available for compatibility but should be avoided for new designs). Every call to the vault is a network round trip that counts against its request limits, so for performance you can fetch the public key once and encrypt locally; only decryption, which needs the private key, has to go to the vault. Note that RSA can only encrypt a payload smaller than the key modulus (190 bytes with OAEP-SHA256 and a 2048-bit key), so in practice you encrypt the data with a fresh symmetric key and use the RSA key to wrap that symmetric key (envelope encryption).
Here are the steps to encrypt data with Azure Key Vault:
- The frontend application sends data to the backend application.
- The backend application gets the public key, together with its key id and version, from Azure Key Vault and caches it.
- The backend application uses the public key to encrypt the data locally (or, for anything larger than a few hundred bytes, to wrap a per-record symmetric key that encrypts the data).
- Store the encrypted data securely along with the id and version of the key that encrypted it.
- To read the data back, send the ciphertext (or the wrapped symmetric key) to the Key Vault decrypt operation for exactly that key version; the private key never leaves the vault.
Azure Key Vault also supports key rotation, which is an industry-standard practice for keeping your data safe. You can define a rotation policy per key, which automatically creates a new key version a set time after creation or a set time before the key expires, while earlier versions remain in the vault.
Thales lists the following benefits of using its CipherTrust platform together with Azure Key Vault:
- Avoid cloud vendor encryption lock-in and ensure data mobility.
- Take secure advantage of Azure Key Vault with a centralized key management solution.
- Identify attacks faster with data access logging to industry-leading SIEM applications.
- Reduce or eliminate risks arising from compromised credentials with advanced encryption.
- Architect applications for the cloud with built-in security using vaultless tokenization with dynamic data masking.
Azure KMS Security and Safety
Azure Key Vault supports automatic key rotation: a rotation policy creates a new version of the key after a specified time (or a set period before expiry), and the earlier versions stay in the vault.
Rotation is only safe because those earlier versions remain available. Data can be decrypted only by the version that encrypted it, so if a version is deleted or purged before every client has re-encrypted under the new one, the data it protected becomes inaccessible. Enable soft-delete and purge protection on the vault so that cannot happen by accident.
Azure Key Vault publishes a Microsoft.KeyVault.KeyNewVersionCreated event to Azure Event Grid when a new version is created, allowing clients to subscribe to these events and re-encrypt (or re-wrap) their data with the latest key version.
Data Safety
Rotating a key does not, by itself, change any ciphertext. After the expiration time the vault creates a new version of the key and keeps the old versions available; everything already encrypted still depends on the version that produced it.
That is why a client of a rotated key must record which version it used. If that version is deleted, there is no way of decrypting the data. Preferably, clients of a rotated key re-encrypt the data with the latest key version, and only disable or purge the old version once no stored record still references it.
Because Azure Key Vault sends a message to Event Grid when a key is rotated (the KeyNewVersionCreated event), clients can subscribe to those messages and use them to trigger that re-encryption instead of polling the vault.
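The Event Grid side of the re-encryption loop described above and in the Security and Safety section, as an added example in Go that is not code from the page's sources or from the Azure SDK. The batch body is constructed in the shape of the documented Event Grid schema for Key Vault events; the vault name, key name, versions and record ids are illustrative, and the handler also answers the subscription-validation handshake Event Grid performs before it delivers anything.

```go
// Added example, not from the page or the Azure SDK: handle the Event Grid
// notification that Key Vault raises when a key gets a new version, and work
// out which stored records must be re-encrypted. Sample data is constructed.
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event is the Event Grid envelope; data stays raw because its shape depends
// on eventType.
type Event struct {
	Subject   string          `json:"subject"`
	EventType string          `json:"eventType"`
	Data      json.RawMessage `json:"data"`
}

// keyEventData is the payload of Microsoft.KeyVault.Key* events.
type keyEventData struct {
	ID         string `json:"Id"` // https://<vault>.vault.azure.net/keys/<name>/<version>
	VaultName  string `json:"VaultName"`
	ObjectType string `json:"ObjectType"`
	ObjectName string `json:"ObjectName"`
	Version    string `json:"Version"`
}

// StoredRecord is the metadata an application keeps next to each ciphertext.
type StoredRecord struct {
	ID, KeyID, KeyVersion string
}

// Outcome says what the webhook must do with one delivery.
type Outcome struct {
	ValidationResponse string   // non-empty only for the endpoint handshake
	NewVersion         string   // version announced by the rotation event
	RewrapIDs          []string // records still on an older version of that key
}

// HandleBatch processes one Event Grid delivery, which is always a JSON array.
func HandleBatch(body []byte, records []StoredRecord) (Outcome, error) {
	var events []Event
	if err := json.Unmarshal(body, &events); err != nil {
		return Outcome{}, err
	}
	var out Outcome
	for _, ev := range events {
		switch ev.EventType {
		case "Microsoft.EventGrid.SubscriptionValidationEvent":
			// The subscription is never activated unless the code is echoed back.
			var d struct {
				ValidationCode string `json:"validationCode"`
			}
			if err := json.Unmarshal(ev.Data, &d); err != nil {
				return out, err
			}
			out.ValidationResponse = d.ValidationCode
		case "Microsoft.KeyVault.KeyNewVersionCreated":
			var d keyEventData
			if err := json.Unmarshal(ev.Data, &d); err != nil {
				return out, err
			}
			if d.ObjectType != "Key" {
				continue
			}
			// Records store the versionless key id; Id in the event carries the version.
			keyID := strings.TrimSuffix(d.ID, "/"+d.Version)
			out.NewVersion = d.Version
			for _, r := range records {
				if r.KeyID == keyID && r.KeyVersion != d.Version {
					out.RewrapIDs = append(out.RewrapIDs, r.ID)
				}
			}
		}
		// KeyNearExpiry, KeyExpired and Secret*/Certificate* events are ignored here.
	}
	return out, nil
}

// ValidationReply builds the body returned for the handshake event.
func ValidationReply(code string) ([]byte, error) {
	return json.Marshal(map[string]string{"validationResponse": code})
}

// Constructed delivery: one rotation event for key "app-key" in vault "myvault".
const sampleBatch = `[{
  "id": "00000000-0000-0000-0000-000000000001",
  "topic": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.KeyVault/vaults/myvault",
  "subject": "app-key",
  "eventType": "Microsoft.KeyVault.KeyNewVersionCreated",
  "eventTime": "2023-01-18T10:00:00.000Z",
  "data": {
    "Id": "https://myvault.vault.azure.net/keys/app-key/b2c4e6f8a0b2c4e6f8a0b2c4e6f8a0b2",
    "VaultName": "myvault",
    "ObjectType": "Key",
    "ObjectName": "app-key",
    "Version": "b2c4e6f8a0b2c4e6f8a0b2c4e6f8a0b2",
    "NBF": "1674036000",
    "EXP": "1705572000"
  },
  "dataVersion": "1",
  "metadataVersion": "1"
}]`

// Constructed records: rec-1 is on an old version, rec-2 is already current,
// rec-3 belongs to a different key and must not be touched.
var sampleRecords = []StoredRecord{
	{ID: "rec-1", KeyID: "https://myvault.vault.azure.net/keys/app-key", KeyVersion: "a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1"},
	{ID: "rec-2", KeyID: "https://myvault.vault.azure.net/keys/app-key", KeyVersion: "b2c4e6f8a0b2c4e6f8a0b2c4e6f8a0b2"},
	{ID: "rec-3", KeyID: "https://myvault.vault.azure.net/keys/other-key", KeyVersion: "a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1"},
}

func main() {
	out, err := HandleBatch([]byte(sampleBatch), sampleRecords)
	fmt.Printf("%+v err=%v\n", out, err)
}
```

Do the actual re-encryption outside the webhook: Event Grid retries deliveries that do not get a prompt 2xx, so the handler should only enqueue the record ids it returns and let a worker re-wrap them. Keep the old key version enabled until that queue is empty.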
To encrypt data, Azure Key Vault uses RSA keys for asymmetric encryption. A client can encrypt data locally using the public key from Key Vault, but decryption needs the private key, which never leaves Azure: the client sends the ciphertext to the vault's decrypt operation and names the key version it stored alongside the data.
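The encryption steps above and the rotation behaviour described in the Security and Safety section, together as an added example in Go (not code from the page's sources or from the Azure SDK). The Vault type is an offline stand-in for Azure Key Vault: it holds the private half of every key version and exposes only PublicKey (the "get the public key" step) and Decrypt (the vault's decrypt operation), so nothing here talks to Azure; in production those two calls are the Key Vault REST operations. The key id and version strings are illustrative.

```go
// Added example, not from the page or the Azure SDK: envelope encryption under
// a versioned RSA key. Vault stands in for Key Vault and keeps every version.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Record is what the backend persists: ciphertext plus the key id and version
// that wrapped its data encryption key (DEK).
type Record struct {
	KeyID, KeyVersion string
	WrappedDEK        []byte // 32-byte AES key, RSA-OAEP-SHA256 under the vault key
	Nonce, Ciphertext []byte // AES-256-GCM, AAD = KeyID + "/" + KeyVersion
}

// Vault keeps every key version so records written under older versions stay
// decryptable after rotation; private keys never leave it.
type Vault struct {
	KeyID    string
	versions map[string]*rsa.PrivateKey
	latest   string
}

func NewVault(keyID string) *Vault {
	return &Vault{KeyID: keyID, versions: map[string]*rsa.PrivateKey{}}
}

// Rotate creates a new version and makes it current (real versions are
// 32-hex-character ids; v1, v2, ... is used here for readability).
func (v *Vault) Rotate() (string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	v.latest = fmt.Sprintf("v%d", len(v.versions)+1)
	v.versions[v.latest] = priv
	return v.latest, nil
}

// PublicKey is all a client needs in order to encrypt.
func (v *Vault) PublicKey() (string, *rsa.PublicKey) {
	return v.latest, &v.versions[v.latest].PublicKey
}

// Decrypt is the vault-side unwrap; a purged version cannot be recovered.
func (v *Vault) Decrypt(version string, wrapped []byte) ([]byte, error) {
	priv, ok := v.versions[version]
	if !ok {
		return nil, fmt.Errorf("key version %q not found: ciphertext is unrecoverable", version)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

func aad(keyID, version string) []byte { return []byte(keyID + "/" + version) }

func gcmFor(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt runs on the backend with only the public key: fresh DEK, AES-GCM over
// the payload, DEK wrapped with RSA-OAEP-SHA256. Key id and version go into the
// AAD so a record whose metadata was swapped fails to authenticate.
func Encrypt(keyID, version string, pub *rsa.PublicKey, plaintext []byte) (*Record, error) {
	buf := make([]byte, 32+12) // DEK || GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dek, nonce := buf[:32], buf[32:]
	gcm, err := gcmFor(dek)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, aad(keyID, version))
	return &Record{KeyID: keyID, KeyVersion: version, WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK through the vault, using the version in the record.
func Decrypt(v *Vault, r *Record) ([]byte, error) {
	dek, err := v.Decrypt(r.KeyVersion, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, aad(r.KeyID, r.KeyVersion))
}

// Rewrap re-encrypts a record under the current version; this is what a client
// does when it learns that the key was rotated.
func Rewrap(v *Vault, r *Record) (*Record, error) {
	pt, err := Decrypt(v, r)
	if err != nil {
		return nil, err
	}
	ver, pub := v.PublicKey()
	return Encrypt(v.KeyID, ver, pub, pt)
}

func main() {
	v := NewVault("https://myvault.vault.azure.net/keys/app-key") // illustrative id
	v.Rotate()
	ver, pub := v.PublicKey()
	rec, _ := Encrypt(v.KeyID, ver, pub, []byte("mydata"))
	v.Rotate() // v2 becomes current; v1 is kept, so rec still decrypts
	pt, err := Decrypt(v, rec)
	fmt.Printf("record under %s decrypts to %q (err=%v)\n", rec.KeyVersion, pt, err)
	rec2, _ := Rewrap(v, rec)
	fmt.Println("rewrapped to", rec2.KeyVersion)
}
```

Two things the example makes concrete: the only state the vault side needs for decryption is the version named in the record, which is why that version must be stored with the ciphertext and must not be purged while records reference it; and the backend never sees a private key, so compromising the backend exposes at most the data it is actively processing, not the ability to decrypt the store offline.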
Validated
Once the Azure KMS provider for Kubernetes (the kubernetes-kms plugin) is running in your cluster and the API server's EncryptionConfiguration points at it, the API server encrypts Secrets before writing them to etcd, using a data key that the plugin wraps with a key in Azure Key Vault. Let's verify that it is working.
To verify that data is encrypted, create a new Secret with kubectl and then read its raw value from etcd with etcdctl. With KMS v1 the stored value is prefixed with k8s:enc:kms:v1:azurekmsprovider: (with KMS v2 the prefix is k8s:enc:kms:v2:azurekmsprovider:, and the name after the version is whatever the provider is called in the EncryptionConfiguration), whereas an unencrypted object starts with the protobuf magic k8s followed by a NUL byte.
Then verify the Secret is decrypted transparently when retrieved through the Kubernetes API: the data field should read mykey: bXlkYXRh, which is the base64 encoding of mydata. Remember that objects written before encryption was enabled stay in plaintext until they are rewritten, so after enabling the provider re-save every existing Secret and re-check etcd.
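The manual check above, as an added example in Go (not code from the kubernetes-kms project): a small classifier for the envelope prefix the kube-apiserver writes in front of encrypted objects, which you can point at the bytes etcdctl prints for /registry/secrets/<namespace>/<name>. The sample etcd values are constructed, with placeholder bytes where the real binary payload would be, and the provider name azurekmsprovider is the one used in the text above.

```go
// Added example, not from the kubernetes-kms project: classify raw etcd values
// by the encryption-provider prefix. Sample values are constructed.
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"strings"
)

// EtcdValueInfo describes how a stored object was protected.
type EtcdValueInfo struct {
	Encrypted bool
	Provider  string // kms, aescbc, aesgcm, secretbox
	Version   string // v1 or v2 for kms
	Name      string // provider name from the EncryptionConfiguration
}

// Classify parses "k8s:enc:<provider>:<version>:<name>:<payload>". Anything
// else (notably the plaintext protobuf magic "k8s\x00") is unencrypted.
func Classify(raw []byte) EtcdValueInfo {
	const prefix = "k8s:enc:"
	if !bytes.HasPrefix(raw, []byte(prefix)) {
		return EtcdValueInfo{}
	}
	parts := strings.SplitN(string(raw[len(prefix):]), ":", 4)
	if len(parts) != 4 {
		return EtcdValueInfo{}
	}
	return EtcdValueInfo{Encrypted: true, Provider: parts[0], Version: parts[1], Name: parts[2]}
}

// IsAzureKMS reports whether the value was wrapped by a KMS plugin registered
// under the given provider name; a local aescbc/aesgcm key does not count.
func IsAzureKMS(raw []byte, name string) bool {
	info := Classify(raw)
	return info.Encrypted && info.Provider == "kms" && info.Name == name
}

// DecodeSecretField reverses the base64 the API returns in .data
// (mykey: bXlkYXRh is mydata).
func DecodeSecretField(b64 string) (string, error) {
	b, err := base64.StdEncoding.DecodeString(b64)
	return string(b), err
}

// Constructed sample values; "<payload>" stands in for the binary ciphertext.
var samples = map[string][]byte{
	"kms-v1":    []byte("k8s:enc:kms:v1:azurekmsprovider:\x00\x10<payload>"),
	"kms-v2":    []byte("k8s:enc:kms:v2:azurekmsprovider:\x0a\x20<payload>"),
	"aescbc":    []byte("k8s:enc:aescbc:v1:key1:<payload>"),
	"plaintext": []byte("k8s\x00\x0a\x0c\x0a\x02v1\x12\x06Secret<payload>"),
}

func main() {
	for label, v := range samples {
		fmt.Printf("%-10s %+v\n", label, Classify(v))
	}
}
```

If the value comes back as plaintext for a Secret you just created, the API server is not using the configuration (check the --encryption-provider-config flag and the plugin's socket); if it is encrypted but under aescbc rather than kms, the KMS provider is listed after a local key in the providers array and is not the one being used for writes.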
Here are some Thales solutions validated for use with Microsoft Azure Stack HCI/Hub:
- CipherTrust Cloud Key Manager
- CipherTrust Manager
- CipherTrust Transparent Encryption
- CipherTrust Vaultless Tokenization
Sources
- https://learn.microsoft.com/en-us/azure/security/fundamentals/key-management
- https://www.patrickvankleef.com/2023/01/18/securely-store-secrets-with-sops-and-keyvault
- https://cpl.thalesgroup.com/encryption/microsoft-azure
- https://github.com/Azure/kubernetes-kms
- https://faultbucket.ca/2021/06/azure-kms-and-nsgs/