Azure fundamentals II : Azure Key Vault

Everybody has secrets, from humans to organizations. If you have private keys or passwords that means that you need to protect them.

You can save the secrets in USB Drive which is not really secure (It’s like you tell a secret to your (girl/boy)Friend then you break up). For larger organizations this is not tolerable. You need to use a kind of HSM (Hardware Security Module).

Azure makes a kind of HSM-as-a-service. Azure Key Vault is a service that enables you to store & manage keys and secrets (including Authentication Keys, Storage Account Keys, Certificates and passwords) in one secure vault.

Note : A key can be a private key for a certificate but a secret is a string you’d like to protect, such as a password or an access key for a storage.

Using Key Vault, you will benefit of:

• Availability : You’ll always find your secrets updated;
• Avoid mistakes : Since your secrets expire, you may make mistakes by updating them, especially when you have a lot of environments and secrets.
• Monitoring and log access.

You will also separate the way you manage secrets. Developers will no longer worry about secrets and keys management. The Key Vault may be important for continuous deployment. Developers can use ARM Templates to reference Key Vault without looking for credentials. You should grant the right permission to the user (which can be a service account) to perform the deployment. If you use the Key Vault, the service you develop will not have to handle secrets (BYOK).

Azure key Vault uses a software HSM or a hardware HSM (Thales HSM) depends on tier. The software one is billed as Standard but the hardware one is billed as Premium (Be sure to choose the right SKU) :

This was quick :D

Bella ciao,