Stop storing passwords in documents or code and use Azure Key Vaults already!
We’ve all done it at some point. Open up web.config (or one of its transformation files) and there it is in plain text… the server address, username, and password. There as clear as day, and for the production server too!
Azure Key Vaults (AKV) was created to remedy this all-too-common problem. It gives developers safe, secure storage for three kinds of objects:
- Keys — typically used for things like signing or encryption.
- Secrets — useful for storing name-value pairs, such as a password stored under a descriptive name.
- Certificates — X.509 certificates. In the past I would store these in DropBox.
Secrets
To save our passwords securely, we’ll create a new Secret.
Select ‘Manual’ for the upload option. Type in a Name for the secret and its Value, which will be obscured for now. Don’t worry, we’ll be able to see the actual value later whenever we need it.
Now when we need to retrieve the value later we can click on the secret:
Click the ‘Show secret value’ button and it will show the value in clear text.
Microsoft recommends that you take extra security measures and encrypt any value externally before saving it as a secret, but your needs may vary.
AKV lets you control who has access at the vault level. Permissions are managed the same way as any other Azure resource, using Access Policies.
What does this get you?
What I’ve presented so far is a good substitute for a password manager like LastPass but how do you apply this to an actual Azure website?
Access AKV from code. Of course, this still requires you to store a ClientId and ClientSecret in web.config or in app settings so that the site can authenticate to the vault.
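As an added example that is not part of the original post, here is how a .NET site could read a secret from the vault with the Azure SDK (Azure.Identity and Azure.Security.KeyVault.Secrets), with the ClientId/ClientSecret coming from app settings as described above; the vault URL, app-setting key names and secret name are assumptions.

```csharp
// Added example (not from the original post): read a secret from Azure Key Vault
// using the Azure.Identity and Azure.Security.KeyVault.Secrets NuGet packages.
// The vault URL, app-setting key names and secret name are assumptions.
using System;
using System.Configuration;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class VaultSecrets
{
    // Service-principal credentials read from web.config <appSettings> (or the site's
    // App Settings). This is the trade-off the text describes: the vault holds the real
    // passwords, but the ClientId/ClientSecret that unlock it still live in config.
    public static SecretClient CreateClientWithServicePrincipal()
    {
        var vaultUri = new Uri(ConfigurationManager.AppSettings["KeyVault:Uri"]); // e.g. https://<vault-name>.vault.azure.net/
        var tenantId = ConfigurationManager.AppSettings["KeyVault:TenantId"];
        var clientId = ConfigurationManager.AppSettings["KeyVault:ClientId"];
        var clientSecret = ConfigurationManager.AppSettings["KeyVault:ClientSecret"];
        return new SecretClient(vaultUri, new ClientSecretCredential(tenantId, clientId, clientSecret));
    }

    // When the site runs in Azure with a managed identity, DefaultAzureCredential picks
    // that identity up at runtime, so no ClientSecret has to be stored in config at all.
    public static SecretClient CreateClientWithManagedIdentity(Uri vaultUri)
    {
        return new SecretClient(vaultUri, new DefaultAzureCredential());
    }

    // Fetch the production DB password. The secret name "ProdDbPassword" is assumed.
    public static string GetDbPassword(SecretClient client)
    {
        try
        {
            KeyVaultSecret secret = client.GetSecret("ProdDbPassword");
            return secret.Value;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // The calling identity lacks the 'Get' secret permission in the vault's access policy.
            throw new InvalidOperationException("Vault access policy does not allow reading this secret.", ex);
        }
    }
}
```

Grant the service principal (or managed identity) only the secret permissions it needs in the vault's access policy; a 403 here means that grant is missing.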
Alternatively, I’ve also used App Settings for a website to store environment-specific passwords. It’s the same as storing it in web.config, except it isn’t checked into source control and the only people that can see it are those with access to the resource.
A downside is that the website could easily be deleted when it’s no longer in use, and then the password is lost forever. That’s why storing it in AKV is so crucial. It’s centralized, secure password management that costs pretty much nothing.
TL;DR
Create a vault in Azure Key Vaults, then use Secrets to store passwords and Certificates to store SSL certs. Manage access using policies.