This is a presentation I held at a local Azure user group. The session abstract: Azure Key Vault is a tool for securely storing and accessing secrets. We will go through a popular Azure PaaS architecture pattern using Key Vault to store a password. I will demo and walk through the general configuration of a dedicated Azure Function app, Azure SQL and Key Vault that was deployed with automation. I will then go through fairly advanced techniques and best practices on how to deploy Azure Key Vault and a password secret with ARM templates. Finally, a very brief look at my Azure DevOps Pipeline to deploy the ARM template. You will come away with an understanding of an applied use case of leveraging Azure Key Vault for a PaaS solution in better managing a password secret.
Azure Key Vault with a PaaS Architecture and ARM Template Deployment
1. Azure Key Vault and Automated Deployment
Toronto Azure Group
June 11, 2019
Roy Kim
@RoyKimYYZ
roy@roykim.ca
2. Agenda
By: Roy Kim roykim.ca
1. Azure Key Vault Overview
2. PaaS Architecture Pattern with Key Vault
3. ARM Template Techniques
4. Azure DevOps Pipeline
3. Bio
Roy Kim
16+ Years of Microsoft Technology Solutions
Azure, SharePoint, Office 365
Microsoft MVP
Independent/Freelance IT Consultant
Blog: www.roykim.ca
github.com/roykimyyz
University of Toronto – Computer Science
4. Grass Roots Development Story
Once upon a time ..
there was an app development team …
[Diagram: Dev/UAT/Prod environments on a physical server. Labels: Password, Config File, Database, Configuration Settings, SSL Certificate (pfx), Web App Server, File server, Source Control, Application Code, Developers, IT Ops, Enterprise Architect, Info Security Architect, Deploy to Dev / UAT / Prod, Stored.]
How to isolate storage of the secret or certificate from code and source control?
How to isolate role based access to the secret or certificate?
How to integrate the access and use of keys from the application or CI/CD pipelines?
How to audit and view history of the access?
How to consolidate/centralize/streamline management?
How to automate deployment for reusable architecture patterns or models?
5. Key Vault
Secrets Management - Securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
Key Management - Easy to create and control the encryption keys used to encrypt your data.
Certificate Management - Easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources.
Store secrets backed by Hardware Security Modules - The secrets and keys can be protected either by software or by FIPS 140-2 Level 2 validated HSMs.
A hardware security module is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server. - Wikipedia
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview
6. Key Vault
Centralize application secrets
Securely store secrets and keys
Monitor access and use
Simplified administration of application secrets
Integrate with other Azure services
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-overview
7. Azure Key Vault & PaaS Architecture Pattern
[Architecture diagram; label: ARM Template]
9. Key Vault Secrets
Store and manage tokens, passwords, certificates (e.g. pfx), API keys, and other secrets.
[Screenshot: Secret Value; Secret Name: LOBWebAppSecret]
10. Key Vault Secrets – Use Cases
Database connection string password
Passwords or any other secret string in an application configuration file.
E.g. Twitter, Google Maps API Key
Azure storage account keys
Leveraging the Azure SDK in your application code or scripts to access Key Vault
11. Key Vault Certificates
Provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources.
12. Key Vault Key
Cryptographic operations may be performed using the key:
Sign and Verify: Strictly, this operation is "sign hash" or "verify hash", as Key Vault doesn't
support hashing of content as part of signature creation. Applications should hash the data to be
signed locally, then request that Key Vault sign the hash. Verification of signed hashes is
supported as a convenience operation for applications that may not have access to [public] key
material.
https://en.wikipedia.org/wiki/Digital_signature
13. Key Vault Key
Key Encryption / Wrapping: A key stored in Key Vault may be used to protect another key, typically a symmetric content encryption key (CEK).
When the key in Key Vault is asymmetric, key encryption is used. For example, RSA-OAEP and the WRAPKEY/UNWRAPKEY operations are equivalent to ENCRYPT/DECRYPT.
When the key in Key Vault is symmetric, key wrapping is used. For example, AES-KW. The WRAPKEY operation is supported as a convenience for applications that may not have access to [public] key material.
Encrypt and Decrypt: A key stored in Key Vault may be used to encrypt or decrypt a single block of data. The size of the block is determined by the key type and selected encryption algorithm. The Encrypt operation is provided for convenience, for applications that may not have access to [public] key material. For best application performance, encrypt operations should be performed locally.
15. Key Vault Key - Use Cases
For storage account encryption, use your own key.
16. Key Vault Key - Use Cases
TDE with customer-managed keys in Azure Key Vault allows you to encrypt the Database Encryption Key (DEK) with a customer-managed asymmetric key called the TDE Protector, aka BYOK – “bring your own key”.
In the BYOK scenario, the TDE Protector is stored in a customer-owned and managed Azure Key Vault, Azure’s cloud-based external key management system.
17. Key Vault Access Policies
Key Vault access policies grant permissions separately to keys, secrets, or certificates.
For Resource Manager to access the secrets inside this Key Vault during a template deployment, enabledForTemplateDeployment must be true.
[Screenshot: Access Policies]
18. What are ARM Templates?
Infrastructure-as-code
A JavaScript Object Notation (JSON) file that defines one or more resources to deploy to a resource group or subscription. The template can be used to deploy the resources consistently and repeatedly.
Azure Resource Manager
The deployment and management service for Azure. It provides a consistent management layer that enables you to create, update, and delete resources in your Azure subscription.
19. Why ARM Templates?
Preferred deployment method for Azure resources
Fast - Parallel deployment of resources
Audit deployment operations
Idempotent - applying one or more operations against a resource results in the same outcome.
Cloud consistency across Azure, Azure Stack, Azure Gov
20. Some Benefits
Resource Manager provides several benefits:
• Deploy, manage, and monitor all the resources for your solution as a group, rather than handling these resources individually.
• Repeatedly deploy your solution throughout the development lifecycle and have confidence your resources are deployed in a consistent state.
• Manage your infrastructure through declarative templates rather than scripts.
• Define the dependencies between resources so they're deployed in the correct order.
• Apply access control to all services in your resource group because Role-Based Access Control (RBAC) is natively integrated into the management platform.
• Apply tags to resources to logically organize all the resources in your subscription.
• Clarify your organization's billing by viewing costs for a group of resources sharing the same tag.
21. The ARM Template Design
Main Template: azuredeploy-app-main.json (with Parameters), linking to keyvault.json, AppServicePlan.json, sqlserver.json and website.json
Credits: Some Icon made by SmashIcons from www.flaticon.com
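To show how the main template hands the stored password to the linked sqlserver.json without the value ever appearing in the template or parameter file, here is an added example (not the deck's azuredeploy-app-main.json) of the linked-deployment resource using a Key Vault reference. Assumed names: a sibling deployment resource called keyvaultDeployment, main-template parameters templateBaseUri, sqlServerName and keyVaultName, and an administratorLoginPassword securestring parameter in sqlserver.json.

```json
{
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2018-05-01",
  "name": "sqlserverDeployment",
  "dependsOn": [ "keyvaultDeployment" ],
  "properties": {
    "mode": "Incremental",
    "templateLink": {
      "uri": "[uri(parameters('templateBaseUri'), 'sqlserver.json')]",
      "contentVersion": "1.0.0.0"
    },
    "parameters": {
      "sqlServerName": { "value": "[parameters('sqlServerName')]" },
      "administratorLoginPassword": {
        "reference": {
          "keyVault": {
            "id": "[resourceId(subscription().subscriptionId, resourceGroup().name, 'Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
          },
          "secretName": "LOBWebAppSecret"
        }
      }
    }
  }
}
```

A Key Vault reference is only honoured in a parameter file or in the parameters of a linked/nested deployment like this one, never inline in a resource property, and it requires both enabledForTemplateDeployment on the vault and the Microsoft.KeyVault/vaults/deploy/action permission for the identity running the deployment.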
29. Azure DevOps Pipeline
1. Get ARM Templates from public git repo
2. Deploy ARM Templates into Azure resource group.
ARM template deploys app code from another GitHub repo
3. Build SQL project and Deploy DACPAC
32. Azure DevOps Build Pipeline – SQL DB
YAML Build Pipeline
Build SQL project
Deploy DACPAC file for creating tables and populating data
33. Azure DevOps Pipeline
Trigger an Azure DevOps Pipeline that is the existing Build pipeline for SQL Deployment
34. ARM Template Challenges
• Steep learning curve
• Very syntax oriented. Need to find the exact JSON syntax for ARM template operations and functions to achieve the functional objective. Need to look at many examples and reverse engineer or piece together techniques.
• Microsoft Azure documentation always shows Azure PowerShell and CLI examples of deploying and configuring resources, but very little reference to ARM templates.
35. Future considerations for this demo solution
Better group management
- Group related resource types into their own resource group and deploy accordingly
Better Security
- Leverage managed identity where possible
- Deploy ARM templates from Azure storage accounts with a secured SAS token instead of a public GitHub repo
- Investigate an SSL cert auto-renewal process
Include App Monitoring
- Create an ARM template to provision Application Insights for the application
37. Q & A
• @RoyKimYYZ
• roy@roykim.ca
www.roykim.ca
github.com/RoyKimYYZ
Editor's Notes
A .pfx includes both the public and private key for the associated certificate (NEVER share this outside your organization); it can be used for TLS/SSL on web site, for digitally signing messages or authorization tokens, or for authenticating to a partner system. A .cer file only has the public key (this is what you typically exchange with integration partners); it can be used to verify tokens or client authentication requests, and it is what is received by an HTTP client from a server in the SSL handshake.
To access the secrets inside this Key Vault from Resource Manager deployment, enabledForTemplateDeployment must be true.
SQL
Allow Access to Azure Services: To allow applications from Azure to connect to your Azure SQL server, Azure connections must be enabled. When an application from Azure attempts to connect to your database server, the firewall verifies that Azure connections are allowed. A firewall setting with starting and ending address equal to 0.0.0.0 indicates Azure connections are allowed.
This option configures the firewall to allow all connections from Azure including connections from the subscriptions of other customers. When selecting this option, make sure your login and user permissions limit access to only authorized users.
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-firewall-configure
Key Vault
https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates#key-vault-keys
https://crypto.stackexchange.com/questions/64184/how-much-extra-security-does-key-wrapping-provide
So why is encryption or wrapping useful? Well, not all keys have the same properties. Some keys such as public keys for asymmetric systems can be distributed using a public key infrastructure, but they can perfectly well be used to wrap AES keys to perform key establishment. Other keys are distributed in advance, taking advantage of the moment in time that the key can be established. Yet others take advantage of hardware protection in HSMs or smart cards. So key wrapping is an important tool to perform key management. Note that one wrapping key can be used to wrap many other keys.
As for your examples: yes, a key can be transported over TLS. However, TLS is point to point transport security. After TLS is stripped you'd just have the key. It is much more secure to wrap the key and provide end-to-end security. With a bit of luck the key may be unwrapped directly within an HSM and never even appear in memory. Note that earlier forms of TLS, the TLS_RSA ciphersuites, actually perform a form of key wrapping to establish the master secret to derive the session keys from.
Trusted Microsoft services include: Azure Virtual Machines deployment service, Azure Resource Manager template deployment service, Azure Disk Encryption volume encryption service, Azure Backup, Exchange Online, SharePoint Online, Azure Information Protection, Azure App Service: Web Apps, Azure SQL, Azure Storage, Azure Data Lake Storage, Azure Databricks, Azure Machine Learning Service