Public-facing websites are attacked nearly every day. Most of these attacks come from infected computer systems whose owners are completely oblivious to the situation. The infected systems autonomously scan the internet for unpatched systems, which, when found, quickly join the ranks of the infected. Beyond the compromise itself, the creators of these malicious applications can use them to gain access to the computer's data and, from there, steal passwords, encryption keys, and other valuable information.
Every few months we hear about another major data breach, such as Yahoo, Equifax, or Uber, and literally hundreds of other systems whose data has been stolen. All too often it comes down to poor security practices.
There are several techniques for protecting data, but one method stands out above the rest. Azure Key Vault, when configured correctly, provides a high level of security and by its very nature projects a strong security posture. By removing sensitive information from application configuration files and placing it within the Key Vault, you remove the information that would allow a limited breach to grow into the next big data breach.
You'll need an Azure subscription to access the Azure Portal, where you can set up your very own Key Vault. Two items in the Key Vault are of importance: Keys and Secrets. Keys are used for cryptographic encryption, while Secrets are used to store information such as usernames, passwords, or other sensitive values.
Preparing the Azure Key Vault Environment:
- Create an Azure Application from the Azure Active Directory section of the Azure Portal. Record the Application ID and name of the new AAD Application; these are needed to access the vault with the Azure Key Vault SDK and to grant permissions to the vault.
- Not to be confused with Keys in the Key Vault, you'll need to add a Key to the AAD Application, which is essentially setting a password for the AAD Application. Using a password is not recommended, because the password would then have to be placed in the application's configuration, which is basically placing the keys to the kingdom within the configuration.
- Instead, upload the public key of an X.509 certificate to the Azure Application. Once uploaded, record the certificate's thumbprint. The thumbprint acts like a serial number and is used to locate the certificate. Install the certificate on the computer where the application will run.
- Grant permissions on the certificate to the user account that will run the application. This is done in the Windows Certificate Manager. Since Windows Server 2008, permission to the private key must be granted explicitly, which provides a higher level of certificate security. Even if the computer is compromised, it is unlikely anyone would be able to access the certificate's private key.
- It's recommended that the application run under a service account or use IIS impersonation. This reduces the chance that a compromised computer can be used to access the certificate. Never run the application as the currently logged-in user, and never grant permissions to the account used to maintain the machine. This reduces the chance of an attacker being able to elevate privileges.
- Create the vault and add your secrets.
- The last step within the Azure Portal is to grant permission from within Key Vault to the AAD Application.
- Install the Azure Key Vault NuGet Package within your application and you’re ready to start coding.
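The steps above tied together in code, as an added example that is not the linked repository's code: the application locates the certificate by thumbprint, authenticates to AAD with it instead of a password, and reads one secret. The Application ID, thumbprint and vault URL are placeholders, and it assumes the certificate was installed in the local machine's Personal store and that the Microsoft.Azure.KeyVault and Microsoft.IdentityModel.Clients.ActiveDirectory (ADAL) packages are referenced.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Added example: certificate-based AAD authentication to Key Vault.
// No secret or password lives in configuration; only the thumbprint does.
public static class KeyVaultReader
{
    // Placeholders: substitute your own Application ID, thumbprint and vault name.
    private const string ClientId   = "<AAD-APPLICATION-ID>";
    private const string Thumbprint = "<CERTIFICATE-THUMBPRINT>";
    private const string VaultUrl   = "https://<VAULT-NAME>.vault.azure.net/";

    // Find the certificate in the local machine Personal store (assumed install location).
    // Only the account granted permission to the private key in Certificate Manager
    // can use it to sign, so a compromised user account without that grant gets nothing.
    private static X509Certificate2 FindCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Certificate not found for thumbprint.");
            return matches[0];
        }
    }

    // Invoked by KeyVaultClient when it needs a token. The authority and resource come
    // from the vault's authentication challenge; the certificate signs a client assertion.
    private static async Task<string> GetAccessTokenAsync(string authority, string resource, string scope)
    {
        var context = new AuthenticationContext(authority);
        var assertion = new ClientAssertionCertificate(ClientId, FindCertificate(Thumbprint));
        AuthenticationResult result = await context.AcquireTokenAsync(resource, assertion);
        return result.AccessToken;
    }

    // Read a secret by name; the AAD Application must have been granted Get permission on secrets.
    public static async Task<string> GetSecretAsync(string secretName)
    {
        var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessTokenAsync));
        SecretBundle secret = await client.GetSecretAsync(VaultUrl, secretName);
        return secret.Value;
    }
}
```

If the running account lacks private-key permission, the token request fails at the signing step, which is the expected outcome of the Certificate Manager grant described above.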
Additional Recommended Learning:
- Programmatically accessing certificates
- Authenticating with Azure Active Directory
- Using the Key Vault Client
See the GitHub repository below for a complete example application written in ASP.NET Core 2.1 that demonstrates authenticating with AAD, accessing certificates, and querying Key Vault.