Functionality and Usage of Key Vault - AZ-900 Certification Course

John Savill's Technical Training

2 Jan 202207:37

Summary

TLDRThis lesson delves into Azure Key Vault, a secure service for managing application secrets, keys, and certificates. It emphasizes the importance of not hardcoding sensitive information in application code. The service supports three entities: secrets, keys for cryptographic operations, and certificates for lifecycle management and distribution. Azure Key Vault offers two authorization methods: traditional access policies and more granular role-based access control (RBAC). Managed identities are highlighted as a solution for authentication challenges, allowing apps to access Key Vault with built-in permissions. The video also mentions Key Vault's integration with Azure services for encryption.

Takeaways

🔑 Azure Key Vault is a service designed to securely store and manage secrets, keys, and certificates for applications.
📜 Secrets in Key Vault can be read and written, making them suitable for storing passwords or shared access signatures.
🗝️ Keys within Key Vault support cryptographic operations and can be generated or imported but cannot be exported.
📄 Certificates in Key Vault focus on lifecycle management and distribution, ensuring secure and efficient handling.
🛡️ High-security needs can be met by running Key Vault on top of HSMs (Hardware Security Modules) for enhanced protection.
🔑 Access to Key Vault is controlled through authentication and authorization, with two types: access policies and role-based access control (RBAC).
👤 Access policies provide permissions for users but lack granularity, applying to all entities of a certain type within the vault.
📋 RBAC offers granular permissions, allowing different users to have access to specific secrets, keys, or certificates with various actions.
👥 Role assignments can be made at the Key Vault level or at the individual entity level, providing precise control over access.
🐔 Managed identities in Azure can be used to authenticate applications to Key Vault without storing passwords within the vault.
🔄 Azure Key Vault is integrated with other Azure services, allowing for 'Bring Your Own Key' scenarios for encryption and enhanced security.

Q & A

What is Azure Key Vault and what is its primary purpose?
-Azure Key Vault is a cloud service designed to securely store and manage cryptographic keys, secrets, and certificates. Its primary purpose is to provide a secure way to store sensitive information such as passwords, tokens, and database connection strings, without hard-coding them into application code.
Why is it not secure to put secrets directly into application code?
-Putting secrets directly into application code is insecure because it increases the risk of accidental exposure or leaks. If the code is shared, accessed, or compromised, the secrets could be discovered by unauthorized parties.
What are the three types of entities supported by Azure Key Vault?
-The three types of entities supported by Azure Key Vault are secrets, keys, and certificates. Secrets are readable and writable pieces of data like passwords or tokens. Keys are cryptographic keys that can be generated or imported and used within the vault but cannot be exported. Certificates are managed for lifecycle and distribution purposes.
What is the difference between a secret and a key in Azure Key Vault?
-A secret in Azure Key Vault is a piece of data that can be both read and written, such as a password or a shared access signature. A key, on the other hand, is used for cryptographic operations and can be generated or imported into the vault but cannot be exported or taken out of the vault.
How does Azure Key Vault handle the lifecycle management of certificates?
-Azure Key Vault provides lifecycle management for certificates, which includes issuing, renewing, and revoking certificates. It also handles the distribution of certificates to ensure they are accessible to the services that require them.
What is the role of Hardware Security Modules (HSMs) in Azure Key Vault?
-Hardware Security Modules (HSMs) are physical devices designed for the secure storage and management of sensitive data. In Azure Key Vault, HSMs can be used to enhance the security of storing and managing secrets, keys, and certificates.
What are the two types of authorization methods available in Azure Key Vault?
-The two types of authorization methods available in Azure Key Vault are access policies and role-based access control (RBAC). Access policies provide permissions at a more general level for all entities of a certain type within the vault. Role-based access control allows for more granular permissions, enabling different access levels for different entities within the same vault.
Why is role-based access control (RBAC) generally preferred over access policies in Azure Key Vault?
-Role-based access control (RBAC) is generally preferred over access policies because it offers more granular permissions. With RBAC, different users or services can be given access to specific secrets, keys, or certificates within the same vault, providing a more flexible and secure access management system.
What is a Managed Identity in the context of Azure services?
-A Managed Identity in Azure is an identity for an Azure service that is automatically managed by Azure. It provides a way for applications running in Azure to authenticate to other Azure services without the need for explicit credentials.
How can Managed Identity be used with Azure Key Vault?
-Managed Identity can be used with Azure Key Vault by assigning the identity permissions to access specific secrets, keys, or certificates within the vault. This allows applications to authenticate using their built-in managed identity and access the resources they have been granted permissions to.
How does Azure Key Vault integrate with other Azure services for encryption purposes?
-Azure Key Vault integrates with other Azure services for encryption by allowing users to 'bring your own key' (BYOK) for services like storage accounts or database encryption. The keys used for encryption are stored and managed within the user's Azure Key Vault, providing control over key rotation and revocation.