In this article, we will see:
- What is a Key Vault.
- How to create a Key Vault.
- How to manage a Key Vault (Create new Keys, Add Secrets, Manage access policies).
Key Vault
Azure Key Vault is Microsoft's cloud service for storing your keys and secrets securely. Keys can be protected in software (running on Azure VMs) or in Hardware Security Modules (HSMs).
Key: a cryptographic key, for example RSA 2048.
Secret: any sequence of bytes under 25 KB, for example a connection string.
Key Vault lets you control the lifecycle of your encryption keys and gives your applications a single place from which to access those keys.
Customers who deploy their applications in the cloud are increasingly concerned about security. For them, Azure Key Vault is a better option than putting keys and secrets in the application's configuration file.
Azure Key Vault Life Cycle
In the figure given below, you can see that the developer has access to both the Cloud application and the Key Vault.
The developer authorizes the Cloud Application by configuring it with the Key Vault URL, so that it can access Azure Key Vault at run time.
![Azure Key Vault Life Cycle]()
We can also assign a dedicated person to manage the Key Vault. In that case the developer only has access to the Cloud Application: the developer deploys the Application using the Key Vault URL given by the Key Vault manager, and the Application accesses the Key Vault at run time.
![Azure Key Vault Life Cycle]()
Now we will see how to create a Key Vault using Azure PowerShell.
Step 1. Open Azure PowerShell or Windows PowerShell ISE.
![Azure PowerShell]()
Step 2. Log in to your Azure account.
![Azure account]()
After a successful login you will see the screen shown below.
![login]()
Step 3. Create a resource group.
![Create a resource group]()
Step 4. Create a Key Vault. The vault name must be unique.
![Create Key Vault]()
You can see that a new Key Vault has been created with the name ‘AshishKeyVault’. You will need the Vault URL to access the Key Vault from the Application.
Step 5. Set Access Policies.
- Provide access to other users.
![Provide access]()
The permission to keys has been changed to encrypt.
![encrypt]()
You can grant access to other personnel with the same command.
- Provide access to Cloud Applications.
First, you need to register the Application in Azure Active Directory from the Azure portal.
Select the default directory.
![default directory]()
Choose to add an Application that you are developing.
![develop application]()
Fill in the required fields.
![Fill required fields]()
The Sign-on URL can be anything, but it must be unique.
![Sign On]()
Now go to the Application's configuration section.
![applications configuration]()
Find the Client ID and Keys. Note down the Client ID; it will be required when setting the access policy for your Application.
![CLIENT ID]()
Go back to Azure PowerShell.
![Azure PowerShell]()
Now you can see two Access Policy entries: one is mine and the other one is my Cloud Application.
![two Access Policy entries]()
Step 6. Add Keys to the Key Vault with different security policies.
Select the security policy depending on the environment. For the Production environment, use Hardware Security Modules (HSM); for other, less sensitive data you can use software security modules. The software security module is free, whereas HSM is available at a very low cost. Out of 100 banks, 90 use HSM for security.
- Set software security.
First, set the permissions to keys.
![Set Software Security]()
- Set hardware security.
Create a new resource group.
![Create new Resource group]()
Set the vault to the Premium SKU.
![premium SKU vault]()
Set HSM as the destination.
![Set HSM]()
Now we have created the keys in the Key Vault.
Step 7. Create a secret and set its value.
![Create secret]()
The command to get the secret values is given below.
![Get Secret values]()
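The whole procedure from Step 2 to Step 7 as one script, added here as an example and not taken from the article's screenshots. It assumes the current Az PowerShell module; the resource group, vault name, location, user principal name and application Client ID are placeholders to replace with your own values.

```powershell
# Added example (not from the original article): Key Vault setup end to end with the Az module.
# Placeholders to replace: $rgName, $vaultName, $location, $userUpn, $appClientId.
$ErrorActionPreference = 'Stop'

$rgName      = 'KeyVaultDemoRG'                          # placeholder resource group
$vaultName   = 'kv-demo-' + (Get-Random -Maximum 99999)  # vault names must be globally unique
$location    = 'East US'
$userUpn     = 'colleague@contoso.com'                   # placeholder: user who gets access
$appClientId = '00000000-0000-0000-0000-000000000000'    # placeholder: Client ID of the app registration

# Step 2: sign in
Connect-AzAccount | Out-Null

# Step 3: resource group
New-AzResourceGroup -Name $rgName -Location $location | Out-Null

# Step 4: vault. The Premium SKU is required for HSM-protected keys (Step 6);
# purge protection keeps deleted keys and secrets recoverable for the retention period.
$vault = New-AzKeyVault -VaultName $vaultName -ResourceGroupName $rgName -Location $location `
    -Sku Premium -EnablePurgeProtection
"Vault URL for the application: $($vault.VaultUri)"

# Step 5a: another user, with the key permission limited to encrypt, as in the article
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -UserPrincipalName $userUpn -PermissionsToKeys encrypt

# Step 5b: the cloud application, identified by the Client ID noted in the portal.
# Least privilege: the app can use keys and read secrets but cannot create, delete or purge anything.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $appClientId `
    -PermissionsToKeys get,list,encrypt,decrypt -PermissionsToSecrets get,list

# Step 6: keys. Software protection for less sensitive data, HSM protection for production.
Add-AzKeyVaultKey -VaultName $vaultName -Name 'DevSigningKey'  -Destination Software | Out-Null
Add-AzKeyVaultKey -VaultName $vaultName -Name 'ProdSigningKey' -Destination HSM      | Out-Null

# Step 7: a secret such as a connection string. Prompt for it instead of hard-coding it
# in the script, so the plain-text value never lands in source control or the console history.
$secret = Read-Host -Prompt 'Connection string' -AsSecureString
Set-AzKeyVaultSecret -VaultName $vaultName -Name 'SqlConnectionString' -SecretValue $secret | Out-Null

# Verify: list the keys and read the secret back (this is what the application does at run time)
Get-AzKeyVaultKey    -VaultName $vaultName | Select-Object Name, Enabled
Get-AzKeyVaultSecret -VaultName $vaultName -Name 'SqlConnectionString' -AsPlainText
```

Older guides use the AzureRM cmdlet names (for example `New-AzureRmKeyVault`); the parameters shown here are the same in the Az module.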
In this article, we have covered the basic flow of the Key Vault life cycle, and we have seen how to create and manage a Key Vault.