AcloudA

[Azure] Discovering of KeyVault

Posted by Florent Appointaire on October 21, 2019


KeyVault

For some months now, Microsoft has deployed on the Azure platform, Key Vault. This solution gives you the possibility to store, directly on Azure, your passwords, certificates, etc. and to generate/call them through API. Resources can be accessed from Azure Automation, Azure AD and from your custom applications.

You can find the full documentation here: https://docs.microsoft.com/en-us/azure/key-vault/

Regarding the cost, it depends of your use. All details are available here: https://azure.microsoft.com/en-us/pricing/details/key-vault/

Create your first vault

To create your vault, navigate to the marketplace and search Key Vault. Create a new one:

It’ll take a few seconds to deploy the vault. When it’s finished, you should have this:

Deploy the vault

Secrets in Key Vault

Start by using the Secrets part who give you the possibility to store certificates, but password too. To store a new password, go to Secrets > Add and choose as upload options, Manual. Provide a name (space is not allowed) and value of this password. You can provide an activation date and when this password will expire:

Secrets in Key Vault

Do the same for the password with extension PFX and provide the password to use this certificate. If the password is not correct, you’ll have an error message:

Provide the password

And with the good password:

Create the secrets

Your 2 resources are now deployed:

list of secrets

If you want to see what is inside services that you created, just go to the service and click on Show secret value and the value will be displayed:

Show secret value

You can have a history of all versions:

A history of all versions

Keys in Key Vault

For the Key part, you can create a key that will give you the possibility to:

  • Encrypt
  • Sign
  • Wrap Key
  • Decrypt
  • Verify
  • Unwrap Key

When this key is generated, it will give you the possibility to do the previous operations, by using his Key identifier:

Key identifier

You can use this key from applications, with API calls, or with PowerShell for example.

You can back up these keys, directly from the Azure portal:

Back up the keys

This key can be restored from the Azure portal.

Permissions

Because some passwords can be critical, you can give them to anybody It’s why you can manage permissions. Click on Add new on Access policies tab:

Permissions

Select a user to apply for permissions. Be careful, you will give the authorization to all the section and no to one Keys or Secrets that you choose. My user will have only access to Keys:

Select a user to apply for permissions

Click on Save and connect to the Azure portal, with the user where you added permissions. Be careful to give Read permissions on the resource group where the Key vault is deployed, otherwise, the user will not be able to see the vault.

Open the Key vault. You will normally have access only to the Keys part, in Read/Write:

Keys part

It’s the case. Because I don’t have necessary permissions for the Secrets part, I’ve the following error message:

Error message

And, I’ve a Read access on policies:

Read access

Conclusion

To conclude, this service is here to concurrence software like KeyPass, 1Password, etc. but with more functionalities. In fact, you can call a password from your PowerShell scripts that are stored in the KeyVault and in your applications too. This is very useful to update regularly your password in your enterprise (for security reasons) and without modifying code and so on every time. And the possibility to manage authorizations is a big plus. The price of the service is very low, so why deprive yourself?

Views All Time
1
Views Today
1
Return to all posts

[Azure] Protect your Azure WebApp with Let’s Encrypt
Deploying Ubuntu VM in Azure with Remote Desktop Access