Azure Key Vault – Step by Step

Azure Key Vault is a managed Azure service that lets you encrypt keys and small secrets (e.g. passwords, SAS tokens) and manage them securely.  Key Vault also lets you store cryptographic keys and perform operations with them (e.g. encrypt data) without ever revealing the key material, which is pretty cool.  Check it out.

A typical problem with new services like this is the lack of documentation.  Well, no more for Key Vault, thanks to Dan Plastina's step-by-step guide on Key Vault.  It's succinct, straight to the point and well written.

The guide’s backbone is the vault’s lifecycle:

[Figure: Key Vault lifecycle diagram]

Now this basically allows you to go to town with the vault.  It's a very clean workflow that enables many scenarios.

The typical ones I would see are:

This is so much cleaner than what I see today in the field, where SAS tokens are created, put in web.config, forgotten there until they expire, shared between developers who troubleshoot problems in production, etc.  Because of the work involved in cycling a SAS, those SAS tokens are usually created with multi-year validity, so if they get compromised, well, you get the picture.

The nice thing here is that the vault does more than protect secrets:  it lets you manage them centrally.  For me that is half the value, especially if you have an application estate bigger than 2 apps sharing some secrets.  It gives you visibility into which secrets are used by whom and lets you manage them.  You no longer need SAS tokens that last 5 years, since you can cycle them centrally.
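The forgotten, multi-year SAS in web.config is something you can audit for before moving the secret into the vault.  The script below is an added example written for this post (not code from the post, from Dan Plastina's guide or from Microsoft): it parses a constructed web.config fragment, picks out every appSettings value that looks like a SAS (it carries both a `sig` and an `se` field), computes the validity window from the `st`/`se` timestamps and flags tokens that live longer than a threshold.  The 90-day limit, the setting names and the placeholder signatures are all assumptions made for the example; only the SAS query-string field names (`st`, `se`, `sp`, `sig`) are real.

```python
"""Audit Shared Access Signatures (SAS) embedded in a web.config for long validity.

Added example for this post: it finds SAS query strings in <appSettings> values,
parses their start (st) and expiry (se) fields and flags tokens whose validity
window exceeds a chosen limit, i.e. the multi-year SAS the post warns about.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs
import xml.etree.ElementTree as ET

# Constructed sample web.config fragment; the signatures are placeholders,
# not real Azure Storage signatures, and the setting names are made up.
SAMPLE_WEB_CONFIG = """\
<configuration>
  <appSettings>
    <add key="BlobSas" value="?sv=2015-04-05&amp;ss=b&amp;srt=sco&amp;sp=rl&amp;st=2015-12-01T00:00:00Z&amp;se=2020-12-01T00:00:00Z&amp;spr=https&amp;sig=PLACEHOLDER_SIG_1" />
    <add key="QueueSas" value="?sv=2015-04-05&amp;ss=q&amp;srt=o&amp;sp=a&amp;st=2015-12-28T00:00:00Z&amp;se=2015-12-29T00:00:00Z&amp;spr=https&amp;sig=PLACEHOLDER_SIG_2" />
    <add key="SiteName" value="frontend" />
  </appSettings>
</configuration>
"""

# SAS timestamps are UTC, either date-only or ISO 8601 with a trailing Z.
_TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")


def parse_sas_time(value):
    """Parse a SAS st/se field into a timezone-aware UTC datetime."""
    for fmt in _TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def find_sas_tokens(config_xml):
    """Return {setting_key: sas_params} for every appSettings value that looks like a SAS."""
    root = ET.fromstring(config_xml)
    found = {}
    for add in root.iterfind("./appSettings/add"):
        value = add.get("value", "")
        params = {k: v[0] for k, v in parse_qs(value.lstrip("?")).items()}
        # A SAS always carries a signature (sig) and an expiry (se).
        if "sig" in params and "se" in params:
            found[add.get("key")] = params
    return found


def audit_sas(config_xml, max_validity_days=90, now=None):
    """Classify each SAS in the config by validity window and expiry.

    Returns a list of dicts with key, permissions, expires, validity_days
    (None when the token has no st field), expired and long_lived.  The
    signature is deliberately left out so the report is not another copy
    of the secret.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for key, params in find_sas_tokens(config_xml).items():
        expires = parse_sas_time(params["se"])
        start = parse_sas_time(params["st"]) if "st" in params else None
        validity = (expires - start) if start else None
        findings.append({
            "key": key,
            "permissions": params.get("sp", ""),
            "expires": expires.isoformat(),
            "validity_days": validity.days if validity else None,
            "expired": expires <= now,
            "long_lived": validity is not None
            and validity > timedelta(days=max_validity_days),
        })
    return findings


if __name__ == "__main__":
    # Pin "now" so the sample output is stable; drop the argument for a live audit.
    review_time = datetime(2015, 12, 28, tzinfo=timezone.utc)
    for f in audit_sas(SAMPLE_WEB_CONFIG, now=review_time):
        flag = "LONG-LIVED" if f["long_lived"] else "ok"
        print(f"{f['key']}: sp={f['permissions']} se={f['expires']} "
              f"validity={f['validity_days']}d -> {flag}")
```

Run against a real web.config (`audit_sas(open("web.config").read())`), any setting reported as long-lived is a candidate for the workflow described above: issue a short-lived SAS, store it in the vault with a matching expiry, and have the application read it from there instead of from its config file.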


One response

  1. Ana 2015-12-28 at 21:28

    Is it possible to use Azure Key Vault to keep account passwords? I tried, but was unable to retrieve the password using Get-azurekeyvaultsecret. Is there a way to retrieve the secret without using a URI in the application?
