5.3 Azure Key Vault

Video Transcription
Welcome back. In this episode, we're gonna take a look at Azure Key Vault.
Our objectives include understanding what Azure Key Vault is and then taking a look at what we can do with it in a demo.
So first, what is Azure Key Vault? Azure Key Vault is exactly like it sounds. It's a secure storage area for secrets, encryption keys, certificates, passwords or API keys.
Secrets stored in the vault are protected by either software or hardware security modules, or HSMs, and are certified to FIPS 140-2 Level 2 standards.
By centrally storing all the important and confidential pieces of information, you can control how and when they're distributed. For example, developers no longer need to store credentials or security information inside the application, something like a database connection string.
Instead, the application can access the connection string from the Key Vault using URIs.
Accessing the Key Vault requires completing authentication and authorization before the user or application can get access. Authentication is performed through Azure Active Directory with either an RBAC group or a Key Vault policy.
RBAC is used for management of the Key Vault, while Key Vault access policies are used to access data inside the vault.
Azure Key Vault has a couple of key features we need to cover. First is monitoring. You can monitor how and when keys and secrets are being accessed. You can enable logging in the Key Vault and then archive the logs to a storage account, stream them to an event hub, or send the logs to Azure Monitor.
Azure Key Vault also has built-in scalability, so it can scale up to meet any usage spikes inside your organization.
The Key Vault also has replication, where you can replicate the data inside of it within the region and also to a secondary region for high availability and automatic failover. Azure Key Vault also allows for segregating application secrets. You can create a Key Vault per application and then restrict the secrets in the vault to specific applications or people.
Azure Key Vault currently has two pricing tiers; they are standard and premium. Billing inside of standard and premium is done the exact same way: they're billed per transaction or certificate operation. The primary difference is that premium enables you to use HSM-protected keys,
whereas standard only uses software-protected keys.
Let's jump out to the Azure portal and take a look at creating an Azure Key Vault, storing a secret in it and then retrieving that secret.
Back in the Azure portal, let's click on Create a Resource and search for Key Vault.
We'll choose a resource group.
I'll choose the existing identity-RG.
We'll give the Key Vault a name.
We'll select a region; I'm gonna select East US.
And since I won't need HSM encryption, I'm just gonna select the standard pricing tier.
Let's go ahead and review and create
and create our Key Vault.
Let's go check out our resource.
One thing I didn't mention during the creation of the Key Vault is that the name we give it has to be globally unique, much like we've run into with our storage accounts or Azure App Services.
You can see here the DNS name has a suffix of .vault.azure.net.
This is so applications have a URI to make requests against in order to retrieve stored keys in the Key Vault.
Under Settings, let's go down to Secrets.
Let's go ahead and generate a new secret.
We're just going to choose the manual upload option.
We'll give our secret a name.
We'll give it a value.
And we also have options of setting activation dates or expiration dates. Or we could create the secret but not enable it right away. Let's go ahead and leave it at enabled.
Let's go and create our secret.
Now that we have our secret stored in our Key Vault, I'm going to jump over to our Azure Cloud Shell, and I'm going to see if I can retrieve it using PowerShell.
Here we are in the Azure Cloud Shell and I'm going to use PowerShell to retrieve our secret that is stored in our Azure Key Vault. I'm going to use Get-AzKeyVaultSecret and specify our vault name.
And I need to specify the name of the secret that I want to extract.
And I'm going to get the secret value text.
There we have it. I just pulled back the secret that was stored in our Key Vault,
so you can see here, this allows you to programmatically retrieve secrets from the Key Vault without actually storing them inside of your code.
For example, I might need this password inside of a script, so instead of storing the password inside the script, I could make this call out to the Key Vault, save the password to a variable and then use it inside the script.
There's lots of other things that can be stored. This is just a small example of what you can use the Azure Key Vault for. Let's jump back to the slides and wrap this up.
Coming up next, we're gonna take a look at data encryption and confidential compute. See you in the next episode.
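The demo above is done in the portal and then finished with a single PowerShell retrieval. As an added example that is not from the video, the script below performs the same steps end to end with the Az PowerShell modules: create a standard-tier vault, grant an application least-privilege data-plane access through an access policy (the RBAC-versus-access-policy distinction the episode describes), store a secret with an expiry, retrieve it with Get-AzKeyVaultSecret, and enable audit logging. It assumes you are already signed in with Connect-AzAccount, that Az.KeyVault 2.x or later is installed (so the -AsPlainText switch replaces the older .SecretValueText property), and that Az.Monitor still provides Set-AzDiagnosticSetting (versions before 3.0). The vault name, service-principal object id, workspace id and secret value are placeholders you replace.

```powershell
# Added example, not the video's own script. Assumes Az.KeyVault 2.x+ and Az.Monitor < 3.0,
# and an existing Connect-AzAccount session. All values below are placeholders.
$resourceGroup = 'identity-RG'                        # resource group used in the video
$vaultName     = 'kv-demo-REPLACE-UNIQUE'             # placeholder: vault names are globally unique
$location      = 'eastus'                             # East US, as in the video
$appObjectId   = '<service-principal-object-id>'      # placeholder: the app that will read secrets
$workspaceId   = '<log-analytics-workspace-resource-id>'  # placeholder for the audit-log sink

# 1. Create the vault on the standard tier (software-protected keys, no HSM).
New-AzKeyVault -Name $vaultName -ResourceGroupName $resourceGroup `
    -Location $location -Sku Standard -ErrorAction Stop

# 2. Data-plane access: an access policy that lets the application only read secrets.
#    RBAC on the vault resource controls who manages the vault; this policy controls
#    what can be done with the data inside it, so grant 'get' and nothing more.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $appObjectId `
    -PermissionsToSecrets get

# 3. Store a secret (constructed sample value) with an expiration date, the same option
#    the portal's "expiration date" field exposes. Expired secrets cannot be retrieved.
$secretValue = ConvertTo-SecureString 'Server=db01;User=app;Password=PLACEHOLDER' -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vaultName -Name 'DbConnectionString' `
    -SecretValue $secretValue -Expires (Get-Date).AddDays(90)

# 4. Retrieve the secret as plain text, which is the step the video performs in Cloud Shell.
#    Keep the value in a variable and use it; do not write it to output or logs.
$conn = Get-AzKeyVaultSecret -VaultName $vaultName -Name 'DbConnectionString' -AsPlainText
# Example use inside the script (hypothetical consumer):
# $sqlConnection = New-Object System.Data.SqlClient.SqlConnection($conn)

# 5. Audit: send the vault's AuditEvent logs to Log Analytics so every get/set/delete on
#    secrets is recorded, the "monitor" feature the episode describes.
$vault = Get-AzKeyVault -VaultName $vaultName
Set-AzDiagnosticSetting -ResourceId $vault.ResourceId -Name 'kv-audit' `
    -Enabled $true -Category AuditEvent -WorkspaceId $workspaceId
```

Each secret read then appears as an AuditEvent entry carrying the caller's identity and the operation, which is what lets you confirm that only the intended application is reading the connection string. Swapping the access policy for a broader permission set (for example adding list or set) is the change to look for when reviewing a vault's configuration.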