Azure Key Vault – Step by Step


NOTE: This post was updated on Nov 12 2015 to incorporate breaking changes introduced in the Azure PowerShell 1.0 release.

Welcome!

In our introductory blog post we covered the overall Key Vault model. Today we’re going to dive into the specifics of using it. If you’ve not read the prior post, please do so before proceeding with this one. In the below Sumedh and Amit, PMs on the Key Vault Team, will offer a guided walk through with far more depth.

Thanks for your support!

Dan (twitter) on behalf of the Azure Key Vault Team

Here is the Azure page: http://azure.microsoft.com/services/key-vault

We value your input so please take a moment to follow usjoin our advisory boardsend us private feedback,and/or visit our forum

 

Hi, 

In this post we take you through how to create and manage a key vault. We start with the lifecycle of a key vault. Next, we illustrate it with a basic example with PowerShell. Finally we wrap up by showing how to use these building blocks to achieve the full scenario that Dan outlined in the previous post.

During this preview, the management interface for a key vault is Azure PowerShell. In this post, we will assume you have basic working knowledge of PowerShell. If you do not, you should still be able to follow the overall flow from the example below, even if not every detail.

Key Vault lifecycle

In the simplest case you create a key vault, and you are the only person doing all operations with the key vault. In other cases, there may be up to four sets of people and any number of applications performing different tasks on a key vault. We'll demonstrate here the four core roles that we've enabled: 

Key Vault lifecycle

 

1. Your usage of the Key Vault service begins with creating your own key vault. Do this using the cmdlet New-AzureRmKeyVault.

2. In all likelihood you created this key vault for one or more applications to use. You must register those applications in Azure Active Directory. You must also authorize them to use your vault. Do this using the cmdlet Set-AzureRmKeyVaultAccessPolicy.

Optional: To allow other users (say your team members) to add/remove keys to this key vault, authorize those users for those specific operations on your key vault. Do this also using the cmdlet Set-AzureRmKeyVaultAccessPolicy.

3. You, or the users you authorized, then add your secrets (e.g. passwords) and cryptographic keys to that key vault. Do this using the cmdlets Set-AzureKeyVaultSecret and Add-AzureKeyVaultKey respectively. For each secret or key that you add, you get a unique URI.

4. The application operator must configure applications to use the URI of your key vault (or of specific secrets or keys). The specific configuration steps are unique to each application; generally the application will provide you a place in their configuration to paste the URI of your key or secret.

5. Subsequently the application you authorized can use your key vault programmatically using the Key Vault REST API or Key Vault Client classes. The application can do the following:

  • It can read or write secrets into your key vault, if it is authorized for those operations.
  • It can use your keys by calling methods of the service such as decrypt or sign. The application cannot read (extract) your keys. This is because the Key Vault service performs the cryptographic operation on the application’s behalf.
  • The application may also add, remove, or update keys in your key vault, if authorized for those specific operations, but this is less common.

6. (Coming soon) You, the key vault owner, or a delegate such as an auditor, will be able to monitor operations performed on your keys and secrets by retrieving a usage log from the Key Vault service.

7. At any point, you or your delegate can update values of an existing keys or secret. Do this using the cmdlet Add-AzureKeyVaultKey with the existing key name, or Set-AzureKeyVaultKey with the existing secret name.

8. When you are done using your keys and secrets, delete them using the cmdlets Remove-AzureKeyVaultKey and Remove-AzureKeyVaultSecret respectively.

9. At any point, you can de-authorize (revoke) users and applications from accessing your key vault, or authorize other users and applications. Do this using the cmdlets Remove-AzureRmKeyVaultAccessPolicy and Set-AzureRmKeyVaultAccessPolicy.

10. When you are done using the key vault, delete the entire key vault using the cmdlet Remove-AzureRmKeyvault.

The next section walks you through an example of these steps with screenshots.

Step-by-step instructions

  • For step-by-step instructions to create your first key vault and authorize an application, see Getting Started with Key Vault.

  • Download sample applicationsFollow the instructions in README.md to configure these applications. You need Visual Studio 2012 or 2013 to compile these applications.

Example

This example shows a developer Derick at Trey Research creating a key vault, adding a key to that key vault, and running the sample application HelloKeyVault with that key vault. Derick is using the account his organization gave him (derick@treycorpusa.onmicrosoft.com) and he has a 30-day trial subscription to Azure, good enough to play with Azure.

Get an identity for the application

First things first — everybody who uses key vaults, whether users or applications, needs to be registered in Azure Active Directory (Azure AD). Derick’s user account is already in Azure AD. But his application is not. So he registers his instance of the HelloKeyVault sample application in his organization's (treycorpusa.onmicrosoft.com) Azure AD directory . The next few screenshots show the standard application registration workflow for Azure AD. None of these steps are unique to Azure Key Vault.

Derick signs in to the Azure management portal, and selects ACTIVE DIRECTORY on the left.

He sees his organization’s directory, “Trey Corporation”. He clicks it. In that directory, he clicks the APPLICATIONS tab.

This page normally shows him the applications he has previously registered. In this case he has none. He clicks the ADD icon at the bottom.

In the dialog that comes up, he enters a name for his application 'DerickHelloKeyVault' and chooses the type WEB APPLICATION. He clicks the arrow at the bottom to go to the next screen.

It asks him for a couple of URIs. The sign-on URI is relevant if the application has a sign-on page for users. This sample application does not have one, so we can enter any value there. In the App ID URI, Derick enters a URI that is unique within his organization. The corresponding site does not need to exist, the URI is just a label that uniquely identifies the application in the organization’s directory.

Now that the application is added, he goes to the CONFIGURE TAB.

He scrolls down to find the application’s CLIENT ID, also known as App ID. He notes this down.

 

He also creates a new client secret that will be used by the application as a credential to sign in to Azure AD. In the portal this secret is called ‘keys’ – this has no relation to key vaults! He chooses an expiry of one year, clicks SAVE at the bottom. He notes down the generated secret, highlighted in the screen below.

 

At this point he has an identity and a credential for his application.



Create and configure a key vault

Let’s get back to key vaults. During this preview, the management interface to Azure Key Vault is Azure PowerShell. Derick installs the latest Azure PowerShell (1.0.1 or higher). He signs in, using the cmdlet Login-AzureRmAccount.

PS C:\> Login-AzureRmAccount

Environment           : AzureCloud
Account               : Derick@TreyCorpUSA.onmicrosoft.com
TenantId              : 51c8149f-9cf0-4693-b38e-4e1b028d534c
SubscriptionId        : 50e645f3-0cfe-4f91-aea5-fb03fe0a1f40
CurrentStorageAccount :

PS C:\>

All Azure resources created via the Azure Resource Manager must be contained in resource groups. So Derick creates a new resource group called DerickDevRG to house the key vault he is going to create next.

PS C:\> New-AzureRmResourceGroup -Name DerickDevRG -Location 'West Europe'

ResourceGroupName : DerickDevRG
Location          : westeurope
ProvisioningState : Succeeded
Tags              :
ResourceId        : /subscriptions/50e645f3-0cfe-4f91-aea5-fb03fe0a1f40/resourceGroups/DerickDevRG


PS C:\>

Now he creates a new key vault called DerickKeyVault in West Europe. The “accessPolicies” section of the output shows the permissions. By default, Derick has permissions to create keys, delete keys, list keys, update keys, backup keys, restore keys, and get the public half of keys in this key vault. He also has permissions to do anything with secrets in this key vault.

PS C:\> New-AzureRmKeyVault -VaultName DerickKeyVault -ResourceGroupName DerickDevRG -Location 'West Europe'
 

Vault Name                       : DerickKeyVault
Resource Group Name              : DerickDevRG
Location                         : West Europe
Resource ID                      : /subscriptions/50e645f3-0cfe-4f91-aea5-fb03fe0a1f40/resourceGroups/DerickDevRG/provi
                                   ders/Microsoft.KeyVault/vaults/DerickKeyVault
Vault URI                        : https://DerickKeyVault.vault.azure.net
Tenant ID                        : 51c8149f-9cf0-4693-b38e-4e1b028d534c
SKU                              : Standard
Enabled For Deployment?          : False
Enabled For Template Deployment? : False
Enabled For Disk Encryption?     : False
Access Policies                  :
                                   Tenant ID                :    51c8149f-9cf0-4693-b38e-4e1b028d534c
                                   Object ID                :    d185ba80-22d4-44e4-b8db-465e2fe75c9e
                                   Application ID           :
                                   Display Name             :    Derick Devereux (Derick@TreyCorpUSA.onmicrosoft.com)
                                   Permissions to Keys      :    get, create, delete, list, update, import, backup,
                                   restore
                                   Permissions to Secrets   :    all

Tags                             :


PS C:\>

Derick can authorize other users and applications. In this case he has created the key vault for himself, so he does not need to authorize any other users. He does need to authorize the instance of the HelloKeyVault application that he just registered in Azure AD. He does this as shown next. In the ServicePrincipalName parameter, he passes in the CLIENT ID that he noted down when registering the application in Azure AD. He grants this application permission to encrypt, decrypt, wrap, and unwrap with keys in the key vault. The Set-AzureRmKeyVaultAccessPolicy cmdlet runs silently (no output) if it runs successfully. Derick runs the 'Get-AzureRmKeyVault' command to confirm permissions.

PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName 'DerickKeyVault' -ServicePrincipalName 'fde2b411-33d5-4e11-af04-eb07b669ccf2' -PermissionsToSecrets get -PermissionsToKeys wrapKey,unwrapKey,decrypt,encrypt
PS C:\> Get-AzureRmKeyVault -VaultName 'DerickKeyVault'

Vault Name                       : DerickKeyVault
Resource Group Name              : DerickDevRG
Location                         : West Europe
Resource ID                      : /subscriptions/50e645f3-0cfe-4f91-aea5-fb03fe0a1f40/resourceGroups/DerickDevRG/provi
                                   ders/Microsoft.KeyVault/vaults/DerickKeyVault
Vault URI                        : https://derickkeyvault.vault.azure.net/
Tenant ID                        : 51c8149f-9cf0-4693-b38e-4e1b028d534c
SKU                              : Standard
Enabled For Deployment?          : False
Enabled For Template Deployment? : False
Enabled For Disk Encryption?     : False
Access Policies                  :
                                   Tenant ID                :    51c8149f-9cf0-4693-b38e-4e1b028d534c
                                   Object ID                :    d185ba80-22d4-44e4-b8db-465e2fe75c9e
                                   Application ID           :
                                   Display Name             :    Derick Devereux (Derick@TreyCorpUSA.onmicrosoft.com)
                                   Permissions to Keys      :    get, create, delete, list, update, import, backup,
                                   restore
                                   Permissions to Secrets   :    all

                                   Tenant ID                :    51c8149f-9cf0-4693-b38e-4e1b028d534c
                                   Object ID                :    766450f4-715f-4e24-8b5c-d78d77900e21
                                   Application ID           :
                                   Display Name             :    DerickHelloKeyVault (http://DerickHelloKeyVault)
                                   Permissions to Keys      :    wrapKey, unwrapKey, decrypt, encrypt
                                   Permissions to Secrets   :    get

Tags                             :

PS C:\>

Derick sees two sets of permissions. The first is for himself. The second is for his application, "DerickHelloKeyVault".

Finally, he adds a key. Since this is not a production deployment, he specifies a Destination of ‘Software’. This creates a software-protected key. Operations on software-protected keys happen on Azure VMs (as opposed to operations on HSM-protected keys, which happen on an HSM.)

PS C:\> Add-AzureKeyVaultKey -VaultName DerickKeyVault -Name DerickRSAKey1 -Destination Software

Attributes : Microsoft.Azure.Commands.KeyVault.Models.KeyAttributes
Key        : {"kid":"https://derickkeyvault.vault.azure.net/keys/DerickRSAKey1/f3ade24c46674c118b99f4b6ac0ab6a4","kty":
             "RSA","key_ops":["encrypt","decrypt","sign","verify","wrapKey","unwrapKey"],"n":"q1VAUkIeh60_zhUgMeJr3XCpg
             3uviNDccFnsEOpzgOQRrMZCxbArFG7g2sYwljp6r4cZ2X–Bj6e0UUMKdlahMiHt0W4Pkz28Zp3s37E5SxuYPTrTM87ixNQFECDgj7x-Ue
             EeTkAyXICaqFmI1pjLOTmqYCKkS0-3RG8oQcbv1Zcxdlima_yr4nLnDf2a-8aWEpxgVUYRBzIADKdSoToAEPqaz8daJmBL2_1YedwPsd_M
             BSFzRqfANdxPydKiQoSJ5-l7HvxVaQHsrgOO3OQiphRw4WKJhm1Vatws7xoUahBzHRVFNMMK84ce5fywdMB7Pu0Sgl0_VhxhQ2n2Gt8DQ"
             ,"e":"AQAB"}
VaultName  : derickkeyvault
Name       : DerickRSAKey1
Version    : f3ade24c46674c118b99f4b6ac0ab6a4
Id         : https://derickkeyvault.vault.azure.net:443/keys/DerickRSAKey1/f3ade24c46674c118b99f4b6ac0ab6a4

PS C:\>

Configure and run application

He downloads the Hello Key Vault sample application. In the app.config file he adds the URI of his key vault, and the CLIENT ID and secret that he noted down when he registered his application in Azure AD. He then compiles the application.

He runs the application. He specifies parameters ‘encrypt’ and ‘decrypt’. Doing this makes the Hello Key Vault execute only those operations against the vault. The application signs in to Azure AD, then uses that token to authenticate to Azure Key Vault.

The scenario from the first post

Now that you have seen the basic flow, let’s use the building blocks to stitch together the real-world business problem mentioned in the first post in this blog. In that scenario, Contoso discovered that their LOB application is not as secure as they thought. They decided to move all keys into a key vault, instead of being packaged with the application. Contoso outsources all development.

When the outsourced developers build and test the application, they follow exactly the steps shown above for Derick. They do this with subscriptions belonging to them. They register (the test instances of) their application in their own Azure AD tenant.

When the outsourced developers are done, Contoso’s IT department takes the application for a test drive. The difference is that Contoso’s IT now registers the application in Contoso’s Azure AD tenant. They also create a key vault in their own Azure subscription.

If this test drive succeeds, they decide to move the application to production. The difference in this step is:

  • To reduce exposure to keys, Contoso's CSO Cecil is the one who creates a key vault. He does this in a subscription reserved for that class of assets.
  • To meet his organization's compliance rules, Cecil creates an HSM-protected key. To do this he must created a Premium SKU key vault.

PS C:\> New-AzureRmResourceGroup -Name 'TreyPayrollRG' -Location 'West Europe'
VERBOSE: 09:36:59 AM – Created resource group 'DerickDevRG' in location 'westeurope'

ResourceGroupName : TreyPayrollRG
Location          : westeurope
ProvisioningState : Succeeded
Tags              :
Permissions       :
                    Actions NotActions
                    ======= ==========
                    *

ResourceId        : /subscriptions/50e64f3-0cfe-4f91-aea5-fb03fe0a1f40/resourceGroups/TreyPayrollRG

PS C:\>PS C:\> New-AzureRmKeyVault -VaultName 'TreyPayrollVault' -ResourceGroupName 'TreyPayrollRG' -Location 'West Europe' -SKU Premium

Vault Name              : TreyPayrollVault
Resource Group Name     : TreyPayrollRG
Location                : West Europe
Resource ID             : /subscriptions/50e64f3-0cfe-4f91-aea5-fb03fe0a1f40/resourceGroup
s/TreyPayrollRG/providers/Microsoft.KeyVault/vaults/TreyPayrollVault
Vault URI               : https://treypayrollvault.vault.azure.net
Tenant ID               : 51c8149f-9cf0-4693-b38e-4e1b028d534c
SKU                     : Standard
Enabled For Deployment? : False
Access Policies         :
                          Tenant ID : 51c8149f-9cf0-4693-b38e-4e1b028d534c
                          Object ID : 1869357a-74ae-46c4-92a5-c5c3c0ff824d
                          Display Name : Derick Developer (cecil@TreyCorpUSA.onmicrosoft.com)
                          Permissions to Keys : get, create, delete, list, update, import, backup, restore
                          Permissions to Secrets : all

Tags :

PS C:\>

 

He authorizes the app. To keep this example simple, we show him authorizing Derick's instance of the app. In reality Cecil will insist on a new deployment in a subscription that is tightly controlled.

Cecil also adds an HSM-protected key.

PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName 'TreyPayrollVault' -ServicePrincipalName 'fde2b411-33d5-4e11-af04-eb07b669ccf2' -PermissionsToSecrets get -PermissionsToKeys wrapKey,unwrapKey,decrypt,encrypt

PS C:\> Add-AzureKeyVaultKey -VaultName 'TreyPayrollVault' -Name 'TreyPayrollMasterKey' -Destination HSM

Attributes : Microsoft.Azure.Commands.KeyVault.Models.KeyAttributes
Key        : {"kid":"https://treypayrollvault.vault.azure.net/keys/TreyPayrollMasterKey/f5c600ff19744fbe910d99b86816e30
              2","kty":"RSA-HSM","key_ops":["encrypt","decrypt","sign","verify","wrapKey","unwrapKey"],"n":"oJwC4zTaLRM
              eNGhMDRxhBT6suzf6jyR4pC8FjmEUdTien49rUC4nDbvQzPZuMh94rV98sI0bmSjeA-7OD3INIfFZFkWMykpzRMyWOY8uEoCbnb7FPJ5J
              I_namH1mLX3LMRyGD_Spb7mvsn45lRKHztDr9wqcAq_MAyT43JUseLhkx5LyUO7roHIYBV5uO9dqOGOJHBwMIqVYrQjb_DgnPKB3tZeA1
              r288oOTbad0eMg0PPP2BfS2eKN1e7tVNyDqi8AMorAGheGuOOGXmijUHGIDYKuZ4MAuwtCn09rIOD9xzwwBS46cSmLzN8aTzmSnXZIkGV
              RY0iDTYvCtm5Z7NQ","e":"AAEAAQ"}
VaultName  : treypayrollvault
Name       : TreyPayrollMasterKey
Version    : f5c600ff19744fbe910d99b86816e302
Id         : https://treypayrollvault.vault.azure.net:443/keys/TreyPayrollMasterKey/f5c600ff19744fbe910d99b86816e302

Finally, he passes the URI of the key (or for some applications, the URI of the key vault) to the IT professional who is deploying the application. That application now is managed by the app operator, but at runtime uses the key vault created by the CSO. The keys in the key vault are out of sight for the application.

In closing

We showed the basic flow of creating a key vault, adding keys, and authorizing applications to use those keys. In an upcoming blog post, Sunil will show how to build on this to enable Transparent Data Encryption in SQL Server with keys in a key vault.

Keep watching this blog space. We will share updates as they come along.

We are looking forward to your feedback. Please take a moment to send us feedback and to join our advisory board. Your feedback is key (pun intended!) to making this service meet your needs in Azure!

Cheers,

Sumedh and Amit on behalf of the Azure Key Vault team.

Comments (6)

  1. Hi JD, can you past this message into an email and send to azurekeyvault@microsoft.com. There are a few other paths we can suggest after a bit of back and forth.

  2. JD says:

    Sumedh,

    Thank you for the primer.

    I have been over all of the API docs (REST and C# library) and will be jumping into this first thing on Monday. I recently spun up a proof of concept document encryption service that individually encrypts documents by generating unique, one time use symmetric
    keys using Stefan Gordon’s Azure Encryption Extensions (https://github.com/stefangordon/azure-encryption-extensions). Each document that is uploaded to the service is encrypted and stored
    in blob storage and then the newly generated key is stored in a separate storage account.

    When decryption is required, a call into the services by an authenticated service (resource owner bearer token) retrieves the key and blob and decrypts them.

    My biggest exposure is in the web.config where my storage keys are exposed and there is certainly an opportunity for storing them in secrets, but I was curious how I may be able to better leverage key vault for the encryption, and/or key wrapping.

    The files in question can reach up to 50MB in size.

    Any thoughts?

    Kind Regards,

    JD

  3. JD says:

    Dan,

    I found the team forums after leaving this comment. Amit and I have a dialog going here:

    https://social.msdn.microsoft.com/Forums/azure/en-US/e2969d03-e12d-4bfb-a127-41451e0defc7/key-vault-and-encryption?forum=AzureKeyVault

    Thanks,

    JD

  4. Anonymous says:

    Welcome!
    In our first blog Azure Key Vault – Making the cloud safer , we introduced you to the Azure

  5. Rahul P Nath says:

    There are a lot of steps missing in here. If anyone has come here looking to get started should probably go here

    http://azure.microsoft.com/en-us/documentation/articles/key-vault-get-started/

    Rahul
    http://www.rahulpnath.com

  6. Anonymous says:

    By Stephen Lewontin, Solution Architect
    In this week’s post I’m going to look at a recently introduced

Skip to main content