
With Azure Key Vault, cloud security no longer up in air

Admins with an Azure subscription can use Azure Key Vault to protect and encrypt keys and data. Here's how to set it up with PowerShell.

One of the biggest arguments against the use of cloud services has been a dubious level of security. But as cloud services evolve, providers have taken steps to make services as secure as possible. Microsoft also took a step to secure Azure cloud services with Azure Key Vault.

Azure Key Vault is a digital vault for storing cryptographic keys and data in an encrypted format. The keys, which are invoked through a uniform resource identifier (URI), can be used to sign or encrypt cloud-based applications. This means keys can be referenced without having to be removed from the digital vault.

Microsoft makes it relatively easy to get started with Azure Key Vault; however, the key vault does have to be set up through PowerShell. The first thing you will have to do is log in to your Azure account from PowerShell and connect to the Azure subscription. The commands to do this are:

Select-AzureSubscription -SubscriptionName '<your subscription name>'

Once connected to the subscription, use Azure Resource Manager to create a resource group and a key vault. The commands to do so are:

Switch-AzureMode AzureResourceManager

New-AzureResourceGroup -Name '<your resource group name>' -Location '<your region>'

New-AzureKeyVault -VaultName '<your vault name>' -ResourceGroupName '<your resource group name>' -Location '<your region>'

Notice that, in this command set, the key vault is a named resource; it must be created within a resource group, which is also a named resource.

What to store in the Azure Key Vault

Microsoft Azure administrators aren't limited to using a single key; they can upload or create multiple keys. In addition, they're not limited to storing keys in the key vault; the key vault can also store secrets.

Creating and using keys in Azure Key Vault

To create and use keys within the Azure security tool, you can either use PowerShell to generate a key, or, if you already have a key that exists in PFX format, upload that key and use it. Once the key has been created or uploaded, it is referenced through a URI.

The PowerShell cmdlet used to add a key to the digital vault is Add-AzureKeyVaultKey, so you can create a key with this single line of code:

$Key = Add-AzureKeyVaultKey -VaultName '<your key vault name>' -Name '<your key name>' -Destination 'Software'

The Destination parameter in the previous command controls whether the key is protected by software or by a hardware security module (HSM). If you prefer to create an HSM-protected key, set the Destination parameter to HSM.

If you prefer to import an existing key, you will need to use two lines of code. The first line of code converts the key's password to a secure string; the second line of code specifies the key's file name and then imports the key into the digital vault. The required lines of code for this are as follows:

# Convert the PFX password to a SecureString (single quotes cannot contain an unescaped apostrophe)
$SecureFXPwd = ConvertTo-SecureString -String '<the PFX password>' -AsPlainText -Force

# Import the PFX file into the vault under the chosen key name
$Key = Add-AzureKeyVaultKey -VaultName '<your vault name>' -Name '<the name by which you want to call your key>' -KeyFilePath '<the path and filename to the key that you want to upload>' -KeyFilePassword $SecureFXPwd

Once a key has been created or uploaded, that key is referenced through a URI. It is usually easiest to document the URI when the key is created, although, it is possible to get the URI later.

The commands above assign the key object to a variable called $Key. Retrieving the key's URI from it, as $Key.Key.Kid, requires that the variable still be in scope. If you want to get a key's URI after the session has ended, or after you have created additional keys, you must use a different method.
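The following script, added here as an example and not taken from the original article, strings the steps above together with the classic Azure PowerShell cmdlets the article uses. All names and paths are placeholders; it assumes Get-AzureKeyVaultKey is available from the same module as Add-AzureKeyVaultKey, and it reads the PFX password with Read-Host instead of embedding it as plain text.

```powershell
# Added example, not the article's own code. Placeholder values throughout.
$SubscriptionName = 'My Subscription'      # placeholder
$ResourceGroup    = 'kv-demo-rg'           # placeholder
$Location         = 'West US'              # placeholder
$VaultName        = 'kv-demo-vault'        # placeholder; vault names must be globally unique
$KeyName          = 'app-signing-key'      # placeholder
$PfxPath          = 'C:\certs\app.pfx'     # placeholder; import step runs only if the file exists

# Connect to the subscription, then switch to Resource Manager mode.
Select-AzureSubscription -SubscriptionName $SubscriptionName
Switch-AzureMode AzureResourceManager

# The vault is a named resource inside a resource group, so create the group first.
New-AzureResourceGroup -Name $ResourceGroup -Location $Location
New-AzureKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup -Location $Location

# Generate a software-protected key in the vault.
# Use -Destination 'HSM' to keep the key material inside a hardware security module.
$Key = Add-AzureKeyVaultKey -VaultName $VaultName -Name $KeyName -Destination 'Software'

# Optionally import an existing PFX. Prompting for the password as a SecureString
# keeps it out of the script file and the console history.
if (Test-Path $PfxPath) {
    $PfxPwd = Read-Host -Prompt 'PFX password' -AsSecureString
    $ImportedKey = Add-AzureKeyVaultKey -VaultName $VaultName -Name "$KeyName-imported" `
        -KeyFilePath $PfxPath -KeyFilePassword $PfxPwd
    Write-Output "Imported key URI: $($ImportedKey.Key.Kid)"
}

# Record the key URI while $Key is still in scope...
Write-Output "Key URI: $($Key.Key.Kid)"

# ...or look it up by name later (for example in a new session) without the variable.
# Assumption: Get-AzureKeyVaultKey ships alongside Add-AzureKeyVaultKey.
$LookedUp = Get-AzureKeyVaultKey -VaultName $VaultName -Name $KeyName
Write-Output "Key URI (looked up): $($LookedUp.Key.Kid)"
```

Applications should hold only the URI printed here and call the vault for signing or encryption, so the key material itself never leaves the vault.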
