Encryption (Azure Key Vault, Certificates)

• Process of making data unreadable and unusable to unauthorized viewers.
• To use or read the encrypted data, it must be decrypted with a secret key.
• Last & strongest line of defense in a layered security strategy.

Encryption types

Symmetric encryption

• Uses the same key to encrypt and decrypt the data.
• E.g. a desktop password manager application like password orbit encrypts your passwords with your key (derived from your master password & key file). The same key is used when the data needs to be retrieved.

Asymmetric encryption

• Uses a public key and private key pair.
  • Either key can encrypt but a single key can’t decrypt its own encrypted data.
  • To decrypt, you need the paired key.
• Used for things like Transport Layer Security (TLS) (used in HTTPS) and data signing.

Encryption ways

Encryption at rest

• Encryption of data at rest
  • Data at rest = data that has been stored on a physical medium
    • e.g. server disk, database or storage account.
• Ensures that data is unreadable without decryption keys/secret
• E.g. if an attacker obtain a hard drive with encrypted data and did not have access to the encryption keys, the attacker would not compromise the data without great difficulty.
• 💡 Good to encrypt e.g.
  • critical financial information, intellectual properties, personal data about customers, employees data, even keys & secrets used for the encryption of the data itself.

Encryption in transit

• Data actively moving from one location to another
  • e.g. across the internet or through a private network.
• Protects the data from outside observers
  • Only the receiver has the secret key that can decrypt the data to a usable form.
• Secure transfer can be handled by several different layers.
  • e.g. in application layer = HTTPS
  • e.g. in network layer = secure channel like virtual private network (VPN)

Encryption on Azure

• For raw storages: Azure Storage Service Encryption
• For virtual machine disks: Azure Disk Encryption
• For databases: Transparent data encryption (TDE)
• For secrets: Azure Key Vault

Azure Storage Service Encryption

• Allows you encrypt raw storage.
• Automatically encrypts your data before persisting it to e.g. Azure Managed Disks, Azure Blob storage, Azure Files, or Azure Queue storage
  • and decrypts the data before retrieval.
• The handling of process is transparent to applications.
  • Encryption, encryption at rest, decryption, and key management

Azure Disk Encryption

• Helps you encrypt your Windows and Linux IaaS virtual machine disks.
• Uses BitLocker in Windows and the dm-crypt in Linux to provide volume encryption for the OS and data disks.
• Integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets
  • and you can use managed service identities for accessing Key Vault.

Transparent data encryption (TDE)

• Protection for:
  • Azure SQL Database: Enabled by default.
  • Azure Synapse Analytics
• Performs real-time encryption and decryption at rest of
  • the database
  • associated backups
  • transaction log files
• Uses a symmetric key called the database encryption key.
  • Bring your own key (BYOK) is also supported with keys stored in Azure Key Vault.

Azure Key Vault

• 📝 Stores & manages
  • Secrets: e.g. passwords, certificates, Application Programming Interface (API) keys, and other secrets.
  • Keys: create and control the encryption keys used to encrypt your data.
  • Certificates: provision, manage, and deploy your public and private SSL / TLS
    • You can create a policy that directs Key Vault to manage the life cycle of a certificate.
    • You can provide contact information for notification about life-cycle events of expiration and renewal of certificate.
    • You can automatically renew certificates with selected issuers
    • Read more on Azure certificates
• Keys/secrets can be either protected by software or hardware security modules (HSMs)
• Provides secure access, permission control (RBAC) & access logging.
• Simplifies administration e.g. easier to enroll/renew certs.
• Integrate with other Azure services e.g. storage accounts, container registries, event hubs…
  • Applications with managed service identities enabled can automatically and seamlessly acquire the secrets they need.

Azure certificates

Transport Layer Security (TLS)

• Basis for encryption of website data in transit.
• Uses certificates to encrypt and decrypt data.
  • have a life cycle that requires administrator management
  • expired TLS certificates open security vulnerabilities.
• Certificates used in Azure are x.509 v3 that can be y
  • signed by a trusted certificate authority
  • or self-signed
    • not trusted by default as signed by its own creator
    • good for development + testing
• Can contain a private or a public key
  • Keys have an identifiable thumbprint
    • used in the Azure configuration file to identify which certificate a cloud service should use.

Types of certificates

Service certificates

• Attached to a specific cloud service
  • Enables secure communication to and from the service.
  • E.g. if you deploy a web site, you would want to supply a certificate that can authenticate an exposed HTTPS endpoint.
  • Defined in your service definition =>
    • automatically deployed to the VM that is running an instance of your role.
• You can manage service certificates separately from your services
  • You can also upload service certificates to Azure
  • E.g. a developer could upload a service package that refers to a certificate that an IT manager has previously uploaded to Azure.
    • An IT manager can manage and renew that certificate (changing the configuration of the service) without needing to upload a new service package.
• To update a certificate, you don’t need to re-deploy a service package
  • Upload a new certificate
  • Change the thumbprint value in the service configuration file.

Management certificates

• Allow you to authenticate with the classic deployment model.
• Allows automation of configuration and deployment of some Microsoft / Azure services.
  • e.g. Visual Studio or the Azure SDK
• Are not related to cloud services.