Skip to the content.
Microsoft Azure Fundamentals
Encryption (Azure Key Vault, Certificates)
- Process of making data unreadable and unusable to unauthorized viewers.
- To use or read the encrypted data, it must be decrypted with a secret key.
- Last & strongest line of defense in a layered security strategy.
Encryption types
Symmetric encryption
- Uses the same key to encrypt and decrypt the data.
- E.g. a desktop password manager application like password orbit encrypts your passwords with your key (derived from your master password & key file). The same key is used when the data needs to be retrieved.
Asymmetric encryption
- Uses a public key and private key pair.
- Either key can encrypt but a single key can’t decrypt its own encrypted data.
- To decrypt, you need the paired key.
- Used for things like Transport Layer Security (TLS) (used in HTTPS) and data signing.
Encryption ways
Encryption at rest
- Encryption of data at rest
- Data at rest = data that has been stored on a physical medium
- e.g. server disk, database or storage account.
- Ensures that data is unreadable without decryption keys/secret
- E.g. if an attacker obtain a hard drive with encrypted data and did not have access to the encryption keys, the attacker would not compromise the data without great difficulty.
- 💡 Good to encrypt e.g.
- critical financial information, intellectual properties, personal data about customers, employees data, even keys & secrets used for the encryption of the data itself.
Encryption in transit
- Data actively moving from one location to another
- e.g. across the internet or through a private network.
- Protects the data from outside observers
- Only the receiver has the secret key that can decrypt the data to a usable form.
- Secure transfer can be handled by several different layers.
- e.g. in application layer = HTTPS
- e.g. in network layer = secure channel like virtual private network (VPN)
Encryption on Azure
Azure Storage Service Encryption
- Allows you encrypt raw storage.
- Automatically encrypts your data before persisting it to e.g. Azure Managed Disks, Azure Blob storage, Azure Files, or Azure Queue storage
- and decrypts the data before retrieval.
- The handling of process is transparent to applications.
- Encryption, encryption at rest, decryption, and key management
Azure Disk Encryption
- Helps you encrypt your Windows and Linux IaaS virtual machine disks.
- Uses BitLocker in Windows and the dm-crypt in Linux to provide volume encryption for the OS and data disks.
- Integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets
Transparent data encryption (TDE)
- Protection for:
- Azure SQL Database: Enabled by default.
- Azure Synapse Analytics
- Performs real-time encryption and decryption at rest of
- the database
- associated backups
- transaction log files
- Uses a symmetric key called the database encryption key.
- Bring your own key (BYOK) is also supported with keys stored in Azure Key Vault.
Azure Key Vault
- 📝 Stores & manages
- Secrets: e.g. passwords, certificates, Application Programming Interface (API) keys, and other secrets.
- Keys: create and control the encryption keys used to encrypt your data.
- Certificates: provision, manage, and deploy your public and private SSL / TLS
- You can create a policy that directs Key Vault to manage the life cycle of a certificate.
- You can provide contact information for notification about life-cycle events of expiration and renewal of certificate.
- You can automatically renew certificates with selected issuers
- Read more on Azure certificates
- Keys/secrets can be either protected by software or hardware security modules (HSMs)
- Provides secure access, permission control (RBAC) & access logging.
- Simplifies administration e.g. easier to enroll/renew certs.
- Integrate with other Azure services e.g. storage accounts, container registries, event hubs…
Azure certificates
Transport Layer Security (TLS)
- Basis for encryption of website data in transit.
- Uses certificates to encrypt and decrypt data.
- have a life cycle that requires administrator management
- expired TLS certificates open security vulnerabilities.
- Certificates used in Azure are x.509 v3 that can be y
- signed by a trusted certificate authority
- or self-signed
- not trusted by default as signed by its own creator
- good for development + testing
- Can contain a private or a public key
- Keys have an identifiable thumbprint
- used in the Azure configuration file to identify which certificate a cloud service should use.
Types of certificates
Service certificates
- Attached to a specific cloud service
- Enables secure communication to and from the service.
- E.g. if you deploy a web site, you would want to supply a certificate that can authenticate an exposed HTTPS endpoint.
- Defined in your service definition =>
- automatically deployed to the VM that is running an instance of your role.
- You can manage service certificates separately from your services
- You can also upload service certificates to Azure
- E.g. a developer could upload a service package that refers to a certificate that an IT manager has previously uploaded to Azure.
- An IT manager can manage and renew that certificate (changing the configuration of the service) without needing to upload a new service package.
- To update a certificate, you don’t need to re-deploy a service package
- Upload a new certificate
- Change the thumbprint value in the service configuration file.
Management certificates
- Allow you to authenticate with the classic deployment model.
- Allows automation of configuration and deployment of some Microsoft / Azure services.
- e.g. Visual Studio or the Azure SDK
- Are not related to cloud services.