Skip to content

Latest commit

 

History

History
132 lines (103 loc) · 6.56 KB

4.5. Encryption (Azure Key Vault, Certificates).md

File metadata and controls

132 lines (103 loc) · 6.56 KB

Encryption (Azure Key Vault, Certificates)

  • Process of making data unreadable and unusable to unauthorized viewers.
  • To use or read the encrypted data, it must be decrypted with a secret key.
  • Last & strongest line of defense in a layered security strategy.

Encryption types

Symmetric encryption

  • Uses the same key to encrypt and decrypt the data.
  • E.g. a desktop password manager application like password orbit encrypts your passwords with your key (derived from your master password & key file). The same key is used when the data needs to be retrieved.

Asymmetric encryption

  • Uses a public key and private key pair.
    • Either key can encrypt but a single key can't decrypt its own encrypted data.
    • To decrypt, you need the paired key.
  • Used for things like Transport Layer Security (TLS) (used in HTTPS) and data signing.

Encryption ways

Encryption at rest

  • Encryption of data at rest
    • Data at rest = data that has been stored on a physical medium
      • e.g. server disk, database or storage account.
  • Ensures that data is unreadable without decryption keys/secret
  • E.g. if an attacker obtain a hard drive with encrypted data and did not have access to the encryption keys, the attacker would not compromise the data without great difficulty.
  • 💡 Good to encrypt e.g.
    • critical financial information, intellectual properties, personal data about customers, employees data, even keys & secrets used for the encryption of the data itself.

Encryption in transit

  • Data actively moving from one location to another
    • e.g. across the internet or through a private network.
  • Protects the data from outside observers
    • Only the receiver has the secret key that can decrypt the data to a usable form.
  • Secure transfer can be handled by several different layers.
    • e.g. in application layer = HTTPS
    • e.g. in network layer = secure channel like virtual private network (VPN)

Encryption on Azure

Azure Storage Service Encryption

  • Allows you encrypt raw storage.
  • Automatically encrypts your data before persisting it to e.g. Azure Managed Disks, Azure Blob storage, Azure Files, or Azure Queue storage
    • and decrypts the data before retrieval.
  • The handling of process is transparent to applications.
    • Encryption, encryption at rest, decryption, and key management

Azure Disk Encryption

  • Helps you encrypt your Windows and Linux IaaS virtual machine disks.
  • Uses BitLocker in Windows and the dm-crypt in Linux to provide volume encryption for the OS and data disks.
  • Integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets

Transparent data encryption (TDE)

  • Protection for:
    • Azure SQL Database: Enabled by default.
    • Azure Synapse Analytics
  • Performs real-time encryption and decryption at rest of
    • the database
    • associated backups
    • transaction log files
  • Uses a symmetric key called the database encryption key.
    • Bring your own key (BYOK) is also supported with keys stored in Azure Key Vault.

Azure Key Vault

  • 📝 Stores & manages
    • Secrets: e.g. passwords, certificates, Application Programming Interface (API) keys, and other secrets.
    • Keys: create and control the encryption keys used to encrypt your data.
    • Certificates: provision, manage, and deploy your public and private SSL / TLS
      • You can create a policy that directs Key Vault to manage the life cycle of a certificate.
      • You can provide contact information for notification about life-cycle events of expiration and renewal of certificate.
      • You can automatically renew certificates with selected issuers
      • Read more on Azure certificates
  • Keys/secrets can be either protected by software or hardware security modules (HSMs)
  • Provides secure access, permission control (RBAC) & access logging.
  • Simplifies administration e.g. easier to enroll/renew certs.
  • Integrate with other Azure services e.g. storage accounts, container registries, event hubs...

Azure certificates

Transport Layer Security (TLS)
  • Basis for encryption of website data in transit.
  • Uses certificates to encrypt and decrypt data.
    • have a life cycle that requires administrator management
    • expired TLS certificates open security vulnerabilities.
  • Certificates used in Azure are x.509 v3 that can be y
    • signed by a trusted certificate authority
    • or self-signed
      • not trusted by default as signed by its own creator
      • good for development + testing
  • Can contain a private or a public key
    • Keys have an identifiable thumbprint
      • used in the Azure configuration file to identify which certificate a cloud service should use.
Types of certificates
Service certificates
  • Attached to a specific cloud service
    • Enables secure communication to and from the service.
    • E.g. if you deploy a web site, you would want to supply a certificate that can authenticate an exposed HTTPS endpoint.
    • Defined in your service definition =>
      • automatically deployed to the VM that is running an instance of your role.
  • You can manage service certificates separately from your services
    • You can also upload service certificates to Azure
    • E.g. a developer could upload a service package that refers to a certificate that an IT manager has previously uploaded to Azure.
      • An IT manager can manage and renew that certificate (changing the configuration of the service) without needing to upload a new service package.
  • To update a certificate, you don't need to re-deploy a service package
    • Upload a new certificate
    • Change the thumbprint value in the service configuration file.
Management certificates
  • Allow you to authenticate with the classic deployment model.
  • Allows automation of configuration and deployment of some Microsoft / Azure services.
    • e.g. Visual Studio or the Azure SDK
  • Are not related to cloud services.