When I add a custom connect configuration, I also want to include the HMAC signature.
connectCustomConfiguration.IncludeHMAC = "true"
Is there a way to create and get a connect key when adding a connect?
The functionality to generate an HMAC key programmatically is in active development now. Details should be available in the next few months. Keep an eye on release notes until then!
I want to programmatically regenerate the symmetric key (primary and secondary keys) in group enrollments of Azure DPS, there is an API provided by azure in the link.
I used this github repo and was able to run it.
I used the API but it returned 404 not found.
I used the mentioned github repo and was able to get the instance of an enrollment group.
Now I want a way to regenerate the keys for the current group, but there seems to be no function that would allow that.
One way is to change (redo) the attestation, which in return will change the symmetric keys, but I have not found a way yet.
If anyone could help me, that would be great.
There's no API specifically for regenerating group enrollment keys. However, you can use the CreateOrUpdateEnrollmentGroupAsync method to update an existing enrollment group, passing in a new set of keys. See: https://learn.microsoft.com/en-us/dotnet/api/microsoft.azure.devices.provisioning.service.provisioningserviceclient.createorupdateenrollmentgroupasync?view=azure-dotnet&viewFallbackFrom=azure-dotnet-preview
You will need to generate your new symmetric keys to pass in as part of the EnrollmentGroup parameter.
The following sample shows an example of using this method with an enrollment group that uses X.509 certs, but you should be able to easily modify it to use symmetric keys instead: https://github.com/Azure/azure-iot-sdk-csharp/tree/main/provisioning/service/samples/getting%20started/EnrollmentGroupSample
To generate a suitable key in Python, you could use the following:
from hashlib import sha256
from base64 import b64encode
s = 'mysecretkeyfordps'              # passphrase the key is derived from
h = sha256()
h.update(s.encode())
b64bytes = b64encode(h.digest())     # 32-byte digest, base64-encoded as DPS expects
print(b64bytes.decode())
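As an added example (not code from the answer above or from the Azure IoT SDK sample it links), the following Python generates fresh random group keys instead of hashing a passphrase, derives the per-device key the way DPS does for symmetric-key group enrollments (HMAC-SHA256 of the registration id under the base64-decoded group key), and builds the primary/secondary pair that would be passed in the EnrollmentGroup to CreateOrUpdateEnrollmentGroupAsync. The rotation pattern (old primary kept as new secondary) and the sample key are assumptions for this example.

```python
import base64
import hmac
import secrets
from hashlib import sha256

# Added example; not code from the original answer or from the Azure IoT SDK sample.
# Assumptions: group enrollment keys are base64 strings of random bytes, and a
# device's own key is HMAC-SHA256(group key, registration id), base64-encoded,
# which is how DPS derives per-device keys for symmetric-key group enrollments.


def generate_group_key(num_bytes: int = 32) -> str:
    """Return a fresh, cryptographically random symmetric key, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def validate_group_key(key_b64: str, min_bytes: int = 16) -> bool:
    """Check that a key is well-formed base64 and long enough to be useful."""
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except (ValueError, TypeError):
        return False
    return len(raw) >= min_bytes


def derive_device_key(group_key_b64: str, registration_id: str) -> str:
    """Derive the per-device key a device in the group presents to DPS."""
    group_key = base64.b64decode(group_key_b64)
    mac = hmac.new(group_key, registration_id.encode("utf-8"), sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def rotate_group_keys(current_primary_b64: str) -> dict:
    """Build the key pair to put in the EnrollmentGroup for an update call.

    The old primary is kept as the new secondary, so devices still holding keys
    derived from it keep provisioning until they are re-keyed; a later rotation
    retires it. (Rotation pattern assumed for this example.)
    """
    return {"primaryKey": generate_group_key(), "secondaryKey": current_primary_b64}


# Constructed sample group key (32 bytes) for demonstration only.
SAMPLE_GROUP_KEY = base64.b64encode(b"constructed-sample-group-key-32b").decode("ascii")

if __name__ == "__main__":
    new_keys = rotate_group_keys(SAMPLE_GROUP_KEY)
    print("new primary:", new_keys["primaryKey"])
    print("device-001 key:", derive_device_key(new_keys["primaryKey"], "device-001"))
```

Keys produced this way are indistinguishable from random, unlike a hash of a guessable passphrase, and the derived device keys can be pushed to devices before the old primary is retired from the secondary slot.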
I want to use Cosmos DB with C# code. A really important point is that data should stay encrypted at any point. So, as I understood, once the data is on the server, it's automatically encrypted by Azure by encryption at rest. But during the transportation, do I have to use a certificate, or is it automatically encrypted? I used this link to manage the database: https://learn.microsoft.com/fr-fr/azure/cosmos-db/create-sql-api-dotnet. My question is finally: Is there any risk to safety if I just follow this tutorial?
Thanks.
I think that's a great starting point.
Just one note: your data is only as secure as the access keys to the account, so, on top of encryption at rest and in transit, the Access Key is probably the most sensitive piece of information you need to protect.
My advice is to use a KeyVault to store the database access key rather than define them as environment variables. Combined with Managed Identity, your key will never leave the confines of the azure portal which makes it the most secure option. I'm not sure how you plan on deploying your code but more times than not I've seen those keys encoded in source code or in some configuration file that ends up exposed.
A while ago I wrote a step-by-step tutorial describing how to implement this. You can find my article here
I would suggest you follow the instructions mentioned here, and not even use access keys, because if they are accidentally exposed, no matter whether you have stored them in a Key Vault or not, your database is out there. Besides, if you want to use access keys, it is recommended to change the access keys periodically, which you then need to make automatic and known to your key vault; here it is described how you could automate that.
We want to migrate HSM keys from Thales payShield 9000 to Azure Key Vault. We would like to know if this migration is supported and, if supported, what's the migration approach and use cases where customers have already migrated to Azure. We have gone through the article https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/key-vault/key-vault-hsm-protected-keys.md; it talks about the Thales nShield family, but we are using https://www.thalesesecurity.com/products/payment-hsms/payshield-9000
Thanks in advance.
Excellent question, as Dan suggests you should contact Microsoft for clarification, but unfortunately I don't think it's possible.
Recapping, as I'm sure you are aware, the purpose of HSMs is so that the keys are not exportable.
Microsoft (and I assume Thales) supports key backup: https://learn.microsoft.com/en-us/rest/api/keyvault/backupkey but it can only be restored to the same geographical area.
In the article you supplied it mentions "Key Exchange Key" in each geographical area, which I assume will mean that Microsoft will be using a different key to that of another install of an HSM.
Having said this I'm not a general HSM expert, these are just links I have come across over time using KeyVault.
Please do contact Microsoft, as I would be interested if this is possible; please post an answer once you have heard back, or a Microsoft employee can perhaps answer directly.
On the Thales literature it states:
"With nShield BYOK for Microsoft Azure, your on-premises
nShield HSM generates, stores, wraps, and exports keys to the
Microsoft Azure Key Vault on your behalf"
http://go.thalesesecurity.com/rs/480-LWA-970/images/Thales-e-Security-Microsoft-Azure-UK-sb.pdf
Interestingly it says generates / stores, which suggests a pre-created key could be migrated. However, on the contrary, I'm guessing the export must happen using the "Key Exchange Key" and be stored on-prem and exported for Azure at the same time, not on-prem first, in the BYOK process.
This blog post has keyvault team's contact details if it helps: https://blog.romyn.ca/key-management-in-azure/
The migration of important keys that are encrypted under the current LMK on your Thales payShield on premises is a very straightforward process:
1- Use the console command GC to generate a new ZMK as clear-format components. This is done by using key type 000, which is the ZMK key type, and to choose the clear-format components option use the letter 'x' in the GC command steps.
2- Repeat the GC command above 3 times to generate 3 different plaintext-format components of the new ZMK.
3- Now, at your payShield 9000 HSM, use the console command FK, which means Form Key from components; the result is the new ZMK encrypted under the old LMK.
4- Use the command KE, which means Key Export, to export the important data encryption keys (DEK), such as a ZPK for example, which are encrypted under the old LMK, so that they become encrypted under the new ZMK. Note: in the KE command here use key type 001, which is the ZPK key type.
5- Now you need to manually distribute the same new ZMK to the other party that you are going to migrate to.
6- You can do this manual distribution of such an important key (the new ZMK) by sending the 3 different plaintext-format components, which you generated earlier in step 2, to three different security officers at your corporation; for security reasons, no one person can have all 3 components together.
7- On the other entity that you want to migrate your keys to, which is the Microsoft Azure Key Vault cloud service, Azure offers securing your keys in a hardware HSM environment of the nShield type, which is a general-purpose HSM and is not specific to payment transactions like the Thales payShield HSM.
8- Refer to the Microsoft Azure Key Vault documents to learn how to form the new ZMK from the 3 different plaintext-format components that you generated before, and refer to the nShield manuals also to check the command which is responsible for importing keys.
9- Now your important keys, such as the ZPK which was exported under the new ZMK, are imported under the same ZMK and finally stored encrypted under the new LMK of your nShield-provided cloud service.
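The component steps above (GC to generate clear components, FK to form the key from them, and the split-knowledge distribution in step 6) rest on one piece of arithmetic: each component is a random key-sized value with DES odd parity, and the key is the XOR of all of them, so any set of components short of the full set carries no information about the key. The following Python is an added illustration of that arithmetic; it is not a payShield or nShield command, the sample components are constructed, and the restriction to an odd number of components (so that odd parity survives the XOR) is a simplification of this example.

```python
import secrets
from functools import reduce

# Added example; not code from the original answer nor a payShield/nShield command.
# Models the GC (generate component) and FK (form key from components) steps:
# components are random, odd-parity, key-sized values; the key is their XOR.

KEY_LENGTHS = (8, 16, 24)  # single-, double- and triple-length DES keys, in bytes


def has_odd_parity(byte: int) -> bool:
    return bin(byte).count("1") % 2 == 1


def force_odd_parity(data: bytes) -> bytes:
    """Flip the least significant bit of any byte whose parity is even."""
    return bytes(b if has_odd_parity(b) else b ^ 0x01 for b in data)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def check_component(component_hex: str) -> bytes:
    """Validate one clear component: hex, DES key length, odd parity on every byte."""
    data = bytes.fromhex(component_hex)
    if len(data) not in KEY_LENGTHS:
        raise ValueError(f"component must be one of {KEY_LENGTHS} bytes, got {len(data)}")
    bad = [i for i, b in enumerate(data) if not has_odd_parity(b)]
    if bad:
        raise ValueError(f"parity error in byte(s) {bad}")
    return data


def form_key_from_components(components: list) -> str:
    """The FK step: XOR all clear components into the key; returns upper-case hex."""
    parts = [check_component(c) for c in components]
    if len({len(p) for p in parts}) != 1:
        raise ValueError("components must all be the same length")
    if len(parts) % 2 == 0:
        raise ValueError("use an odd number of components so odd parity is preserved")
    return reduce(_xor, parts).hex().upper()


def split_key_into_components(key_hex: str, n: int = 3) -> list:
    """The GC step run n times: n-1 random odd-parity components plus one that
    XORs with them to the key. Each security officer receives exactly one entry."""
    key = check_component(key_hex)
    if n % 2 == 0:
        raise ValueError("use an odd number of components so odd parity is preserved")
    parts = [force_odd_parity(secrets.token_bytes(len(key))) for _ in range(n - 1)]
    last = reduce(_xor, parts + [key])
    return [p.hex().upper() for p in parts + [last]]


# Constructed sample: three double-length (16-byte) components, all odd parity.
SAMPLE_COMPONENTS = [
    "01020407081013160102040708101316",
    "19191919191919191919191919191919",
    "23232323232323232323232323232323",
]

if __name__ == "__main__":
    key = form_key_from_components(SAMPLE_COMPONENTS)
    print("formed key:", key)
    print("re-split  :", split_key_into_components(key))
```

Because every component is uniformly random and independent of the others, two officers pooling their components learn nothing more than one officer alone; only the full set, entered at the HSM console, yields the key.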
I am using Algolia search for a prototype and trying to figure out how to have security implemented (only users with an account can have the ability to update/create an index).
Application has no back end and uses firebase and firestore only
I am planning to implement google authentication in it
Now the question is how to implement security for algolia without the back end
I have read in the Algolia documentation that API keys can be generated for users, but then how to make sure they don't leak, and how to generate them automatically when users log in, for example?
I have limited knowledge related to cryptography, API keys and handshakes, so I do not have any clear view of how this should be done without a back end.
Anyone came across similar issues and/or ways to tackle this?
Always use a "Search-Only API Key" for the client side. And for security, you can generate a new "Search-Only API Key" and kill the old keys (you can automate this key generation using the Admin Key).
We recommend using Search-Only API Keys for keys that are going to be exposed on the front-end side.
However, if you need to provide user-specific keys to let your own users interact with your Algolia indices, you could probably benefit from our Secured API Keys that can be generated on-demand via the backend (not sure it could fit with your use case though). Here is the official documentation for this feature: https://www.algolia.com/doc/guides/security/api-keys/#secured-api-keys.
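To make the Secured API Key idea from the answer above concrete, here is an added Python example (not code from the answers or from Algolia's client libraries) of what a backend does when a signed-in user asks for a key: it signs a set of restrictions (a filter pinning results to that user's documents, an index restriction, and an expiry) with HMAC-SHA256 under a Search-Only parent key, and it can decode a key it handed out to confirm the restrictions and signature. The construction, base64 of the hex HMAC followed by the query string, follows Algolia's documented format; the flat urlencode serialization, the index name and the parent key value are assumptions of this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Added example; not code from the original answers or from Algolia's clients.
# Secured API Key = base64( hex(HMAC-SHA256(parent_key, query_string)) + query_string )
# Simplification assumed: restrictions are flat key/value pairs serialized with
# urlencode in sorted order.


def generate_secured_api_key(parent_search_key: str, restrictions: dict) -> str:
    """Mint a user-scoped key on the server. parent_search_key must be a
    Search-Only key, never the Admin key."""
    query = urlencode(sorted(restrictions.items()))
    signature = hmac.new(parent_search_key.encode("utf-8"),
                         query.encode("utf-8"), hashlib.sha256).hexdigest()
    return base64.b64encode((signature + query).encode("utf-8")).decode("ascii")


def inspect_secured_api_key(secured_key: str, parent_search_key: str, now: int) -> dict:
    """Decode a secured key, recompute its signature and report its restrictions.

    Lets the server confirm that a key it issued carries the intended filters
    and has not been altered or expired."""
    decoded = base64.b64decode(secured_key).decode("utf-8")
    signature, query = decoded[:64], decoded[64:]   # hex SHA-256 is 64 chars
    expected = hmac.new(parent_search_key.encode("utf-8"),
                        query.encode("utf-8"), hashlib.sha256).hexdigest()
    restrictions = {k: v[0] for k, v in parse_qs(query).items()}
    valid_until = int(restrictions.get("validUntil") or 0)
    return {
        "signature_ok": hmac.compare_digest(signature, expected),
        "expired": bool(valid_until) and now > valid_until,
        "restrictions": restrictions,
    }


# Constructed sample value; the real parent key lives only on the server.
PARENT_SEARCH_KEY = "constructed-search-only-parent-key"


def key_for_user(user_id: str, now: int, ttl_seconds: int = 3600) -> str:
    """Key a signed-in user receives from the backend after authentication:
    searches only documents whose owner field matches the user, only in the
    allowed index (name assumed), and only for ttl_seconds."""
    restrictions = {
        "filters": f"owner:{user_id}",
        "restrictIndices": "prototype_index",
        "validUntil": now + ttl_seconds,
    }
    return generate_secured_api_key(PARENT_SEARCH_KEY, restrictions)


if __name__ == "__main__":
    key = key_for_user("user42", now=1_700_000_000)
    print(key)
    print(inspect_secured_api_key(key, PARENT_SEARCH_KEY, now=1_700_000_000))
```

The secured key is safe to hand to the browser because it cannot be used to change the filters (the signature would no longer verify) and it stops working after validUntil; the parent Search-Only key and the Admin key never leave the server.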
I need to encrypt some of the Sections/Parameter values in the settings.xml file in my service fabric application. We currently have a build process set up in TFS to kick off the build and want to incorporate the encryption of values in this process when we roll this out to production. I have read "Managing secrets in Service Fabric Applications" and it goes over the steps to encrypt:
Obtain a data encipherment certificate
Install the cert in your cluster
Encrypt the secret values when deploying the application with the cert and inject them into a service's settings.xml configuration file
Read the encrypted values out of the Settings.xml by decrypting with the same encipherment certificate.
I can see that we can override the parameters in the XML file using the MustOverride attribute and providing the name and value for the parameter in the ApplicationManifest.xml file.
Does anyone know how, or can link me to an article that explains how, to do this process in the TFS build process? I am looking for a one-click type of deployment that our deployment team (none of them programmers) can use to move this out to production. I understand what must be done; I just don't see the steps needed to modify our Service Fabric programs and build to utilize this process.
Here is how I was able to do the encryption and decryption in Service Fabric without the Azure Key Vault. Since the data we were encrypting was not changing the decision was to encrypt the values with the certificate and place the values into the correct xml files.
Generate or obtain an X.509 certificate. Make sure that the KeyUsage has "DataEncipherment" indicated; this is critical to encryption of data.
Get the thumbprint for the certificate. You can get this in your MMC certificates plugin.
Using PowerShell, encrypt the text using the Invoke-ServiceFabricEncryptedText function. Use the thumbprint from the cert to encrypt the text. This will create an encryption of the text that contains a base64 string that contains the secret ciphertext as well as the information about the certificate used to encrypt it. This is critical! Also, it is a good idea to run the Invoke-ServiceFabricDecryptText method on the encrypted string using the certificate to ensure it decrypts fine.
Now comes the fun part, putting this into all the XML files in the correct way to get this to work. (This is where it gets messy).
First you need to modify the settings.xml file. The parameter that you want to be encrypted needs to be set to IsEncrypted="true" Value="" and MustOverride="true".
Next you need to declare the override parameter in the ApplicationManifest.xml file. Make sure the parameter name in the application manifest is the same as in the settings. Set the Name of the parameter in the Parameters section in the ApplicationManifest.xml file and set the value = "".
In the ConfigurationOverride section where you have the Parameter name referenced, set the value to the Parameter in the parameters section. Currently this will be blank, also set the IsEncrypted="true".
This is where I got stuck. All this other information was readily available; this next section wasn't. Next, in the ApplicationParameters folder under your project, select the XML file used when you publish to your Service Fabric. This is where you will place the encrypted value. Create a Parameter in this section, set the name to the name you gave in your ApplicationManifest and set the value to the encrypted value generated from the certificate.
When you deploy, this parameter will be passed in as an encrypted value. To use it in code you need to make sure you reference the DecryptValue. For example:
var decryptedPassword = configurationPackage.Settings.Sections["sectionname"].Parameters["ConnectionString"].DecryptValue();
This will generate a SecureString that you can use throughout your code. I converted the value to a string using one of many references on how to convert SecureString to string available online.
That's it. I hope this helps someone else that is not using the Azure Key Vault to secure secrets.
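As an added illustration of the three files the answer above walks through (not the author's own files), here is how the pieces line up for one encrypted parameter. The section name "ConnectionStrings", the service manifest name "MyServicePkg", the application type name and version, and the application name are assumptions; the encrypted value is a placeholder for the string produced by the PowerShell encryption step.

```xml
<!-- 1) PackageRoot/Config/Settings.xml of the service: blank value, flagged
        encrypted, and must be overridden by the application. -->
<Settings xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <Section Name="ConnectionStrings">
    <Parameter Name="ConnectionString" IsEncrypted="true" MustOverride="true" Value="" />
  </Section>
</Settings>

<!-- 2) ApplicationManifest.xml: declare the application parameter with an empty
        default and route it into the service's config package, keeping
        IsEncrypted="true" on the override. -->
<ApplicationManifest xmlns="http://schemas.microsoft.com/2011/01/fabric"
                     ApplicationTypeName="MyAppType" ApplicationTypeVersion="1.0.0">
  <Parameters>
    <Parameter Name="ConnectionString" DefaultValue="" />
  </Parameters>
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="MyServicePkg" ServiceManifestVersion="1.0.0" />
    <ConfigOverrides>
      <ConfigOverride Name="Config">
        <Settings>
          <Section Name="ConnectionStrings">
            <Parameter Name="ConnectionString" Value="[ConnectionString]" IsEncrypted="true" />
          </Section>
        </Settings>
      </ConfigOverride>
    </ConfigOverrides>
  </ServiceManifestImport>
</ApplicationManifest>

<!-- 3) ApplicationParameters/Cloud.xml (the file selected when publishing):
        the only place the ciphertext appears. The placeholder below stands for
        the output of the PowerShell encryption cmdlet. -->
<Application xmlns="http://schemas.microsoft.com/2011/01/fabric" Name="fabric:/MyApp">
  <Parameters>
    <Parameter Name="ConnectionString" Value="PLACEHOLDER-ENCRYPTED-VALUE-FROM-POWERSHELL" />
  </Parameters>
</Application>
```

With this layout the plaintext never appears in source control: the service code reads Sections["ConnectionStrings"].Parameters["ConnectionString"].DecryptValue(), which only succeeds on nodes where the encipherment certificate is installed.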