I only see Key Vault Secret rotation but not Key Vault Keys rotation in docs. Create new version and disable the older version is one approach to rotate Azure Key Vault Keys(Cryptography Keys)
Is there any other way to rotate Cryptography Keys in Azure Key Vault Keys?
Whether working with secrets, keys, or certificates, use the full secret/key/certificate ID which includes the version. For keys, if you set the expiration just beyond the time you want to rotate, you don't need to manually disable the key.
So when you generate a new key or version (when using the same key name, it's the same result) it generates a new key ID you can use while the old remains valid until expired. You don't really need two keys unless you need a period of overlap, but you'd need two different key names at max since you should rely on full key IDs with versions for your application.
I also couldn't find official documentation, but I'll pass along the request. You can also always leave feedback on the documentation, for example, requesting key rotation docs on the secret rotation docs to which you referred.
Related
I want to programmatically regenerate the symmetric key (primary and secondary keys) in group enrollments of Azure DPS, there is an API provided by azure in the link.
I used this github repo and was able to run it.
I used the API but it retured 404 not found.
I used the mentioned github repo and was able to get the instance of an enrollment group.
Now I want a way to regenerate the keys for current group but there is seem to have no function that would allow that thing.
A way is to change the redo attestation that in return will change the symmetric keys but I have not find a way yet.
If anyone could help me, that would be great.
There's no API specifically for regenerating group enrollment keys. However, you can use the CreateOrUpdateEnrollmentGroupAsync method to update an existing enrollment group, passing in a new set of keys. See: https://learn.microsoft.com/en-us/dotnet/api/microsoft.azure.devices.provisioning.service.provisioningserviceclient.createorupdateenrollmentgroupasync?view=azure-dotnet&viewFallbackFrom=azure-dotnet-preview
You will need to generate your new symmetric keys to pass in as part of the EnrollmentGroup parameter.
The following sample shows an example of using this method with an enrollment group that uses X.509 certs, but you should be able to easily modify it to use symmetric keys instead: https://github.com/Azure/azure-iot-sdk-csharp/tree/main/provisioning/service/samples/getting%20started/EnrollmentGroupSample
To generate a suitable key in Python, you could use the following:
from hashlib import sha256
from base64 import b64encode
s = 'mysecretkeyfordps'
h = sha256()
h.update(s.encode())
b64bytes = b64encode(h.digest())
print(b64bytes.decode())
The use case is a user has a metadata that needs to be encrypted so when they sign-in a protected and stored object "encrypted" will be "checked" to verify the object information coming in plaintext is equal to what is in the encrypted object.
The question is, is it more appropriate in an Azure Key Vault to give each and every user a key with public and private key ability. Or, just use a single key that will encrypt the object that is stored and just un-sign/decrypt the object when it is accessed.
To me, the object is what is necessary to be encrypted and doesn't really relate to how the key is encrypted hence a universal 1 key to many approach.
The other approach makes sense too but I would have to create a hell of a lot of keys in order to facilitate such an approach. Is 1000's or millions of keys resulting in a key per each user appropriate?
What are the advantages or disadvantages of each other.
I think the same practice would apply to JWT token signing.
I think its better to have one key and on a regular basis rotate the key.
For example, like they do in ASP.NET Core Data Protection API (I know you are using node) where they every 90 days (by default) replace the current key with a new one, and the old one is still kept to allow decryption of old data. In .NET they call this the key-ring, that hold many keys.
I did blog about this here.
Also, do be aware that using some SDK's with Azure Key Vault, they try to download all secrets at start-up, one-by-one. That can be quite a time consuming if you have many secrets.
Does Azure Key Vault purge expired versions automatically so it does not get returned from get key versions?
Background:
We plan to use Azure Key Vault certificates with a 2 month rotation. So, we will set ValidityInMonths to 2 and RenewAtNumberOfDaysBeforeExpiry to 3 or so. The reason for the short rotation is that it will be used for asymetric signing.
We need to make the public keys available from an API, so we will call get key versions.
My concern is that the number of versions will keep growing every 2 months.
No, the process is not automatic. To permanently delete a secret First a user must delete the object, which puts it into the soft-deleted state. Second, a user must purge the object in the soft-deleted state. The purge operation requires additional access policy permissions.
Note: Soft delete is Enabled by by default.
You can find more information here Azure Key Vault soft-delete overview
Im currently implementing a solution where we are going to store secrets once an hour. It will be the same secret that is updated, or rather we will call SetSecret, since UpdateSecret wont allow us to update the value of the secret. Since Seting a secret with an existing name creates a new version of the same, they will all have an expiry date.
The questions i got is as follows:
Are there any native retention logic for versions. Ex, removed after a certain time if expired/Removed when there is x amount of versions?
If not, is there any max count for versions?
Does it count towards some storage limit?
Manually deleting versions is not possible, so a possible solution will ofcource be to sometimes remove the secret. But this is a step i would like to skip since it will add more complexity if native retention of secrets is supported.
Cheers!
There is no native retention logic within key vault and all the versions will remain in key vault.
There is no limit on the maximum number of versions of a particular secret.
No, it will not be counted towards any storage limit as well.
How do I force AWS KMI to rotate a key after a compromise? It seems I can instruct AWS to automatically rotate keys once a year. But on demand, if compromised - doesn't seem possible. Specifically, the PCI-DSS requirements:
3.6.5
a) Do cryptographic key procedures include retirement or replacement (for example, archiving, destruction, and/or revocation) of cryptographic keys when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key)?
b) Do cryptographic key procedures include replacement of known or suspected compromised keys?
(When you say KMI, I guess you mean AWS KMS.)
This is a valid question. The way to rotate keys manually is to create a new key and change the alias from the old key to the new one. Unfortunately, most AWS resources use the key id, so you have to assess which one is still using the old one.
If you use Infrastructure as Code tools such as Terraform or Pulumi, you just need to taint the KMS resource, so it will be recreated with a new ID and if you did everything right, e.g. used the alias-based data queries in Terraform, you just need to run the pipelines for those resources, and you are good to go.
How do I force AWS KMI to rotate a key after a compromise?
Key rotation doesn't mitigate compromised key data.
Key rotation is a mechanism to prevent encrypting too many chunks of data (there is a math about relation between amount of encrypted data and probability of key revelation)
Basically the key rotation creates a new version of the key for new encryptions, but KMS will allow decrypting any ciphertext encrypted with the older key version.
See:
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually
Unfortunately, most AWS resources use the key id, so you have to assess which one is still using the old one.
When using manual key rotation, the application needs to know which key is the current one (e.g. using an alias), but the ciphertext needs a reference to the key id/arn to decrypt.
But on demand, if compromised - doesn't seem possible.
By default the KMS key doesn't leave the hardware. There is no way the KMS key itself is compromised, so maybe an automatic rotation is feasible having all the advantages (keeping the same ARN/ID/alias)
However - the KMS is meant for envelope encryption, KMS is used to encrypt the random data-key or a service-specific key, which can be leaked theoretically. Then you need to create policies to manage this risk