Encrypting connection strings for azure webapp - azure

I am trying to encrypt the connection strings of the web app hosted in azure. I found that this can be done using the aspnet_regiis.exe tool. But, my question is we have the auto scale out enabled and it happens quite often. So, If I encrypt the connection strings using the tool mentioned above, will it work if the webapp is scaled out. Is there any other way to encrypt?

If you want to securely store your connection string you should use Azure Key Vault (as mentioned by Peter Bons).
To safely access the credentials you should consider using Managed Identities.
Here is the Managed Identities documentation for App Services

Related

Using shared access signatures in Xamarin with Azure

I am working on an app developed using Xamarin Forms. The app connects to a container on Azure to read a couple of text files. The text files don't contain any confidential or secret information, just some publicly available information that the app uses.
I am able to connect to the storage container and read the blob without issue however I am readying the app for release to the App store and Google Play store so was following this guide around using Shared Access Keys to connect to Azure.
https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview
To be honest, I am a bit confused as to which approach I should use. The app itself will be connecting to the container and reading the blob, so it won't be an actual "user" as such like joeB, or JaneB. That makes me think a user delegated SAS is not the way to go, although the documentation seems to suggest this is the most secure option.
I also noticed the user delegated sas token itself expires after a period of time and the app started crashing when trying to autheticate/connect. I am not sure if that is also the case with a service SAS and account SAS.
Basically, for my use case (an app reading a text file in a container in Azure), which is the best option for me to use based on those listed in the link above? Has anyone else done something similar? If so, how did you secure your connection string?
Thanks!

Can I pass an Azure Key Vault Secret to an SFTP connector in an Azure Logic App?

Maybe I'm going about this the wrong way, but I uploaded an SSH key to my Key Vault and am trying to pass this to an SFTP-SSH connection in my logic app.
However, when I try to put the secret value into the SSH private key field of the connection, it doesn't bring up the Dynamic variables form. I'm guessing this might be because the API Connection is a separate object outside the Logic App?
Is there a way for me to pass the ssh key from the key vault to the SFTP connection? Whether it's in the logic app or not. I want to be able to deploy this solution without re-entering the key manually into the API.
I actually found this video where the guy looked like he's going to do exactly this type of flow, but it looks like part 1 of the video and there's no part 2 where the actual execution of this happens:
https://www.youtube.com/watch?v=5W8g0KER8RM
You cannot do this from the portal.
The youtube video you refer to is to allow ease of deployment using arm templates. Sadly the 2nd part of the video is not available.
If you are using the portal, you need to setup the connection the first time. This is also secure as no one can see the credentials once the connection is made. But this is not ok when you have to redeploy the logic app to multiple environments in which case you need to manually setup the connection credentials each time. To make this task easy, you setup the SSH keys as shown in the video, and then configure an arm template to use the secrets from the key vault.
You can check the Microsoft forum answer to the same question HERE.

Secret management for nodejs app on google cloud app engine

I had a talk with a friend today about a project his startup is doing. It is a nodejs application with a mongodb backend hosted on Google Cloud App Engine. To my horror I saw that he has stored secrets such as API keys and database keys in his git repo.
I come from an Azure and .NET background so I am used to using Azure Key Vault, and don't know what is the preferred way of doing it in GAE. I have tried to read the docs but there are a lot of options and none seems to quite mirror what I am used to in Azure.
I would like to help my friend out.
So could anyone please point me towards what product I should read up on. Is it Hashicorp Vault, Google Cloud HMS or Berglas? My needs are that the vault needs to be able to store secrets encrypted and the nodejs app should not need to worry about authenticating with the vault. The vault should just allow the service account to read secrets.
If the vault can also fit into a Terraform setup where we can provision all resources and at provisioning also generate the secrets needed and then put them into the vault without any human ever laying eyes on that secret, then that would be really awesome! That way we could also create a setup where he would be able to provision a full disposable environment based on a feature branch. But that is just a nice to have.
Based on the fact that you want to use Terraform as well, I would suggest using HashiCorp. There is a blog post about the combination of those 2 from Google. In general, all those solutions that you mentioned in your question are viable and you can find more here.

How to securely provide private SSL keys to Cloud Foundry apps?

I have an app that I want to run in Cloud Foundry (specifically, in IBM Bluemix). This app will call out to a number of third-party services/APIs, most of which are not managed via CF services. One of these APIs requires my app to use an SSL key to authenticate, so my app needs access to a private SSL key.
My app is deployed from an automated pipeline (specifically, IBM Bluemix DevOps Pipelines) based off of source from a GitHub repo and some small scripts saved in the pipeline config.
It seems like a bad idea to keep the private key file in the source control, and I don't believe there's anywhere to keep it in the pipeline config, so what are my options for making it available to the app while keeping it secure?
I've read this article: Keeping secrets – how your cloud application should access credentials and other private data which says that secrets, passwords, etc, can be made available via environment variables or Cloud Foundry user-provided services.
Googling to find out if this is a suitable option for SSL keys, I find this Cloud Foundry Page: Understanding Cloud Foundry Security which says "Store SSL keys securely to prevent disclosure, and promptly replace lost or compromised keys.", but doesn't say anything about how to store them securely and make them available to your apps.
So what options are available to me for storing the private key and making it available to my CF app while not storing it in my source control?
Note: I believe I do not want the cf ssh functionality, as that is for connecting in to an app (if I understand it correctly), not for an app connecting out.
Agreed - keeping your key in source control is bad practice.
Bluemix has a service called Key Protect that should provide exactly what you're looking for.
Docs here
Alternatively there are a number of other 3rd party providers you could use to do this.

Deploy WebApp to Azure with Zero downtime from VS2015

I'm trying to publish my web app from VS without no downtime. If you search in Google, you find the official documentation speaking about using slots and do a swap later.
This is a good approach, but I have other problem when I do the swap, logins are lost (look this question: link).
Relevant information in the link:
Session is not linked to Authentication, you're attempting to solve it in the wrong way.
All forms authentication tickets and cookies are encrypted and signed using the data protection layer. The problem you are encountering is due to the encryption keys not being saved, and applications being isolated from each other.
How can I do that? In AWS I had rolling updates...
For more information, I'm using ASP.NET Core with Identity 3.0
Thanks!!
What you're seeing is an azure limitation right now. While Azure Web Sites will share the key ring it sees swap slots as separate applications.
There are a couple of things to try.
First, set a common application name. This will help because every application which shares the keyring is isolated by default; but if they share the application name they can share keys
public void ConfigureServices(IServiceCollection services)
{
services.AddDataProtection();
services.ConfigureDataProtection(configure =>
{
configure.SetApplicationName("my application");
});
}
If that's not enough for azure (I am honestly unsure if hot swaps end up using Azure Web App's shared key folder) you can combine that with using Azure Data Tables for storing the encryption keys - https://github.com/GrabYourPitchforks/DataProtection.Azure/tree/dev
Between those two it should get the encryption keys used to protect identity cookies shared between your apps.
I found a fork for aspnet core 1.0, for those interested:
https://github.com/prajaybasu/DataProtection.Azure/tree/dev/DataProtection.Azure
just like the other one, it stores encryption keys on an azure storage account.
It completely solved my problem.
Starting from blowdart's solution I solved my issue, so thanks.
Andrea
Are you using in-memory session state?
The problem with 'logins' being 'lost' is an architecture issue, not an issue with updating your web app.
Use something like RedisCache for session state. Not only will it persist when you update your application, but it will handle load-balancing on multiple server instances. As it sits you'll probably have this issue when you scale out to more than one server, in addition to when you update your app.

Resources