Strategies to encrypt on Azure without using KeyVault - azure

Need to store some content in Azure Blob Storage, and want to encrypt prior to storing it on Azure Blob (we don't want to rely on Azure storage encryption on-rest). The issue is we do not want to store our encryption keys on Azure (e.g. Key vault), and store it outside of Azure. Any suggestion on strategies for achieving this?

The issue is we do not want to store our encryption keys on Azure (e.g. Key vault), and store it outside of Azure.
Azure Storage Service Encryption doesn’t allow us to use our own encryption keys until now. To use your own encryption keys and store it outside of Azure, you need to create a proxy for your storage service.
For example, you could create a Web API to handle all the blob read/write requests. In your Web API, you could use your own encryption keys to encrypt or decrypt data and then write or read the data to Azure Blob Storage.
The limit of this way is that we can’t use the Azure Storage Client library or other tools to access the storage proxy (Web API) since it is written by yourself.
Any suggestion of on-premise secret options we can use, which are accessible to components on Azure.
I suggest you store the key on your local side and create a internal API which could return this key. To access this internal API from azure components, you could use hybrid connections.
Access on-premises resources using hybrid connections in Azure App Service

Related

How to technically guarantee BYOK data privacy in Azure

Can data stored in Azure using BYOK (storage accounts, databases etc) be technically (rather than contractually) assured to be not to be access even from Microsoft? For example we assume the HSM key has been securely transferred to HSM backed Key Vault. How can application write to and read from storage using BYOK without Microsoft being able to peek in configuration, or in memory process, or while data is saved to storage?
In public preview now you can use Managed HSM (MHSM). You can provision an MHSM similar to a Key Vault (KV), but to activate and use it you need to set up 3 or more keys to download a security domain from the HSM. Microsoft has no access to decrypt the key - only a quorum of the 3 or more public keys you uploaded. While a bit specific to our testing environment, we have a script that shows how we create certificates and download the security domain using those public keys in order to test MHSM.
You can use the existing Key Vault SDKs and tools like the Azure CLI to access MHSM just like you would KV. For the Azure CLI you need to pass --hsm-name instead of --vault-name, but otherwise works the same for keys.
We are soon releasing another beta of the Azure SDKs for .NET, Java, JavaScript, and Python that support other algorithms supported by MHSM (AES-CBC, AES-CBC-PAD, and AES-GCM). Check out our blog for announcements.

Storing access token from Azure Function

I am planning to write an Azure Function that will communicate to DocuSign through DocuSign API.
I am using JWT for authentication and what I am worried about is storing the Access Token.
The access token expires in 1 hour. As the Azure function is stateless, I have to put the access token somewhere to reuse it.
My question is about securely storing this token in Azure.
I think the below services from Azure can serve me
KeyVault
Memchaed
Azure Caching
Azure SQL
Which will be best? I do not want an expensive service to serve this purpose.
I think if you want to store the token, you can use KeyVault to realize your ideas. The communication between the resources in KeyVault and Azure is based on the Azure backbone network, so as long as Azure is safe, then KeyVault is safe. And, KeyVault was originally designed to acheive your current requirement.
I think you should use redis ( or maybe DB for your case is easier/better )
Azure has redis, you can simply use that.
And why not Azure Key Vault ?
Look at docs:
Docs
Secrets, managed storage account keys, and vault transactions:
Transactions type Maximum transactions allowed in 10 seconds, per vault per region1
All transactions 4,000
its because of transactions limits. You should not hit Azure KV so often.
Also interesting quote:
Cache secrets in your application for at least eight hours.
About redis, you can read it here: DocsRedis
The app uses a Redis cache as the backing store
tutorial

Is Azure Cloud Service Local Storage encrypted?

Is Azure Cloud Service Local Storage encrypted?
I would like to utilize Local Storage for my worker role as a scratch disk for image manipulation. I'm currently using an encrypted Azure file share, but the performance isn't great. I'm concerned that if I start using Local Storage my data may not be encrypted at rest. I haven't been able to find definitive information about encryption and Local Storage.
Microsoft clearly allows blob and file services to encrypt data using Storage Service Encryption (SSE) and its trivial to enable this via the Azure Portal.
When configuring local storage in the cloud service definition I don't see any options related to encryption. There's also no mention of Local Storage in the Azure data at rest white paper.
It looks like Azure Disk Encryption supports encrypting both OS and data drives, but again, I didn't see any mention of Local Storage or PaaS in the Azure Disk Encryption page.

Difference between Azure Key Vault and Data Protection APIs?

I deploy Asp.Net Core web app and I need to build a storage for private keys of my clients (it is a lot of values). What should I use: Azure Key Vault or Data Protection APIs?
The second seems more easy to programming, however there is information from docs:
The ASP.NET Core data protection APIs are not primarily intended for
indefinite persistence of confidential payloads...
But I need to store keys long-term.
If you're using the keys to protect data for long term storage, I would advise you to use Azure Key vault.
Azure Key vault is a high availability service designed for storage of secrets and keys. Keys and secrets are automatically copied to Key vault instances in multiple regions and easily backed up securely using PowerShell cmdlets. You can store them in an HSM if you are dealing with highly sensitive data.
The Data Protection APIs are more designed to protect local or ephemeral data.
You should use Azure Key Vault to store your keys. The Data Protection API is always used in your application, for example it is used to encrypt and secure your session cookie.
But don't forget that you also do need to configure and store the data protection keys in a secure place. If you don't do it properly, then uses might be kicked out of your site when you redeploy.
See this document for more details:
Key storage providers in ASP.NET Core
If you do want to store the Data Protection Key ring in AKZ, then check out my implementation here:
Storing the ASP.NET Core Data Protection Key Ring in Azure Key Vault

authentication for cURL request to Azure storage

I'm finding the documentation on the Azure storage REST services a bit confusing.
How do I authenticate and consume an endpoint from Azure storage services over cURL?
I have:
the url
primary key
secondary key
I just don't know what to do with them to make a proper request.
You can refer to this documentation: Authentication for the Azure Storage Services, both primary key and secondary key can be used for authentication, you can choose any of them.

Resources