Can we create a read only API Key?
We are trying to debug production and want to ensure we don't affect the data. We see how to create a new key but the only option we see for that key is a flag called 'status' which seems to be enable/disable.
I want to programmatically regenerate the symmetric key (primary and secondary keys) in group enrollments of Azure DPS, there is an API provided by azure in the link.
I used this github repo and was able to run it.
I used the API but it returned 404 not found.
I used the mentioned github repo and was able to get the instance of an enrollment group.
Now I want a way to regenerate the keys for the current group, but there seems to be no function that would allow that.
A way is to change the attestation again, which in return will change the symmetric keys, but I have not found a way yet.
If anyone could help me, that would be great.
There's no API specifically for regenerating group enrollment keys. However, you can use the CreateOrUpdateEnrollmentGroupAsync method to update an existing enrollment group, passing in a new set of keys. See: https://learn.microsoft.com/en-us/dotnet/api/microsoft.azure.devices.provisioning.service.provisioningserviceclient.createorupdateenrollmentgroupasync?view=azure-dotnet&viewFallbackFrom=azure-dotnet-preview
You will need to generate your new symmetric keys to pass in as part of the EnrollmentGroup parameter.
The following sample shows an example of using this method with an enrollment group that uses X.509 certs, but you should be able to easily modify it to use symmetric keys instead: https://github.com/Azure/azure-iot-sdk-csharp/tree/main/provisioning/service/samples/getting%20started/EnrollmentGroupSample
To generate a suitable key in Python, you could use the following:
from hashlib import sha256
from base64 import b64encode
s = 'mysecretkeyfordps'            # passphrase the key is derived from
h = sha256()
h.update(s.encode())               # hash the UTF-8 bytes of the passphrase
b64bytes = b64encode(h.digest())   # 32-byte digest -> base64, the form the enrollment group expects
print(b64bytes.decode())
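As an added example (not part of the answer above or of the Azure SDK), the following Python generates a fresh primary/secondary pair from random bytes instead of a passphrase, validates the base64 form, and goes one step beyond the answer by deriving the per-device key DPS computes for a group enrollment (HMAC-SHA256 of the registration id under the group key), so you can see which device keys a rotation invalidates. The rotate_keys pattern (old primary demoted to secondary) is one common rollover strategy assumed here, not something the SDK prescribes.

```python
import base64
import hashlib
import hmac
import secrets


def generate_group_keys(length=32):
    """Return independent primary and secondary keys: `length` random
    bytes each (32 = 256 bits), base64 encoded as the SymmetricKeyAttestation
    properties expect."""
    return {
        "primary_key": base64.b64encode(secrets.token_bytes(length)).decode(),
        "secondary_key": base64.b64encode(secrets.token_bytes(length)).decode(),
    }


def is_valid_group_key(key, min_bytes=16):
    """True when `key` is strict base64 and decodes to at least min_bytes."""
    try:
        raw = base64.b64decode(key, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) >= min_bytes


def derive_device_key(group_key, registration_id):
    """Device key for a group enrollment:
    base64(HMAC-SHA256(base64decode(group_key), registration_id))."""
    mac = hmac.new(base64.b64decode(group_key),
                   registration_id.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def rotate_keys(current):
    """Assumed rollover pattern: new random primary, old primary kept as
    secondary so devices still holding keys derived from it keep attesting
    until they are re-provisioned."""
    new_primary = base64.b64encode(secrets.token_bytes(32)).decode()
    return {"primary_key": new_primary, "secondary_key": current["primary_key"]}


if __name__ == "__main__":
    keys = generate_group_keys()
    print("device key for dev-01:", derive_device_key(keys["primary_key"], "dev-01"))
    rotated = rotate_keys(keys)
    print("after rotation, dev-01 key changes:",
          derive_device_key(rotated["primary_key"], "dev-01"))
```

Pass the two strings from generate_group_keys (or rotate_keys) as the primary/secondary keys of the EnrollmentGroup you hand to CreateOrUpdateEnrollmentGroupAsync.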
I am trying to set up a service in which we will use Customer Managed Encryption Keys to encrypt/decrypt data, but with each operation we want to send a custom header in which it specifies the reason for the operation. AWS has this custom audit log functionality and I was wondering if there is a way to do that in Azure?
According to my research, Azure regrettably doesn't support custom audit logs for encryption/decryption operations that send a custom header indicating the specific purpose of the operation.
I'm new to Azure Functions. So I have built a normal HTTP trigger which takes 2 parameters as input. Using those parameters I'm pulling data from Gen2 locations and showing it in the response.
Currently I'm using function keys (created one for my testing purpose) and using the same.
So the request which I'm passing looks something like this:
https://(APP-NAME).azurewebsites.net/(RESOURCE-PATH)?param1=&param2=,code=(Generated by function key)
Till this point everything is working well. Now I'm sharing this request API to set of people.
The response is data which they can see. Now I'm trying to make the code dynamic (the existing one should expire after a certain time and I should be able to pick a new function key from the same function key name I created).
Is it possible to generate our own function keys (using some random key generator) from the back end and keep updating the values after a particular time interval?
Please feel free to provide more suggestions.
Azure has provided an API for function key management in Azure Functions. This API will allow you to create, delete and update the function keys. It is available at runtime when your app is deployed in Azure.
According to this documentation you can make the required changes to the function keys; you also need to pass Bearer Token credentials with your GET/POST requests, as you must be authorized to be able to view or make changes to the function keys.
Since you want to change the function key after a particular interval of time, you can use a time trigger which will change the function key (after a particular interval of time) using the above api.
To generate a key use any random string generator provided in the programming language of your choice. You can then store the newly generated function key in blob storage for further use.
REFERENCES:
Timer trigger for Azure Functions
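As an added example (not from the answer above and not Azure's own code), here is the rotation logic a timer-triggered function would run: it reads the stored key record (assumed to be kept in blob storage as {"name", "value", "created_at"}), decides whether the key has outlived its maximum age, generates a replacement with a CSPRNG, and builds the PUT for the runtime key management API. The ADMIN_KEY_URL pattern and the {"name", "value"} body are my reading of that API and should be checked against the documentation linked in the answer; the HTTP call itself is left to the caller so the logic runs offline.

```python
import base64
import secrets
from datetime import datetime, timedelta

# Assumed shape of the runtime key management endpoint (verify against the docs).
ADMIN_KEY_URL = "https://{app}.azurewebsites.net/admin/functions/{function}/keys/{keyname}"


def generate_function_key(num_bytes=40):
    """New random function key: 40 CSPRNG bytes, base64 encoded (same
    general shape as portal-generated keys)."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode()


def needs_rotation(created_at_iso, now_iso, max_age_seconds):
    """True when the key issued at created_at_iso is max_age_seconds old or older."""
    created = datetime.fromisoformat(created_at_iso)
    now = datetime.fromisoformat(now_iso)
    return now - created >= timedelta(seconds=max_age_seconds)


def build_key_update_request(app, function, keyname, value, bearer_token):
    """Describe the PUT that replaces keyname's value. The body dict must be
    JSON-encoded by whatever HTTP client sends it."""
    return {
        "method": "PUT",
        "url": ADMIN_KEY_URL.format(app=app, function=function, keyname=keyname),
        "headers": {"Authorization": "Bearer " + bearer_token,
                    "Content-Type": "application/json"},
        "body": {"name": keyname, "value": value},
    }


def rotate_if_due(record, now_iso, max_age_seconds, app, function, bearer_token):
    """Return (record_to_store, request_or_None). The record is unchanged and
    no request is built while the current key is still within max_age."""
    if not needs_rotation(record["created_at"], now_iso, max_age_seconds):
        return record, None
    new_value = generate_function_key()
    new_record = {"name": record["name"], "value": new_value, "created_at": now_iso}
    req = build_key_update_request(app, function, record["name"], new_value, bearer_token)
    return new_record, req


if __name__ == "__main__":
    # Constructed sample record, 2 days old against a 1-day maximum age.
    rec = {"name": "readers", "value": "old-key", "created_at": "2024-01-01T00:00:00+00:00"}
    new_rec, req = rotate_if_due(rec, "2024-01-03T00:00:00+00:00", 86400, "myapp", "GetData", "TOKEN")
    print(req["method"], req["url"], "-> new key stored:", new_rec["value"][:8] + "...")
```

Write new_record back to blob storage only after the PUT succeeds, otherwise the stored value and the live key drift apart.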
I'm implementing Azure Redis Cache in Asp.net Core MVC 2.1 application. I need to set the default key expiration value for all the keys globally. And also I should be able to override the expiration duration on individual keys.
I know we could set expiration on individual keys using IDatabase.KeyExpire method, but I'm looking for some sort of configuration that applies to all the keys.
Note: I'm using the default eviction policy (volatile-lru), no changes made to it.
AFAIK, redis does not provide this ability - you'll have to specify automatically expiring keys. Please refer to this article.
When we go to the definition of IDatabase, we can see that KeyExpire only accepts a single key to set an expiration on, whereas KeyExists can take an array of keys. So you have to set the expiration value for each key.
For more details, you could go to this article.
Are you trying to save by not having to execute the EXPIRE command for each key? If so, the Redis SETEX command which performs the SET and EXPIRE together might help, and you can use a pre-configured expiry value via an extension method / wrapper. StackExchange.Redis uses the SETEX command when using an expiry. For setting an expiry on individual keys, you can use the EXPIRE command.
I need to use a digital signature in an application running on WebSphere Portal 6.1. Is there any API for retrieving java.security.PrivateKey from server key storage?
I want to avoid explicit path to key storage and storage password in my application source code.
Check out the IBM KeySetHelper API.
First, define a KeyStore in WAS admin. This is what will reference the key database (JKS, PKCS12, etc) on the filesystem via path. Then define a named KeySet and reference the KeyStore. Create an alias in the key set that matches a label in the KeyStore. This limits access to specific keys if you have several in the store.
You can then "look up" the named keystore via KeySetHelper by name. Note: you'll need to know what type of key is in the store. You won't need to know labels within the key database (or even passwords) in your code. However, you'll need to know whether or not the key is a shared secret (in which case you'll receive a java.security.SecretKey implementation). Since you want a java.security.PrivateKey, make sure you load a personal certificate into the key database that is represented in WAS as your keystore.
If you manually load a certificate into your keydatabase backing your keystore, you can leave off the key generator class name parameter of the keyset. That's used if you want to have WAS generate keys. If you also need a java.security.PublicKey, be sure to check the "generates key pair" option. In that case, you are returned from your KeySetHelper::getLatestKeysForKeySet call a com.ibm.websphere.crypto.KeyPair which contains both a java.security.PrivateKey and a java.security.PublicKey (plus access to a java.security.Certificate).
See also:
Creating a KeyStore
Creating a KeySet