Can a Different Asymmetric Key be used to Wrap a Different Symmetric Key

Charlie Melga 126 Reputation points
2022-07-18T14:16:29.853+00:00

Hello All

Can someone please help me with the following question.

I understand that when using Azure KeyVault Premium (HSM backed), if I create a symmetric key (secret) in Azure Key Vault (for example, an AES key used to encrypt data at rest, like disk data):

To protect the key, it is 'wrapped' by encrypting it with the public key (of an asymmetric key pair). If that is incorrect, please let me know.

Assuming the above is correct, if I have two symmetric keys (AES1 and AES2), can I have 'two' separate asymmetric keys (wrapping keys) associated with 'one' Azure KeyVault, for example ASYM1 and ASYM2?

So I can, say, wrap AES1 using ASYM1 and wrap AES2 using ASYM2.

Then, can I grant rights to use ASYM1 and ASYM2 separately (to separate users/services), so that each cannot unwrap (and therefore use) the other symmetric key?

Thanks
Ernest


Accepted answer
  1. JamesTran-MSFT 36,456 Reputation points Microsoft Employee
    2022-07-19T00:05:21.703+00:00

    @Charlie Melga
    Thank you for your post!

    When it comes to the use of a Symmetric Key (Secret) and an Asymmetric Key (Key), depending on the encryption method you decide to use, you can definitely leverage a Key to wrap a Secret.

    For more info - Azure encryption models.

    Azure disk encryption:
    You can protect Windows and Linux virtual machines by using Azure disk encryption (ADE), which uses Windows BitLocker technology and Linux DM-Crypt to protect both operating system disks and data disks with full volume encryption.

    Azure Storage Service Encryption:

    Azure Key Vault:
    When it comes to maintaining the rights to use one Key over the other (i.e. ASYM1/ASYM2) for specific users, you can Enable Azure RBAC permissions on your Key Vault. This new Azure RBAC permission model for key vault provides an alternative to the vault access policy permissions model. Azure RBAC for key vault provides the ability to have separate permissions on individual keys, secrets, and certificates.

    Individual keys, secrets, and certificates permissions should be used only for specific scenarios:

    1. Sharing individual secrets between multiple applications, e.g., one application needs to access data from the other application
    2. Cross-tenant encryption with customer key, e.g., ISV using a key from a customer key vault to encrypt its data

    Additional Links:
    Azure Data Encryption at rest
    Data encryption models
    Azure Key Vault Overview
    Azure RBAC Permission Model - Known limits and performance
    Key management with Key Vault

    I hope this helps!

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

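The following is an added example, not code from the question, the answer, or Microsoft. It models the scheme discussed above locally with Go's standard library: two RSA wrapping keys (ASYM1, ASYM2) each wrap a separate AES data key (AES1, AES2) with RSA-OAEP, and a small `Vault` type stands in for Key Vault's per-key permission model, granting `unwrapKey` to a principal on an individual key rather than on the whole vault. The `Vault`, `Grant` and `Unwrap` names, the principal names `svc-a`/`svc-b`, and the in-memory private keys are assumptions of this example; in the real service the private half stays in the HSM and the authorization decision is made by Azure RBAC, not by code you write.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrForbidden is returned when the principal holds no unwrapKey grant on the key.
var ErrForbidden = errors.New("unwrapKey denied for this principal on this key")

// WrappingKey is a local stand-in for an RSA key stored in Key Vault (ASYM1, ASYM2).
// Assumption of this example: the private key is held in memory; in Key Vault it never leaves the HSM.
type WrappingKey struct {
	Name string
	priv *rsa.PrivateKey
}

// NewWrappingKey generates a 2048-bit RSA key pair to act as a key-encryption key.
func NewWrappingKey(name string) (*WrappingKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &WrappingKey{Name: name, priv: priv}, nil
}

// Wrap encrypts the raw AES key bytes with the public half (RSA-OAEP, SHA-256).
// Only the public key is needed, so wrapping needs no unwrap permission.
func (k *WrappingKey) Wrap(aesKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &k.priv.PublicKey, aesKey, nil)
}

// unwrap is the private-key operation; it is only reachable through Vault.Unwrap.
func (k *WrappingKey) unwrap(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, k.priv, wrapped, nil)
}

// Vault models per-key permissions: a grant is (principal, key name), never "all keys".
type Vault struct {
	keys   map[string]*WrappingKey
	grants map[string]map[string]bool // principal -> key name -> unwrapKey granted
}

func NewVault() *Vault {
	return &Vault{keys: map[string]*WrappingKey{}, grants: map[string]map[string]bool{}}
}

func (v *Vault) AddKey(k *WrappingKey) { v.keys[k.Name] = k }

// Grant gives principal the unwrapKey right on exactly one key.
func (v *Vault) Grant(principal, keyName string) {
	if v.grants[principal] == nil {
		v.grants[principal] = map[string]bool{}
	}
	v.grants[principal][keyName] = true
}

// Unwrap performs the authorization check first, then the RSA-OAEP decryption.
// A caller with a grant on ASYM1 cannot use ASYM2 at all (ErrForbidden), and
// using ASYM1 on a blob wrapped under ASYM2 fails the OAEP check (rsa.ErrDecryption).
func (v *Vault) Unwrap(principal, keyName string, wrapped []byte) ([]byte, error) {
	if !v.grants[principal][keyName] {
		return nil, ErrForbidden
	}
	k, ok := v.keys[keyName]
	if !ok {
		return nil, fmt.Errorf("key %q not found", keyName)
	}
	return k.unwrap(wrapped)
}

// NewDataKey returns a fresh 256-bit AES key (the AES1/AES2 of the question).
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func main() {
	v := NewVault()
	asym1, err1 := NewWrappingKey("ASYM1")
	asym2, err2 := NewWrappingKey("ASYM2")
	aes1, err3 := NewDataKey()
	aes2, err4 := NewDataKey()
	if err := errors.Join(err1, err2, err3, err4); err != nil {
		panic(err)
	}
	v.AddKey(asym1)
	v.AddKey(asym2)
	w1, _ := asym1.Wrap(aes1) // AES1 wrapped under ASYM1
	w2, _ := asym2.Wrap(aes2) // AES2 wrapped under ASYM2
	v.Grant("svc-a", "ASYM1")
	v.Grant("svc-b", "ASYM2")

	_, err := v.Unwrap("svc-a", "ASYM1", w1)
	fmt.Println("svc-a unwraps AES1 with ASYM1:", err) // <nil>
	_, err = v.Unwrap("svc-a", "ASYM2", w2)
	fmt.Println("svc-a unwraps AES2 with ASYM2:", err) // ErrForbidden
	_, err = v.Unwrap("svc-a", "ASYM1", w2)
	fmt.Println("svc-a unwraps AES2's blob with ASYM1:", err) // crypto/rsa: decryption error
}
```

Two points carry over to the real service. First, Azure RBAC is additive: a role such as Key Vault Crypto User assigned at vault, resource-group or subscription scope covers every key in the vault, so the per-key separation only holds if the service principals have no such wider assignment; an assignment scoped to the individual key resource path (`.../providers/Microsoft.KeyVault/vaults/<vault>/keys/<key>`) is what gives the "svc-a may only use ASYM1" behaviour. Second, as the example shows, the permission check and the cryptography fail independently: even if a principal somehow reached the wrong key, a blob wrapped under ASYM2 does not unwrap under ASYM1, so the wrong data key can never be recovered by mistake.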

