Share via

What are the best Practices for Storing Privileged Credentials in Azure Key Vault

Subhash Kumar Mahato 55 Reputation points
2024-05-13T04:00:00.26+00:00

Hi,

I would like to leverage Azure Key Vault to store some privileged credentials (such as Linux root accounts or AD privileged accounts) and share them with specific teams. Since there are some naming restrictions in Azure Key Vault and secrets, such as not being able to use white spaces or any special characters except dash ‘-‘.

Here, I would like suggestions on which Azure Key Vault secrets field I can store "User name" and other privileged account details, like for password secret value can be used. Additionally, How I can match the attributes from the privileged account and Azure Key Vault secrets?

What could be the best ways to store privileged or local accounts in Azure Key Vault as secrets?

Thank you.

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,147 questions

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. akinbade abiola 1,580 Reputation points
    2024-05-13T08:02:06.1333333+00:00

    Hello Subhash Kumar Mahato,

    Thanks for your question.

    AKV is an excellent solution for application secrets. I would recommend don't store user secrets in AKV, but do consider using Key Vault for encrypting the secrets you store in your database.

    https://learn.microsoft.com/en-us/azure/key-vault/general/overview

    However if you must. I would suggest following a solution here:

    1. On the Create a secret page, do the following:
      1. Upload options: Select Manual.
      2. Name: Enter the name of the secret. For example, you can use Username for the username secret and Password for the password secret.
      3. Secret value: For the username value (in the format domain\username), enter the domain account username. For the password value, enter the domain account password. For example, if the domain is contoso.com, the username should be in the format contoso\username.
      4. Leave the Content type (optional), Set activation date, Set expiration date, Enabled, and Tags areas as default. Select Create to create the secret.

    The above is documented here for a similar implementation https://learn.microsoft.com/en-us/system-center/scom/store-domain-credentials-in-key-vault?view=sc-om-2022

    This takes advantage of using the username and password.

    Please let me know if you have further questions

    You can mark it 'Accept Answer' if this helped.

  2. akinbade abiola 1,580 Reputation points
    2024-05-14T07:22:37.94+00:00

    Hello Subhash Kumar Mahato,

    Thanks for your further question.

    There is no security issue with storing Entra/Local User Secrets in Keyvault. It is also a viable solution. My suggestion is based on Key Vault being appropriate more for application secrets where you can give access. Key Vault is not designed for rapid calls you may need if there are a lot of users like with entra.

    However, you can use Key Vault if you do not forsee a lot of users making rapid calls and it is just privileged details you need, it is an excellent secret store.

    You can also take a look at this architecture solution if it suits your needs.

    https://learn.microsoft.com/en-us/azure/architecture/patterns/valet-key

    Please let me know if you have further questions

    You can mark them 'Accept Answer' if the answers helped.

    0 comments