Salt Key rotation

Question

Salt Key rotation

M MM 1

Planning to implement Encryption with Azure key valut with the following details along with key valut url

ClientId
ClientSceret - Plan is to rotate yearly.
Salt

We are planning to encrypt the string using Salt key.

Can we rotate the Salt key also just like clientSceret, if we rotate salt key does it support back ward compatibility?

My requirement is if i rotate salt key then the strings which are encrypted using old salt key should be decrypted after salt key rotation? Is that possible, if not what are the other options i have.

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2020-08-12T23:05:36.467+00:00

@M MM
Are you just trying to use the salt key to hash passwords and store the secrets and keys within the Azure Key Vault?
Or are you going to be using this in conjunction with AzureAD, DBs, Apps, etc.? Or other encryption features (i.e. ADE, SSE+CMK, etc.)

If you can give some more clarity on what your environment looks like that would be much appreciated. If you plan to use AzureAD Connect, we do offer a feature called Password Hash Sync, which hashes your passwords using an MD4 hash followed by a SHA-256 hash.

Additional Links:
Azure Key Vault supported Keys
How password hash synchronization works
M MM 1 Reputation point

2020-08-13T18:00:20.957+00:00
this is the way i am planning to implement:

In Azure Key vault, we will be storing the salt key. Below is the flow iam thinking

We will be calling Azure key vault with the client id and client secret to get the salt key.

Once we receive the saltkey, we will be encrypting the string using salt key.

We send the encrypted string to vendor.

we share the Azure key vault client id and secret to vendor.

Vendor is going to call the azure key vault to get the salt key

Vendor using salt key they will decrypt the string.

My question is can we rotate saltkey periodically? if so, can we decrypt the existing string which is done by using old salt key?

if not what are the other ways we can look into it based on the above flow i mentioned.
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2020-08-13T23:20:04.953+00:00

It looks like you're only using the Azure Key Vault for storing and retrieving keys/secrets, since step 2 in your explanation, is a manual encryption of passwords using the salt key.

From my understanding, if you're manually encrypting your passwords, i.e. Password1 with SaltKey1: you want to rotate SaltKey1 to SaltKey2, you'll have to decrypt Password1 with SaltKey1 and re-encrypt Password1 with SaltKey2; or re-encrypt Password1 with SaltKey2. Otherwise, there'd be no way to decrypt Password1 with SaltKey2 since it was originally encrypted with SaltKey1.

To better help you, can you answer some more clarifying questions:
-What is the reason for manually encrypting these passwords?
-What are these passwords used for? Users, Apps, etc.?
-Is the Vendor accessing other Azure offerings with this password? i.e VM, storage, DB, App, AzureAD, etc.
-Any other information would be much appreciated.

If you'd like to schedule a call or talk over email, please let me know.
M MM 1 Reputation point

2020-08-14T12:50:31.153+00:00

Thank You JamesTran for your reply and time., PLese find my answers for my questions.

-What is the reason for manually encrypting these passwords?
There is no specific reason, it is one of the way to encrypt the password, if there is better way with more secure and also if it helps the salt key rotation i can change my implenetation based on the suggestions.

-What are these passwords used for? Users, Apps, etc.?
This is encrytped string(PCI data) ,some of the data used at vendor application

Is the Vendor accessing other Azure offerings with this password? i.e VM, storage, DB, App, AzureAD, etc.
Iam not sure about vendor azure offerings.

1 answer

Your answer

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2020-08-12T23:05:36.467+00:00

@M MM
Are you just trying to use the salt key to hash passwords and store the secrets and keys within the Azure Key Vault?
Or are you going to be using this in conjunction with AzureAD, DBs, Apps, etc.? Or other encryption features (i.e. ADE, SSE+CMK, etc.)

If you can give some more clarity on what your environment looks like that would be much appreciated. If you plan to use AzureAD Connect, we do offer a feature called Password Hash Sync, which hashes your passwords using an MD4 hash followed by a SHA-256 hash.

Additional Links:
Azure Key Vault supported Keys
How password hash synchronization works
M MM 1 Reputation point

2020-08-13T18:00:20.957+00:00

this is the way i am planning to implement:

In Azure Key vault, we will be storing the salt key. Below is the flow iam thinking

We will be calling Azure key vault with the client id and client secret to get the salt key.

Once we receive the saltkey, we will be encrypting the string using salt key.

We send the encrypted string to vendor.

we share the Azure key vault client id and secret to vendor.

Vendor is going to call the azure key vault to get the salt key

Vendor using salt key they will decrypt the string.

My question is can we rotate saltkey periodically? if so, can we decrypt the existing string which is done by using old salt key?

if not what are the other ways we can look into it based on the above flow i mentioned.
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2020-08-13T23:20:04.953+00:00

It looks like you're only using the Azure Key Vault for storing and retrieving keys/secrets, since step 2 in your explanation, is a manual encryption of passwords using the salt key.

From my understanding, if you're manually encrypting your passwords, i.e. Password1 with SaltKey1: you want to rotate SaltKey1 to SaltKey2, you'll have to decrypt Password1 with SaltKey1 and re-encrypt Password1 with SaltKey2; or re-encrypt Password1 with SaltKey2. Otherwise, there'd be no way to decrypt Password1 with SaltKey2 since it was originally encrypted with SaltKey1.

To better help you, can you answer some more clarifying questions:
-What is the reason for manually encrypting these passwords?
-What are these passwords used for? Users, Apps, etc.?
-Is the Vendor accessing other Azure offerings with this password? i.e VM, storage, DB, App, AzureAD, etc.
-Any other information would be much appreciated.

If you'd like to schedule a call or talk over email, please let me know.
M MM 1 Reputation point

2020-08-14T12:50:31.153+00:00

Thank You JamesTran for your reply and time., PLese find my answers for my questions.

-What is the reason for manually encrypting these passwords?
There is no specific reason, it is one of the way to encrypt the password, if there is better way with more secure and also if it helps the salt key rotation i can change my implenetation based on the suggestions.

-What are these passwords used for? Users, Apps, etc.?
This is encrytped string(PCI data) ,some of the data used at vendor application

Is the Vendor accessing other Azure offerings with this password? i.e VM, storage, DB, App, AzureAD, etc.
Iam not sure about vendor azure offerings.

Answer 1

@M MM
Looking at your TechNet forum post and referencing your flow:

Salt Key Flow:
We will be calling Azure key vault with the client id and client secret to get the salt key
Once we receive the saltkey, we will be encrypting the string using salt key.
We send the encrypted string to vendor.
we share the Azure key vault client id and secret to vendor.
Vendor is going to call the azure key vault to get the salt key
Vendor using salt key they will decrypt the string.

This issue is more related to the actual Salt Key, than the Azure Key Vault since you're not using Azure to encrypt passwords. You're only storing keys/secrets, and utilizing the ClientID/Secret to encrypt your passwords manually. Additionally, it sounds like your main concern is - when you do rotate salt keys, can you decrypt the existing string with the new salt key.

From my understanding of key rotation, as I stated previously:
If you're encrypting your passwords, i.e. Password1 with SaltKey1: you want to rotate SaltKey1 to SaltKey2, you'll have to decrypt Password1 with SaltKey1 and re-encrypt Password1 with SaltKey2; or re-encrypt Password1 with SaltKey2. Otherwise, there'd be no way to decrypt Password1 with SaltKey2 since it was originally encrypted with SaltKey1.

The key point is, if you plan to rotate keys, you should decrypt any old strings prior to rotating keys. Once the salt key is rotated, you can then re-encrypt those strings with the new salt key.
If you rotate keys prior to decrypting/re-encrypting, you need to somehow "reference/re-encrypt" that password with the new key.

You also have the option of not having your keys/secrets expire.

However, if your salt key is compromised or if you plan to rotate these keys periodically you'll most likely have to go through one of the decryption/encryption scenarios I stated above.

Lastly, I reached out to my team regarding your issue and since you're manually encrypting your passwords and not using an Azure feature to do so, besides the Key Vault to store keys/secrets, this issue isn't supported. I'd recommend reaching back out to Xingyu within the TechNet forums for further guidance.

Full list of supported products
Azure encryption overview

If you have any other questions regarding this issue, please let me know.
Thank you for your time and patience throughout this issue.

Share via

Salt Key rotation

1 answer

Your answer