Salt Key rotation

M MM 1 Reputation point
2020-08-12T18:48:14.72+00:00

Planning to implement encryption with Azure Key Vault with the following details along with the Key Vault URL:

ClientId
ClientSecret - Plan is to rotate yearly.
Salt

We are planning to encrypt the string using Salt key.

Can we rotate the Salt key also, just like the ClientSecret? If we rotate the salt key, does it support backward compatibility?

My requirement is: if I rotate the salt key, then the strings which were encrypted using the old salt key should still be decryptable after the salt key rotation. Is that possible? If not, what other options do I have?


1 answer

  1. JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator
    2020-08-17T20:54:56.543+00:00

    @M MM
    Looking at your TechNet forum post and referencing your flow:

    Salt Key Flow:
    We will be calling Azure Key Vault with the client ID and client secret to get the salt key.
    Once we receive the salt key, we will be encrypting the string using the salt key.
    We send the encrypted string to the vendor.
    We share the Azure Key Vault client ID and secret with the vendor.
    The vendor is going to call Azure Key Vault to get the salt key.
    Using the salt key, the vendor will decrypt the string.

    This issue is more related to the actual salt key than to Azure Key Vault, since you're not using Azure to encrypt passwords. You're only storing keys/secrets, and utilizing the ClientID/Secret to encrypt your passwords manually. Additionally, it sounds like your main concern is: when you do rotate salt keys, can you decrypt the existing string with the new salt key?

    From my understanding of key rotation, as I stated previously:
    If you're encrypting your passwords, i.e. Password1 with SaltKey1, and you want to rotate SaltKey1 to SaltKey2, you'll have to decrypt Password1 with SaltKey1 and re-encrypt Password1 with SaltKey2, or re-encrypt Password1 with SaltKey2. Otherwise, there'd be no way to decrypt Password1 with SaltKey2, since it was originally encrypted with SaltKey1.

    • The key point is, if you plan to rotate keys, you should decrypt any old strings prior to rotating keys. Once the salt key is rotated, you can then re-encrypt those strings with the new salt key.
    • If you rotate keys prior to decrypting/re-encrypting, you need to somehow "reference/re-encrypt" that password with the new key.

    You also have the option of not having your keys/secrets expire.
    [image: 18123-keyexp.jpg]

    However, if your salt key is compromised or if you plan to rotate these keys periodically you'll most likely have to go through one of the decryption/encryption scenarios I stated above.

    Lastly, I reached out to my team regarding your issue and since you're manually encrypting your passwords and not using an Azure feature to do so, besides the Key Vault to store keys/secrets, this issue isn't supported. I'd recommend reaching back out to Xingyu within the TechNet forums for further guidance.

    Full list of supported products
    Azure encryption overview

    If you have any other questions regarding this issue, please let me know.
    Thank you for your time and patience throughout this issue.

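The decrypt-then-re-encrypt procedure in the answer above, as an added example that is not part of the original thread and not Microsoft's or Azure Key Vault's code. What the thread calls a "salt key" is being used as a symmetric encryption key, and the way to keep old strings decryptable across rotation is to record the key version inside each ciphertext, keep old versions available until everything has been migrated, and only then retire them. The example uses Go's standard-library AES-GCM; the keys are generated locally instead of being fetched from Key Vault (an assumption so it runs offline), the version labels v1/v2 and the Keyring type are hypothetical, and the sample plaintext is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Keyring holds every key version still needed to decrypt stored data, plus
// the version that new encryptions use. In a real deployment the keys would be
// fetched from Key Vault by version; here they are generated locally
// (assumption made so the example runs offline).
type Keyring struct {
	keys    map[string][]byte
	current string
}

func NewKeyring() *Keyring { return &Keyring{keys: map[string][]byte{}} }

// Rotate adds a fresh 256-bit key under the given version label and makes it
// the default for new ciphertexts. Older versions stay in the ring.
func (k *Keyring) Rotate(version string) error {
	if _, exists := k.keys[version]; exists {
		return fmt.Errorf("key version %q already exists", version)
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	k.keys[version] = key
	k.current = version
	return nil
}

// Retire drops a key version once no stored ciphertext references it.
func (k *Keyring) Retire(version string) error {
	if version == k.current {
		return errors.New("cannot retire the current key version")
	}
	delete(k.keys, version)
	return nil
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns "<version>:<base64(nonce || ciphertext || tag)>". The version
// label is passed as associated data, so swapping it on a token breaks the tag.
func (k *Keyring) Encrypt(plaintext string) (string, error) {
	key, ok := k.keys[k.current]
	if !ok {
		return "", errors.New("keyring has no current key")
	}
	g, err := aead(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := g.Seal(nil, nonce, []byte(plaintext), []byte(k.current))
	return k.current + ":" + base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// Decrypt reads the version label, selects that key and decrypts. Tokens made
// under an older version keep working after a rotation as long as the version
// is still in the ring.
func (k *Keyring) Decrypt(token string) (string, error) {
	parts := strings.SplitN(token, ":", 2)
	if len(parts) != 2 {
		return "", errors.New("malformed token: missing version prefix")
	}
	version, payload := parts[0], parts[1]
	key, ok := k.keys[version]
	if !ok {
		return "", fmt.Errorf("key version %q is not available", version)
	}
	raw, err := base64.StdEncoding.DecodeString(payload)
	if err != nil {
		return "", err
	}
	g, err := aead(key)
	if err != nil {
		return "", err
	}
	if len(raw) < g.NonceSize() {
		return "", errors.New("malformed token: too short")
	}
	pt, err := g.Open(nil, raw[:g.NonceSize()], raw[g.NonceSize():], []byte(version))
	if err != nil {
		return "", fmt.Errorf("decrypt under %s failed: %w", version, err)
	}
	return string(pt), nil
}

// ReEncrypt migrates one stored token to the current version: decrypt with the
// old key, encrypt with the new one. Run it over every stored string before
// retiring the old version.
func (k *Keyring) ReEncrypt(token string) (string, error) {
	pt, err := k.Decrypt(token)
	if err != nil {
		return "", err
	}
	return k.Encrypt(pt)
}

func main() {
	ring := NewKeyring()
	_ = ring.Rotate("v1")
	old, _ := ring.Encrypt("SharedPassword1") // constructed sample plaintext
	_ = ring.Rotate("v2")
	pt, _ := ring.Decrypt(old)          // still works: token names v1
	migrated, _ := ring.ReEncrypt(old)  // now carried under v2
	_ = ring.Retire("v1")
	_, err := ring.Decrypt(old)         // fails: v1 is gone
	fmt.Println(pt, strings.HasPrefix(migrated, "v2:"), err)
}
```

The same shape applies when the key really is fetched from Key Vault: a secret or key in Key Vault keeps its earlier versions addressable by version identifier after a new version is created, so storing that identifier with the ciphertext lets the vendor fetch exactly the version needed, and the old version is disabled only once re-encryption has finished. One caveat on the flow quoted in the answer: handing the vendor the same client ID and secret your own application uses gives them identical access to the vault, so a separate service principal for the vendor with only get permission on the secret is the least-privilege arrangement.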
