Azure Key Vault – Step by Step

NOTE: This post was updated on Nov 12 2015 to incorporate breaking changes introduced in the Azure PowerShell 1.0 release.

Welcome!

In our introductory blog post we covered the overall Key Vault model. Today we’re going to dive into the specifics of using it. If you’ve not read the prior post, please do so before proceeding with this one. In the below Sumedh and Amit, PMs on the Key Vault Team, will offer a guided walk through with far more depth.

Thanks for your support!

Dan (twitter) on behalf of the Azure Key Vault Team

Here is the Azure page: https://azure.microsoft.com/services/key-vault

We value your input so please take a moment to follow us , join our advisory board , send us private feedback ,and/or visit our forum

 

Hi, 

In this post we take you through how to create and manage a key vault. We start with the lifecycle of a key vault. Next, we illustrate it with a basic example with PowerShell. Finally we wrap up by showing how to use these building blocks to achieve the full scenario that Dan outlined in the previous post.

During this preview, the management interface for a key vault is Azure PowerShell. In this post, we will assume you have basic working knowledge of PowerShell. If you do not, you should still be able to follow the overall flow from the example below, even if not every detail.

Key Vault lifecycle

In the simplest case you create a key vault, and you are the only person doing all operations with the key vault. In other cases, there may be up to four sets of people and any number of applications performing different tasks on a key vault. We'll demonstrate here the four core roles that we've enabled:

Key Vault lifecycle

 

1. Your usage of the Key Vault service begins with creating your own key vault. Do this using the cmdlet New-AzureRmKeyVault.

2. In all likelihood you created this key vault for one or more applications to use. You must register those applications in Azure Active Directory. You must also authorize them to use your vault. Do this using the cmdlet Set-AzureRmKeyVaultAccessPolicy.

Optional: To allow other users (say your team members) to add/remove keys to this key vault, authorize those users for those specific operations on your key vault. Do this also using the cmdlet Set-AzureRmKeyVaultAccessPolicy.

3. You, or the users you authorized, then add your secrets (e.g. passwords) and cryptographic keys to that key vault. Do this using the cmdlets Set-AzureKeyVaultSecret and Add-AzureKeyVaultKey respectively. For each secret or key that you add, you get a unique URI.

4. The application operator must configure applications to use the URI of your key vault (or of specific secrets or keys). The specific configuration steps are unique to each application; generally the application will provide you a place in their configuration to paste the URI of your key or secret.

5. Subsequently the application you authorized can use your key vault programmatically using the Key Vault REST API or Key Vault Client classes. The application can do the following:

  • It can read or write secrets into your key vault, if it is authorized for those operations.
  • It can use your keys by calling methods of the service such as decrypt or sign. The application cannot read (extract) your keys. This is because the Key Vault service performs the cryptographic operation on the application’s behalf.
  • The application may also add, remove, or update keys in your key vault, if authorized for those specific operations, but this is less common.

6. (Coming soon) You, the key vault owner, or a delegate such as an auditor, will be able to monitor operations performed on your keys and secrets by retrieving a usage log from the Key Vault service.

7. At any point, you or your delegate can update values of an existing keys or secret. Do this using the cmdlet Add-AzureKeyVaultKey with the existing key name, or Set-AzureKeyVaultKey with the existing secret name.

8. When you are done using your keys and secrets, delete them using the cmdlets Remove-AzureKeyVaultKey and Remove-AzureKeyVaultSecret respectively.

9. At any point, you can de-authorize (revoke) users and applications from accessing your key vault, or authorize other users and applications. Do this using the cmdlets Remove-AzureRmKeyVaultAccessPolicy and Set-AzureRmKeyVaultAccessPolicy.

10. When you are done using the key vault, delete the entire key vault using the cmdlet Remove-AzureRmKeyvault.

The next section walks you through an example of these steps with screenshots.

Step-by-step instructions

  • For step-by-step instructions to create your first key vault and authorize an application, see Getting Started with Key Vault.

  • Download sample applications. Follow the instructions in README.md to configure these applications. You need Visual Studio 2012 or 2013 to compile these applications.

Example

This example shows a developer Derick at Trey Research creating a key vault, adding a key to that key vault, and running the sample application HelloKeyVault with that key vault. Derick is using the account his organization gave him (derick@treycorpusa.onmicrosoft.com) and he has a 30-day trial subscription to Azure, good enough to play with Azure.

Get an identity for the application

First things first -- everybody who uses key vaults, whether users or applications, needs to be registered in Azure Active Directory (Azure AD). Derick’s user account is already in Azure AD. But his application is not. So he registers his instance of the HelloKeyVault sample application in his organization's (treycorpusa.onmicrosoft.com) Azure AD directory . The next few screenshots show the standard application registration workflow for Azure AD. None of these steps are unique to Azure Key Vault.

Derick signs in to the Azure management portal, and selects ACTIVE DIRECTORY on the left.

He sees his organization’s directory, “Trey Corporation”. He clicks it. In that directory, he clicks the APPLICATIONS tab.

This page normally shows him the applications he has previously registered. In this case he has none. He clicks the ADD icon at the bottom.

In the dialog that comes up, he enters a name for his application 'DerickHelloKeyVault' and chooses the type WEB APPLICATION. He clicks the arrow at the bottom to go to the next screen.

It asks him for a couple of URIs. The sign-on URI is relevant if the application has a sign-on page for users. This sample application does not have one, so we can enter any value there. In the App ID URI, Derick enters a URI that is unique within his organization. The corresponding site does not need to exist, the URI is just a label that uniquely identifies the application in the organization’s directory.

Now that the application is added, he goes to the CONFIGURE TAB.

He scrolls down to find the application’s CLIENT ID, also known as App ID. He notes this down.

 

He also creates a new client secret that will be used by the application as a credential to sign in to Azure AD. In the portal this secret is called ‘keys’ – this has no relation to key vaults! He chooses an expiry of one year, clicks SAVE at the bottom. He notes down the generated secret, highlighted in the screen below.

 

At this point he has an identity and a credential for his application.

Create and configure a key vault

Let’s get back to key vaults. During this preview, the management interface to Azure Key Vault is Azure PowerShell. Derick installs the latest Azure PowerShell (1.0.1 or higher). He signs in, using the cmdlet Login-AzureRmAccount.

PS C:\> Login-AzureRmAccount

Environment : AzureCloudAccount : Derick@TreyCorpUSA.onmicrosoft.comTenantId : 51c8149f-9cf0-4693-b38e-4e1b028d534cSubscriptionId : 50e645f3-0cfe-4f91-aea5-fb03fe0a1f40CurrentStorageAccount :

PS C:\>

All Azure resources created via the Azure Resource Manager must be contained in resource groups. So Derick creates a new resource group called DerickDevRG to house the key vault he is going to create next.

PS C:\> New-AzureRmResourceGroup -Name DerickDevRG -Location 'West Europe'

ResourceGroupName : DerickDevRGLocation : westeuropeProvisioningState : SucceededTags :ResourceId : /subscriptions/50e645f3-0cfe-4f91-aea5-fb03fe0a1f40/resourceGroups/DerickDevRG

PS C:\>

Now he creates a new key vault called DerickKeyVault in West Europe. The “accessPolicies” section of the output shows the permissions. By default, Derick has permissions to create keys, delete keys, list keys, update keys, backup keys, restore keys, and get the public half of keys in this key vault. He also has permissions to do anything with secrets in this key vault.

PS C:\> New-AzureRmKeyVault -VaultName DerickKeyVault -ResourceGroupName DerickDevRG -Location 'West Europe' 

Vault Name : DerickKeyVaultResource Group Name : DerickDevRGLocation : West EuropeResource ID : /subscriptions/50e645f3-0cfe-4f91-aea5-fb03fe0a1f40/resourceGroups/DerickDevRG/provi                                   ders/Microsoft.KeyVault/vaults/DerickKeyVaultVault URI : https://DerickKeyVault.vault.azure.netTenant ID : 51c8149f-9cf0-4693-b38e-4e1b028d534cSKU : StandardEnabled For Deployment? : FalseEnabled For Template Deployment? : FalseEnabled For Disk Encryption? : FalseAccess Policies :                                   Tenant ID : 51c8149f-9cf0-4693-b38e-4e1b028d534c                                   Object ID : d185ba80-22d4-44e4-b8db-465e2fe75c9e                                   Application ID :                                   Display Name : Derick Devereux (Derick@TreyCorpUSA.onmicrosoft.com)                                   Permissions to Keys : get, create, delete, list, update, import, backup,                                   restore                                   Permissions to Secrets : all

Tags :

PS C:\>

Derick can authorize other users and applications. In this case he has created the key vault for himself, so he does not need to authorize any other users. He does need to authorize the instance of the HelloKeyVault application that he just registered in Azure AD. He does this as shown next. In the ServicePrincipalName parameter, he passes in the CLIENT ID that he noted down when registering the application in Azure AD. He grants this application permission to encrypt, decrypt, wrap, and unwrap with keys in the key vault. The Set-AzureRmKeyVaultAccessPolicy cmdlet runs silently (no output) if it runs successfully. Derick runs the 'Get-AzureRmKeyVault' command to confirm permissions.

PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName 'DerickKeyVault' -ServicePrincipalName 'fde2b411-33d5-4e11-af04-eb07b669ccf2' -PermissionsToSecrets get -PermissionsToKeys wrapKey,unwrapKey,decrypt,encryptPS C:\> Get-AzureRmKeyVault -VaultName 'DerickKeyVault'

Vault Name : DerickKeyVaultResource Group Name : DerickDevRGLocation : West EuropeResource ID : /subscriptions/50e645f3-0cfe-4f91-aea5-fb03fe0a1f40/resourceGroups/DerickDevRG/provi                                   ders/Microsoft.KeyVault/vaults/DerickKeyVaultVault URI : https://derickkeyvault.vault.azure.net/Tenant ID : 51c8149f-9cf0-4693-b38e-4e1b028d534cSKU : StandardEnabled For Deployment? : FalseEnabled For Template Deployment? : FalseEnabled For Disk Encryption? : FalseAccess Policies :                                   Tenant ID : 51c8149f-9cf0-4693-b38e-4e1b028d534c                                   Object ID : d185ba80-22d4-44e4-b8db-465e2fe75c9e                                   Application ID :                                   Display Name : Derick Devereux (Derick@TreyCorpUSA.onmicrosoft.com)                                   Permissions to Keys : get, create, delete, list, update, import, backup,                                   restore                                   Permissions to Secrets : all

                                   Tenant ID : 51c8149f-9cf0-4693-b38e-4e1b028d534c                                   Object ID : 766450f4-715f-4e24-8b5c-d78d77900e21                                   Application ID :                                   Display Name : DerickHelloKeyVault (https://DerickHelloKeyVault)                                   Permissions to Keys : wrapKey, unwrapKey, decrypt, encrypt                                   Permissions to Secrets : get

Tags :PS C:\>

Derick sees two sets of permissions. The first is for himself. The second is for his application, "DerickHelloKeyVault".

Finally, he adds a key. Since this is not a production deployment, he specifies a Destination of ‘Software’. This creates a software-protected key. Operations on software-protected keys happen on Azure VMs (as opposed to operations on HSM-protected keys, which happen on an HSM.)

PS C:\> Add-AzureKeyVaultKey -VaultName DerickKeyVault -Name DerickRSAKey1 -Destination SoftwareAttributes : Microsoft.Azure.Commands.KeyVault.Models.KeyAttributesKey : {"kid":"https://derickkeyvault.vault.azure.net/keys/DerickRSAKey1/f3ade24c46674c118b99f4b6ac0ab6a4","kty": "RSA","key_ops":["encrypt","decrypt","sign","verify","wrapKey","unwrapKey"],"n":"q1VAUkIeh60_zhUgMeJr3XCpg 3uviNDccFnsEOpzgOQRrMZCxbArFG7g2sYwljp6r4cZ2X--Bj6e0UUMKdlahMiHt0W4Pkz28Zp3s37E5SxuYPTrTM87ixNQFECDgj7x-Ue EeTkAyXICaqFmI1pjLOTmqYCKkS0-3RG8oQcbv1Zcxdlima_yr4nLnDf2a-8aWEpxgVUYRBzIADKdSoToAEPqaz8daJmBL2_1YedwPsd_M BSFzRqfANdxPydKiQoSJ5-l7HvxVaQHsrgOO3OQiphRw4WKJhm1Vatws7xoUahBzHRVFNMMK84ce5fywdMB7Pu0Sgl0_VhxhQ2n2Gt8DQ" ,"e":"AQAB"}VaultName : derickkeyvaultName : DerickRSAKey1Version : f3ade24c46674c118b99f4b6ac0ab6a4Id : https://derickkeyvault.vault.azure.net:443/keys/DerickRSAKey1/f3ade24c46674c118b99f4b6ac0ab6a4

PS C:\>

Configure and run application

He downloads the Hello Key Vault sample application. In the app.config file he adds the URI of his key vault, and the CLIENT ID and secret that he noted down when he registered his application in Azure AD. He then compiles the application.

He runs the application. He specifies parameters ‘encrypt’ and ‘decrypt’. Doing this makes the Hello Key Vault execute only those operations against the vault. The application signs in to Azure AD, then uses that token to authenticate to Azure Key Vault.

The scenario from the first post

Now that you have seen the basic flow, let’s use the building blocks to stitch together the real-world business problem mentioned in the first post in this blog. In that scenario, Contoso discovered that their LOB application is not as secure as they thought. They decided to move all keys into a key vault, instead of being packaged with the application. Contoso outsources all development.

When the outsourced developers build and test the application, they follow exactly the steps shown above for Derick. They do this with subscriptions belonging to them. They register (the test instances of) their application in their own Azure AD tenant.

When the outsourced developers are done, Contoso’s IT department takes the application for a test drive. The difference is that Contoso’s IT now registers the application in Contoso’s Azure AD tenant. They also create a key vault in their own Azure subscription.

If this test drive succeeds, they decide to move the application to production. The difference in this step is:

  • To reduce exposure to keys, Contoso's CSO Cecil is the one who creates a key vault. He does this in a subscription reserved for that class of assets.
  • To meet his organization's compliance rules, Cecil creates an HSM-protected key. To do this he must created a Premium SKU key vault.

PS C:\> New-AzureRmResourceGroup -Name 'TreyPayrollRG' -Location 'West Europe' VERBOSE: 09:36:59 AM - Created resource group 'DerickDevRG' in location 'westeurope' ResourceGroupName : TreyPayrollRG Location : westeurope ProvisioningState : Succeeded Tags : Permissions : Actions NotActions ======= ========== * ResourceId : /subscriptions/50e64f3-0cfe-4f91-aea5-fb03fe0a1f40/resourceGroups/TreyPayrollRGPS C:\>PS C:\> New-AzureRmKeyVault -VaultName 'TreyPayrollVault' -ResourceGroupName 'TreyPayrollRG' -Location 'West Europe' -SKU Premium Vault Name : TreyPayrollVault Resource Group Name : TreyPayrollRG Location : West Europe Resource ID : /subscriptions/50e64f3-0cfe-4f91-aea5-fb03fe0a1f40/resourceGroups/TreyPayrollRG/providers/Microsoft.KeyVault/vaults/TreyPayrollVault Vault URI : https://treypayrollvault.vault.azure.net Tenant ID : 51c8149f-9cf0-4693-b38e-4e1b028d534c SKU : Standard Enabled For Deployment? : False Access Policies : Tenant ID : 51c8149f-9cf0-4693-b38e-4e1b028d534c Object ID : 1869357a-74ae-46c4-92a5-c5c3c0ff824d Display Name : Derick Developer (cecil@TreyCorpUSA.onmicrosoft.com) Permissions to Keys : get, create, delete, list, update, import, backup, restore Permissions to Secrets : all Tags : PS C:\>

 

He authorizes the app. To keep this example simple, we show him authorizing Derick's instance of the app. In reality Cecil will insist on a new deployment in a subscription that is tightly controlled.

Cecil also adds an HSM-protected key.

PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName 'TreyPayrollVault' -ServicePrincipalName 'fde2b411-33d5-4e11-af04-eb07b669ccf2' -PermissionsToSecrets get -PermissionsToKeys wrapKey,unwrapKey,decrypt,encrypt

PS C:\> Add-AzureKeyVaultKey -VaultName 'TreyPayrollVault' -Name 'TreyPayrollMasterKey' -Destination HSM

Attributes : Microsoft.Azure.Commands.KeyVault.Models.KeyAttributes Key : {"kid":"https://treypayrollvault.vault.azure.net/keys/TreyPayrollMasterKey/f5c600ff19744fbe910d99b86816e30 2","kty":"RSA-HSM","key_ops":["encrypt","decrypt","sign","verify","wrapKey","unwrapKey"],"n":"oJwC4zTaLRM eNGhMDRxhBT6suzf6jyR4pC8FjmEUdTien49rUC4nDbvQzPZuMh94rV98sI0bmSjeA-7OD3INIfFZFkWMykpzRMyWOY8uEoCbnb7FPJ5J I_namH1mLX3LMRyGD_Spb7mvsn45lRKHztDr9wqcAq_MAyT43JUseLhkx5LyUO7roHIYBV5uO9dqOGOJHBwMIqVYrQjb_DgnPKB3tZeA1 r288oOTbad0eMg0PPP2BfS2eKN1e7tVNyDqi8AMorAGheGuOOGXmijUHGIDYKuZ4MAuwtCn09rIOD9xzwwBS46cSmLzN8aTzmSnXZIkGV RY0iDTYvCtm5Z7NQ","e":"AAEAAQ"} VaultName : treypayrollvault Name : TreyPayrollMasterKey Version : f5c600ff19744fbe910d99b86816e302 Id : https://treypayrollvault.vault.azure.net:443/keys/TreyPayrollMasterKey/f5c600ff19744fbe910d99b86816e302

Finally, he passes the URI of the key (or for some applications, the URI of the key vault) to the IT professional who is deploying the application. That application now is managed by the app operator, but at runtime uses the key vault created by the CSO. The keys in the key vault are out of sight for the application.

In closing

We showed the basic flow of creating a key vault, adding keys, and authorizing applications to use those keys. In an upcoming blog post, Sunil will show how to build on this to enable Transparent Data Encryption in SQL Server with keys in a key vault.

Keep watching this blog space. We will share updates as they come along.

We are looking forward to your feedback. Please take a moment to send us feedback and to join our advisory board. Your feedback is key (pun intended!) to making this service meet your needs in Azure!

Cheers,

Sumedh and Amit on behalf of the Azure Key Vault team.