Implement Azure Key Vault Flashcards

(12 cards)

1
Q

What types of containers does Key Vault (KV) support?

A
  • vaults = store software-protected and HSM-protected keys, secrets and certificates
  • managed hardware security module (HSM) pools = store HSM-protected keys only
2
Q

What are the two service tiers of KV?

A
  • Standard = keys are protected by software (no HSM)
  • Premium = additionally supports HSM-protected keys
3
Q

What are the benefits of KV?

A
  • Centralised application secrets = you control their distribution instead of scattering them through app code and config
  • Secure storage = a caller must authenticate (Entra ID) and be authorised (Azure RBAC or a vault access policy) before it can access anything
  • Monitor access and use = enable logging for your vaults (and restrict access to the logs themselves); logs can be archived to a storage account, streamed to an event hub, or sent to Azure Monitor logs
  • Simplified administration of application secrets = no in-house HSM knowledge needed, scales quickly, replicates vault contents within a region and to a secondary region (geo-redundancy), accessible via the portal, Azure CLI and PowerShell, and automates tasks on certificates bought from public CAs (enrolment and renewal)
4
Q

What are the three ways to authenticate to KV?

A
  • Managed identities for Azure resources = best practice; the app/service does not manage rotation, Azure automatically rotates the service principal client secret associated with the identity
  • Service principal and certificate = use a service principal with an associated certificate that has access to KV; not recommended because the app owner must rotate the certificate
  • Service principal and secret = not recommended; it is hard to automatically rotate the bootstrap secret that is used to authenticate to the vault
5
Q

How does KV enforce Transport Layer Security (TLS) to protect data while it travels between KV and clients?

A
  • Clients negotiate a TLS connection with KV, which provides strong authentication, message privacy and integrity (detection of tampering, interception and forgery)
  • Perfect Forward Secrecy (PFS) protects connections between the customer's client systems and Microsoft cloud services by using unique per-session keys, so a compromised long-term key does not expose past sessions
  • Connections use RSA-based 2048-bit encryption key lengths
6
Q

What are best practices for KV?

A
  • Use a separate KV per application per environment (dev, pre-production, production); this limits the blast radius if one vault is breached and keeps environment secrets from being shared
  • Control access to the vault: only authorised applications and users should reach it (authentication through Entra ID, authorisation through RBAC or access policies)
  • Backup: take regular backups of the vault when objects in it are created, updated or deleted
  • Logging: turn on logging and alerts
  • Recovery options: turn on soft-delete and purge protection so deleted vaults and objects can be recovered and cannot be force-purged during the retention period
7
Q

What are the 2 ways an app can obtain a service principal that Entra ID uses to authenticate it to KV?

A
  • System-assigned managed identity = Azure internally manages the app's service principal and automatically authenticates the app with other Azure services; recommended
  • Registration with the Entra tenant = used when managed identity is not available; registration also creates a second application object that identifies the app across all tenants
8
Q

What is the KV SDK?

A
  • The KV SDK uses the Azure Identity client library, which lets the same code authenticate to KV across environments (local development, CI, Azure) without code changes
  • The Azure Identity SDK is available for .NET, Python, Java and JavaScript
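The following is an added example (not code from the flashcards or from Microsoft) covering the managed-identity and SDK cards above: it reads a secret through the Azure Identity client library and the Key Vault secrets client. It needs the azure-identity and azure-keyvault-secrets packages plus a signed-in identity (a managed identity when running in Azure, `az login` on a workstation); the SDK is imported inside the functions that use it, so the name/URL helpers work without it. The vault and secret names in the usage call are placeholders.

```python
"""Read a Key Vault secret with the Azure Identity client library.

Added example, not code from the flashcards or from Microsoft. Requires the
azure-identity and azure-keyvault-secrets packages; the vault and secret names
used at the bottom are placeholders.
"""
import re

# Azure's naming rule for vaults: 3-24 chars, letters/digits/hyphens, starts with a
# letter, ends with a letter or digit, no consecutive hyphens.
_VAULT_NAME = re.compile(r"^[A-Za-z](?:[A-Za-z0-9]|-(?!-))*[A-Za-z0-9]$")


def is_valid_vault_name(name: str) -> bool:
    return 3 <= len(name) <= 24 and _VAULT_NAME.match(name) is not None


def vault_url(name: str, dns_suffix: str = "vault.azure.net") -> str:
    """Build the vault endpoint from its name, rejecting names Azure would refuse."""
    if not is_valid_vault_name(name):
        raise ValueError(f"invalid Key Vault name: {name!r}")
    return f"https://{name}.{dns_suffix}"


def make_credential(production: bool = False, managed_identity_client_id: str = None):
    """Pick the credential; the same SDK call chain works locally and in Azure.

    DefaultAzureCredential tries environment variables (service principal secret or
    certificate), managed identity, then developer sign-ins such as the Azure CLI.
    In production it is safer to pin ManagedIdentityCredential so a misconfigured host
    cannot silently fall back to a developer's cached credentials.
    """
    # Imported here so the helpers above stay usable without the Azure SDK installed.
    from azure.identity import DefaultAzureCredential, ManagedIdentityCredential

    if production:
        # client_id is only needed for a user-assigned identity; omit it for system-assigned.
        kwargs = {"client_id": managed_identity_client_id} if managed_identity_client_id else {}
        return ManagedIdentityCredential(**kwargs)
    return DefaultAzureCredential()


def read_secret(vault_name: str, secret_name: str, production: bool = False) -> str:
    """Fetch the current version of a secret; token acquisition and the 401 bearer
    challenge exchange are handled inside the SDK."""
    from azure.keyvault.secrets import SecretClient

    client = SecretClient(vault_url=vault_url(vault_name),
                          credential=make_credential(production=production))
    return client.get_secret(secret_name).value


if __name__ == "__main__":
    # Placeholder names: the vault must exist and the calling identity needs the
    # "Key Vault Secrets User" RBAC role (or an access policy with secret "get").
    print(read_secret("kv-myapp-prod", "db-password"))
```

Grant the identity only the secret-read permission it needs on that one vault; with RBAC that is the built-in Key Vault Secrets User role, which is enough for get_secret and nothing more.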
9
Q

How do we authenticate to KV with REST?

A
  • Access tokens must be sent to the service in the HTTP Authorization header:
  • PUT /keys/MYKEY?api-version=<api_version> HTTP/1.1
  • Authorization: Bearer <access_token>
  • If no token is supplied, or the token is not accepted, the service returns 401 with a WWW-Authenticate header
  • Parameters on this header are...
    + authorization = the address of the OAuth2 authorization service that can be used to obtain an access token for the request
    + resource = the name of the resource (https://vault.azure.net) to use in the authorization request
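The exchange described above, as an added example that is not part of the flashcards or Microsoft's code: it parses the WWW-Authenticate bearer challenge from a constructed 401 response, checks it before acting on it, and builds the retried PUT with the token in the Authorization header. The tenant ID is a placeholder, it assumes the public Azure cloud (login.microsoftonline.com and the vault.azure.net audience), and obtaining the token itself is left to your OAuth2 client.

```python
"""Handle Key Vault's 401 bearer challenge with the standard library only.

Added example (not from the flashcards or from Microsoft). The 401 header below
is constructed, the tenant ID is a placeholder, and the trusted authority and
resource are those of the public Azure cloud.
"""
import re
from urllib.request import Request

LOGIN_AUTHORITY_PREFIX = "https://login.microsoftonline.com/"
KEY_VAULT_RESOURCE = "https://vault.azure.net"

# Constructed sample of the header Key Vault sends back when the request has no token.
SAMPLE_WWW_AUTHENTICATE = (
    'Bearer authorization="https://login.microsoftonline.com/'
    '00000000-0000-0000-0000-000000000000", resource="https://vault.azure.net"'
)


def parse_bearer_challenge(header: str) -> dict:
    """Return the key="value" parameters of a 'Bearer ...' WWW-Authenticate header."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError(f"unsupported authentication scheme: {scheme!r}")
    return {k.lower(): v for k, v in re.findall(r'(\w+)="([^"]*)"', params)}


def validate_challenge(challenge: dict):
    """Return None if the challenge is safe to act on, else a reason string.

    The challenge is server-supplied: a client that trusts it blindly could be sent
    to a rogue authority or made to request a token for a different audience, so
    pin both values to what Key Vault in this cloud is expected to return.
    """
    authority = challenge.get("authorization", "")
    resource = challenge.get("resource", "")
    if not authority.startswith(LOGIN_AUTHORITY_PREFIX):
        return f"unexpected authority {authority!r}"
    if resource != KEY_VAULT_RESOURCE:
        return f"unexpected resource {resource!r}"
    return None


def token_scope(challenge: dict) -> str:
    """Translate a validated challenge into the OAuth2 scope to request (v2 endpoint form)."""
    problem = validate_challenge(challenge)
    if problem:
        raise ValueError(problem)
    return challenge["resource"] + "/.default"


def build_authorized_request(vault_url: str, key_name: str, access_token: str,
                             api_version: str = "7.4") -> Request:
    """Build the PUT from the card, carrying the token in the Authorization header."""
    url = f"{vault_url.rstrip('/')}/keys/{key_name}?api-version={api_version}"
    req = Request(url, method="PUT")
    req.add_header("Authorization", f"Bearer {access_token}")
    return req


if __name__ == "__main__":
    challenge = parse_bearer_challenge(SAMPLE_WWW_AUTHENTICATE)
    print("request a token from", challenge["authorization"], "for scope", token_scope(challenge))
    req = build_authorized_request("https://kv-demo.vault.azure.net", "MYKEY", "<access_token>")
    print(req.get_method(), req.full_url, req.get_header("Authorization"))
```

The validation step is the part worth keeping: the Azure SDK clients perform an equivalent check that the challenge resource matches the vault they were created for, and a hand-rolled REST client should not be weaker than that.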
10
Q

What command is used to create a KV?

A

az keyvault create --name <name> --resource-group <rgName> --location <location>

11
Q

What command is used to add a secret to a KV?

A

az keyvault secret set --vault-name <vaultName> --name <secretName> --value <secretValue>

12
Q

What command is used to get a secret from a KV?

A

az keyvault secret show --name <secretName> --vault-name <vaultName>
