Azure key vault (1) Introduction

Azure Key Vault It is a safe management secret Secret（ password , Token, etc ）, secret key Key And certificates Certificate Service for .

Let's talk about why we use Key Vault, What are its advantages :

• Centralized management ‘ confidential ’ data

Note： Microsoft's official documents are translated as confidential , But I think the word "secret" is more like a noun of degree . We can say that ‘ confidential ’ It can be understood as data similar to passwords , It's just Key Vault You can save more than just passwords , You can also save certificates , Token, etc .

Key Vault It can greatly reduce the possibility of accidental disclosure of secrets . With Key Vault, Developers no longer need to store security information in applications .

No need to store security information in applications , So there is no need to include this information as part of the code . for example , If Function App Need to connect to D365 Service for , The connection string can be safely stored in Key Vault in , Not stored in application code .

The program can use URI Information required for secure access . these URI Allows programs to retrieve a specific version of the secret . This eliminates the need to write custom code to protect data stored in Key Vault Any confidential information in .

• Secure storage of secrets and keys

Access to the key vault requires authentication and authorization , Otherwise caller （ User or application ） cannot access . Authentication can be used to determine the identity of the caller , Authorization determines what the caller can do .

Authentication passed Azure AD To complete . Authorization can be obtained through Azure Role-based access control (Azure RBAC) or Key Vault Access policy to complete . Azure RBAC It can be used to manage the vault and access the data stored in the vault , The key vault access policy can only be used when trying to access the data stored in the vault .

Key Vault It can also be controlled by the hardware security module in the high-level layer (HSM) Provide hardware protection . Software protected key 、 Passwords and certificates are provided by Azure Use industry standard algorithm and key length for protection . If you need to improve reliability , Can be in HSM Never import or build beyond HSM The key of the boundary . 

The last thing to point out is , according to Azure Key Vault The design of the ,Microsoft Unable to view or extract data （ This is what Microsoft said ）.

• Monitor usage

establish Key Vault in the future , We may need to monitor how and when users access keys and confidential data . At this point, you can monitor activity by enabling logging for the vault .

You can control your own log , You can also restrict access rights to ensure log security , You can also delete logs that you no longer need .

• Simplify the management of secrets

• No need to know the internal knowledge of the hardware safety module .
• Copy within an area Key Vault The content of , And copy it to the secondary area . Data replication ensures high availability , No administrator action is required to trigger failover .
• Through the portal 、Azure CLI and PowerShell Provide standard Azure Management options to manage .
• For from public CA Purchased certificates automatically perform certain tasks , Such as registration and renewal .

in addition , You can also use Azure Key Vault To isolate application secrets .

Programs can only access the vaults they have access to , And can only perform specific operations . You can create one for each program Azure Key Vault, Only specific programs and teams of developers have access to the store Key Vault Secrets in .

• And Azure Integration with other services of

• Azure encryption
• Azure App Service
• SQL The server and Azure SQL Encryption function in database