Key vault
- Service used to manage keys, secrets, and certificates
- Eliminates the need for developers to store security information in their code
VM encryption
- Encrypt a disk with keys to be stored in key vault
# Encrypt the VM's disks with a key-encryption key that lives in Key Vault.
# The vault must have been created with --enabled-for-disk-encryption for this to succeed.
az vm encryption enable --resource-group "demo-rg" --name "key-vm" --disk-encryption-keyvault "hvitoi-kv"
Access Policies
- There are two permission models
  - Vault access policy: separate access control for the key vault (default)
  - Azure role-based access control: define access to secrets by means of native Azure RBAC roles
- Access for AD entities is defined under Settings/Access policies
- The IAM tab is only for visualizing and manipulating the key vault resource itself, not its secrets and keys (except under the Azure RBAC permission model)
- Key permissions: get, list, decrypt, encrypt
- Secret permissions: get, list
- Certificate permissions
Dotnet connectivity
<ItemGroup>
<!-- Azure.Identity: provides ClientSecretCredential used to authenticate to Key Vault. -->
<PackageReference Include="Azure.Identity" Version="1.3.0" />
<!-- Secrets package: SecretClient / GetSecret. -->
<PackageReference Include="Azure.Security.KeyVault.Secrets" Version="4.1.0" />
<!-- Keys package: KeyClient and CryptographyClient (Encrypt / Decrypt with a vault key). -->
<PackageReference Include="Azure.Security.KeyVault.Keys" Version="4.1.0" />
</ItemGroup>
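// AD User/Service-Principal/Group used to call Key Vault.
// Read from the environment rather than hard-coding: a client secret in source ends up in
// version control and build logs. In production prefer a managed identity (Azure.Identity's
// DefaultAzureCredential) so the application never handles a secret at all.
private static readonly string tenantId = RequireEnv("AZURE_TENANT_ID");
private static readonly string clientId = RequireEnv("AZURE_CLIENT_ID");
private static readonly string clientSecret = RequireEnv("AZURE_CLIENT_SECRET");

// Key vault info
private static readonly string keyVaultUrl = "https://hvitoi.vault.azure.net/";
private static readonly string secretName = "dbpassword";
private static readonly string keyName = "encryptionkey"; // RSA 2048

// Returns the named environment variable, failing fast with a clear message when it is unset.
private static string RequireEnv(string name) =>
    Environment.GetEnvironmentVariable(name)
    ?? throw new InvalidOperationException($"Environment variable '{name}' is not set.");

static void Main(string[] args)
{
    var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);

    // Retrieve secret
    var secretClient = new SecretClient(new Uri(keyVaultUrl), credential);
    var secret = secretClient.GetSecret(secretName); // get the db password
    // Do not echo the secret value: console output and logs are rarely protected like the vault is.
    Console.WriteLine($"Retrieved secret '{secretName}' ({secret.Value.Value.Length} characters)");

    // Retrieve key
    var keyClient = new KeyClient(new Uri(keyVaultUrl), credential);
    var key = keyClient.GetKey(keyName);

    // CryptographyClient (Azure.Security.KeyVault.Keys) performs cryptographic operations with
    // Key Vault keys; the private key material stays in Key Vault and is never downloaded.
    var cryptoClient = new CryptographyClient(key.Value.Id, credential);

    // ENCRYPT: RSA-OAEP over the UTF-8 bytes of the message.
    // NOTE: RSA can only encrypt payloads smaller than the modulus; for larger data use the
    // vault key to wrap a symmetric data key instead.
    byte[] plaintextBytes = Encoding.UTF8.GetBytes("Hi there!");
    EncryptResult encryptResult = cryptoClient.Encrypt(EncryptionAlgorithm.RsaOaep, plaintextBytes);
    Console.WriteLine("The encrypted text");
    Console.WriteLine(Convert.ToBase64String(encryptResult.Ciphertext));

    // DECRYPT: Ciphertext is already a byte[] here. If it had been transported as the Base64
    // string printed above, Convert.FromBase64String would be needed first.
    byte[] cipherBytes = encryptResult.Ciphertext;
    DecryptResult decryptResult = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep, cipherBytes);
    Console.WriteLine(Encoding.UTF8.GetString(decryptResult.Plaintext));
}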
- Encrypt blob
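// NOTE(review): this snippet uses the older Microsoft.Azure.KeyVault / Microsoft.Azure.Storage
// client-side encryption stack, not the Azure.* packages referenced above; the two stacks do not
// share client objects. KeyVaultClient takes an authentication callback, not a URI string.
private static readonly KeyVaultClient keyVaultClient =
    new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetKeyVaultTokenAsync));

// Full identifier of the key-encryption key (placeholder: fill in the vault and key name).
private const string keyIdentifier = "https://<vault-name>.vault.azure.net/keys/<key-name>";

// TODO: acquire an Azure AD access token for `resource` (e.g. via MSAL); out of scope for these notes.
private static Task<string> GetKeyVaultTokenAsync(string authority, string resource, string scope) =>
    throw new NotImplementedException("Key Vault token acquisition is not implemented in this snippet.");

// Builds a blob client whose uploads are client-side encrypted with a Key Vault key and returns
// the (created-if-missing) root container. storageUri and GetCredentials() are defined elsewhere
// in the notes.
public static async Task<CloudBlobContainer> GetCloudBlobContainer()
{
    // Blob Client
    var blobClient = new CloudBlobClient(new Uri(storageUri), GetCredentials());

    // KeyVault encryption resolver: lets the storage SDK unwrap content keys with Key Vault keys.
    var resolver = new KeyVaultKeyResolver(keyVaultClient);

    // Resolve the key-encryption key as an IKey (a KeyBundle from GetKeyAsync is not usable here).
    var key = await resolver.ResolveKeyAsync(keyIdentifier, default);

    // Envelope encryption: each blob gets a fresh content key, which is wrapped with `key`.
    var policy = new BlobEncryptionPolicy(key, resolver);
    blobClient.DefaultRequestOptions.EncryptionPolicy = policy;
    // Fail any unencrypted transfer instead of silently bypassing the policy.
    blobClient.DefaultRequestOptions.RequireEncryption = true;

    var container = blobClient.GetRootContainerReference();
    await container.CreateIfNotExistsAsync();
    return container;
}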