Microsoft Azure: Create a key vault

Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything to which you want to tightly control access, such as API keys and subscription keys, passwords, secure content, connection strings, and certificates.

Developers no longer need to keep secure content in the UI application. Previously, for example, we stored the database connection string in the UI application as plain text, or wrote a custom encryption algorithm to encrypt and decrypt it. Microsoft now provides a way to store and retrieve secure content in Azure Key Vault, and Azure takes care of keeping that content safe.

I am sharing a quick experience that you may also have had in your own working environment. The production database is live and more tightly secured, but a developer can always find the production connection string in the config file and use it to log in to the database and edit values. If the developer updates a value wrongly, that becomes a bigger issue. In addition, when the admin changes the password frequently, the application has to be redeployed each time. To avoid these issues, application owners can use Azure Key Vault for the production database.

A good practice is to create a separate vault for each deployment environment of each of your applications, such as development, test, and production. 


In this article, we will learn more about how to create an Azure key vault using the Azure portal. Once you have created a key vault, you can enable the “Azure monitor Log” to monitor the key vault.

Create Azure Key Vault

Step 1: Navigate to the Azure portal and sign in, or create an account if you do not have one.

Step 2: Create a new Azure key vault as shown below.

Step 3: Go to Create a resource and search for “Key Vault”. You will get the following screen; click Create.

After clicking the Create button, you will get the following screen, where you provide the details of your key vault:
  1. Select the Subscription and Resource group.
  2. Provide the key vault name. The vault name must contain only alphanumeric characters and dashes and cannot start with a number.
  3. Select the region nearest to your deployment zone.
  4. Pricing tier: Key Vault is designed to store configuration secrets for server apps. It is not intended for storing data belonging to your app's users, and the cost model reflects this. The Azure Key Vault service is offered in two service tiers, standard and premium. The pricing table below is for the West US region in Indian currency. The recommended way is to check the official Microsoft website for the exact current pricing for your region.

Key Vault pricing

Fill in the details as shown in the screenshot below.

After clicking the Review + create button, the Azure portal validates the information and shows a review screen for confirmation.

Click Create and wait a few minutes for the deployment.

Click Go to resource. You will find three types of Azure Key Vault (KV) stores:
  1. secrets
  2. keys
  3. certificates (certs).
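
The portal steps above, scripted with the Azure CLI as an added example (not part of the original article): one vault per deployment environment, with the vault name checked first. The app name, region, naming scheme and `--apply` switch are assumptions, and the 3-24 character bound and hyphen placement checks are Azure's naming limits beyond the rule quoted above.

```shell
#!/bin/sh
# Added example: one Key Vault per deployment environment (dev, test, prod).
# APP, LOCATION and the "<app>-<env>-kv" naming scheme are hypothetical.
APP="${APP:-contosoapp}"
LOCATION="${LOCATION:-westus}"
SKU="${SKU:-standard}"          # service tier: standard or premium

# Rule from the article: alphanumerics and dashes only, no leading number.
# Azure additionally requires 3-24 characters, no leading or trailing dash
# and no consecutive dashes (not stated in the article).
valid_vault_name() {
    name=$1
    [ "${#name}" -ge 3 ] && [ "${#name}" -le 24 ] || return 1
    case $name in
        [0-9]*|-*|*-|*--*) return 1 ;;
        *[!A-Za-z0-9-]*)   return 1 ;;
    esac
    return 0
}

vault_name_for() { printf '%s-%s-kv' "$APP" "$1"; }

create_vault() {
    env=$1
    vault=$(vault_name_for "$env")
    if ! valid_vault_name "$vault"; then
        echo "invalid vault name: $vault" >&2
        return 1
    fi
    # A separate resource group per environment keeps access assignments apart.
    az group create --name "$APP-$env-rg" --location "$LOCATION" --output none &&
    az keyvault create --name "$vault" --resource-group "$APP-$env-rg" \
        --location "$LOCATION" --sku "$SKU" --output none
}

# Nothing is created unless the script is run with --apply.
if [ "${1:-}" = "--apply" ]; then
    for env in dev test prod; do
        create_vault "$env" || exit 1
    done
fi
```

Run it with `--apply` after `az login`; without the switch it only defines the functions.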

Secrets 

Provides secure storage of secrets, such as DB connection strings, account keys, or passwords for PFX (private key files). A secret is a name-value pair of strings. Secret names must be 1-127 characters long, contain only alphanumeric characters and dashes, and must be unique within a vault. A secret value can be any UTF-8 string up to 25 KB in size.
  1. Upload options: there are two types, Manual and Certificate.
  2. Name: Provide a valid secret name. Secret names can only contain alphanumeric characters and dashes.
  3. Value: Provide a single-line value. The Azure portal currently supports only single-line secret values; use Azure PowerShell to set multi-line values.
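
A way to run the name and size checks described above before uploading a multi-line secret, added here as an example and not taken from the original article. It uses the Azure CLI's `az keyvault secret set --file` rather than the Azure PowerShell the article mentions; the function names, the `--apply` switch and reading 25 KB as 25 × 1024 bytes are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for a Key Vault secret, then upload from a file.
MAX_SECRET_BYTES=25600   # "up to 25 KB", read here as 25 * 1024 bytes (assumption)

# Secret name rule from the article: 1-127 characters, alphanumerics and dashes.
valid_secret_name() {
    name=$1
    [ "${#name}" -ge 1 ] && [ "${#name}" -le 127 ] || return 1
    case $name in
        *[!A-Za-z0-9-]*) return 1 ;;
    esac
    return 0
}

# The value file must exist and fit within the size limit.
secret_file_ok() {
    [ -f "$1" ] || return 1
    size=$(( $(wc -c < "$1") ))
    [ "$size" -le "$MAX_SECRET_BYTES" ]
}

set_secret_from_file() {
    vault=$1; name=$2; file=$3
    valid_secret_name "$name" || { echo "bad secret name: $name" >&2; return 1; }
    secret_file_ok "$file" || { echo "file missing or over 25 KB: $file" >&2; return 1; }
    # Reading the value from a file keeps it out of shell history and the
    # process list; --output none stops the CLI echoing the value back.
    az keyvault secret set --vault-name "$vault" --name "$name" \
        --file "$file" --encoding utf-8 --output none
}

# Usage: script --apply <vault> <secret-name> <file>
if [ "${1:-}" = "--apply" ]; then
    set_secret_from_file "$2" "$3" "$4"
fi
```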

(Cryptographic) Keys 

Keys are represented as JWK (JSON Web Key). Key Vault supports multiple key types and algorithms and enables the use of Hardware Security Modules (HSM) for high-value keys.

There are 3 options to create a key:
  1. Generate - The key type is RSA or EC. Select the RSA or EC size and provide the activation and expiration dates.
  2. Import - Select your key to upload. The key type is RSA. Provide the activation and expiration dates.
  3. Restore Backup - Select an existing key to upload.

Certificates 

A Key Vault certificate is a managed X.509 certificate that is built on top of keys and secrets and adds automated renewal (auto-rollover). When a Key Vault certificate is created, an addressable key and secret are also created with the same name. The Key Vault key allows key operations, and the Key Vault secret allows retrieval of the certificate value as a secret. A Key Vault certificate also contains public X.509 certificate metadata.

If you try to browse to the secret, key, or certificate identifiers shown in the Azure portal, you will get an unauthorized response, because the key vault is not open to the public internet and access is controlled through Active Directory.

What next?

In this article, you created a new Azure key vault using the Azure portal. The next article will cover integrating Key Vault with Xamarin mobile applications.
