Best practices: How to handle sensitive data in Azure Resource Manager templates using Key Vault

Have you ever wondered how you could land in the DevOps world of Config-as-Code without storing configuration secrets (e.g. passwords) as plain text in source control? In this series of articles you'll learn how you can work with Azure Resource Manager (ARM) templates and Key Vault to protect your sensitive secrets.

Don't put secrets in source control!

We all know that we shouldn't keep sensitive information like credentials, authentication and software license keys in source control, especially those of production environments. The threat for your OnPremise environments is real if you do this but take a step back and think about what could happen if you expose cloud authentication keys or credentials. One of the biggest advantages of cloud computing is going to come back to bite you.

Cloud agility can only be positive right?

Agility of cloud environments like AWS and Microsoft Azure enables you to create a lot of resources like virtual machines very quickly. Now imagine someone with bad intentions with these informations in hand, he could easily spawn many VMs and leave you with a big invoice by the time you start to realize what is happening. You don't think this is real? Take a look at this story (Developers, Check Your Amazon Bills For Bitcoin Miners), there are hundreds of stories like theses every month! That being said, it is not only your wallet that can suffer from an error like this, it also opens the door for others to access and disrupt your servers, data, APIs, etc. I think you can easily image the consequences here.

Say hello to Azure Key Vault

If we could resume in a simplistic manner what Key Vault is, it would be something like this (taken from Azure documentation) :

Azure Key Vault helps safeguard cryptographic keys and secrets used by cloud applications and services. By using Key Vault, you can encrypt keys and secrets (such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords) by using keys that are protected by hardware security modules (HSMs). For added assurance, you can import or generate keys in HSMs. If you choose to do this, Microsoft will process your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware).

Key points:

  • Increase security and control over keys and passwords
  • Create and import encryption keys in minutes
  • Applications have no direct access to keys
  • Use FIPS 140-2 Level 2 validated HSMs
  • Reduce latency with cloud scale and global redundancy

Key Vault is not that new but...

Azure Key Vault integration and tooling in the platform evolve more and more but at the time I am writing this, there is no UI to create/modify a Key Vault from the Azure Portal neither is it integrated in tools like Visual Studio. Expect to spend some time at the command line (PowerShell or Azure CLI) or in ARM templates to create and modify your vault. Since we will focus on ARM templates in this series, we'll use a template to deal with the Key Vault creation.

Scenarios

Now let see how we can combine ARM templates and Key Vault to build more secure templates.

* Future - Never hardcode credentials in PowerShell DSC extension again

Credits

A special thanks to Brian Moore at Microsoft for helping me with this series.

I am the proud father of two little gems. A beer & wine enthusiasm. For everything else, I work and play with Azure at day, and I am an Azure MVP & Advisor at night.
Montreal, Canada