1. Lecture: Key Vault Overview
To begin this module: one of the key components for security in Azure is the concept of a Key Vault. A Key Vault is a service in Azure for safeguarding keys and secrets. So think of this as a vault as a service that you can create, as opposed to some of those services you may have had on your personal laptop or with other services from other vendors. It uses keys that are protected by hardware security modules, also known as HSMs. You can import or create new keys in your Key Vault, and these can be accessed by Azure Active Directory authenticated requests. So in many cases, you don’t even need to see the key itself; you’ve simply requested access to it from your Azure AD authenticated account.
Now, there’s a number of use cases associated with this, and let’s cover some of the developer ones. First of all, one big one is keeping keys external from applications. So rather than taking the key and putting it in the application itself, the application can make a request, say using a service principal, to the Key Vault to gain access to that key and then actually use that key. It also allows customers to bring their own keys for software-as-a-service type applications, and then you can access them via the Key Vault. And then for admins, there’s a couple of great use cases. Think of things like storing passwords in Key Vault so they can be referenced during ARM deployments; think of the secrets you might type into a machine, user names and passwords. Those could all be stored in Key Vault and then simply referenced, without you having to give that password over to somebody. And you can bring your own storage keys, as we talked about in the storage section. If you don’t want to use the generated keys from Azure, the managed keys from Azure, you could bring your own directly. And then we need to think about the SKUs available. There are only two with Key Vault, nothing too complicated: A1 Standard and P1 Premium. The only real difference between Premium and Standard is that P1 Premium supports HSM-backed keys. And you’ll see that in the upcoming demo that we go through.
If we look at some of the tasks associated with key management, let’s just take a look at the main ones. First of all, you can create or import a key or secret into your Key Vault. You can revoke or delete a key or a secret. You can authorize users to access the Key Vault, and you can configure and monitor key usage. So those are the four core management tasks around your Key Vault that you’ll be doing on a day-to-day basis. And that’s it for right now on key management for the tutorial. Check out the upcoming demo, and you’ll see how you can create these and create your own secrets and keys in there very easily.
2. Demo: Create a Key Vault Followed by a Key Secret
To begin with, simply select Create a Resource, scroll down to Security and Identity, and on the right-hand side you will see Key Vault. Select that. Now we need to give it some core pieces of information, so let’s give it a name, followed by our subscription, where we’ll continue to use the one we’ve been using throughout, and our resource group. In my case, I’ve created one called Slash Secure Purity for these demos. Then our location, where I’m going to continue to use North Central US. And then we can select our pricing tier. As I mentioned in the tutorials, we have the A1 Standard and P1 Premium pricing. P1 Premium gives us those HSM-backed keys as an option, but we’ll go ahead and use Standard for now. If we select Access Policies, we can now choose our user account and determine what that user can do.
So these are all the permissions, and there are some templates available for you. You can configure from a template by selecting the drop-down. So if you just want Key and Secret Management, we could select that, and that’s going to change all the permissions below. If I select Key permissions, you can see it’s already filled in all those key permissions there. If I look at Secret permissions, all of that’s filled in. But because I didn’t choose Certificate Management, you’ll see at the bottom that I don’t have any certificate options available to me. So you can get very granular with this, or you could simply select from the template at the top and choose the role that’s most appropriate for the user. In addition, you can also show advanced access policies.
This allows us to do various things: enabling access to Azure Virtual Machines for deployment, enabling access to Azure Resource Manager for template deployment, and enabling access to Azure Disk Encryption for volume encryption. You can turn these on just by selecting that drop-down at the top of the screen. With all that configured, simply select OK and Create, and that will now go ahead and create our key vault. We’ll fast forward; it takes about 30 seconds or so for your vault to get created. Okay. As you can see, we’re in our Key Vault screen now, and you can see our new Keyvolt SL key vault has been created.
So let’s go in there and look at some of the things that we can do. On the right we have our traditional overview and our various monitoring panes available to us. But on the left-hand side, you’ll see Keys, Secrets and Certificates, as well as Access Policies, which we discussed when we created the key vault. Let’s start with keys. If I hit Keys, you can see straight away I can do a few things. I can generate or import a new key. If I hit that, I can choose from this drop-down to generate a new key, upload a key, or restore from backup. And these are all RSA keys that we’re creating. So let’s give this key a name: SL key example.
Now you’ll notice something about the key type: I can’t choose the HSM option. So this key is going to be protected by software as opposed to those hardware modules. But if I’d chosen the higher Premium SKU, I would be able to select that from this location. I can set an activation date and an expiration date for the key, as well as whether it is enabled or not. Once I’ve set all that, I simply hit Create and that will create our key, which you can see there. Now, if I go into the key, I can also choose to create a new version of the key. So if I select this and I want a new version, I can choose to generate one. The same options appear on the right; hit Create. And here is a new version of this key example that I’ve got there.
And if I want to, say, deactivate the previous version, I can select that one and go ahead and disable it by selecting on the right-hand side. Now, you’ll notice all of these have a key identifier, and that’s how we locate the key. Specifically, it’s like a URI for the key that we can use to say, use that key for specific tasks that we want to do. And so that’s it for key operations. We can also go ahead and delete the key, and we can download a backup of the key if we wish as well. But that’s the key part there. So the next thing we need to look at is secrets. If I select Secrets, you’ll see I can generate one, and I’m going to choose Manual here.
There is a certificate option there, but it is deprecated. If I give it a name, I’ll call this SL knick user, and perhaps I’ve got a password associated with that user account. Then the same options are there: I can choose whether I want an activation date and expiration date, and whether it’s enabled or not. But that’s really all there is to secrets. Hit Create and it’s just storing that password for me. Now, the good thing is that if I need to use that secret, I can just reference the secret in the key vault and it will grab the password and pass it on to various things. Maybe I’m doing template deployments with ARM, those kinds of things. Great examples there, and just a great way to store a lot of the usernames and passwords that you use in IT. And with that, this concludes this demonstration, and I hope you’ve learned how to create your key vault and manage your keys and secrets.
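The same walkthrough as an Az PowerShell script, added here as an example and not part of the lecture. The resource group, vault, sign-in name and secret name are placeholders; it assumes the Az.KeyVault module and a session already signed in with Connect-AzAccount, and the identifier URIs it prints are what an application or an ARM template would reference instead of the secret value.

```powershell
# Added example (not from the lecture): the portal demo as an Az PowerShell script.
# Assumes Az.KeyVault is installed and Connect-AzAccount has already been run.
$ResourceGroup = 'rg-keyvault-demo'        # placeholder
$Location      = 'northcentralus'          # the region used in the demo
$VaultName     = 'kv-sl-demo-0001'         # placeholder; vault names must be globally unique
$UserUpn       = 'admin@contoso.example'   # placeholder sign-in name for the access policy

New-AzResourceGroup -Name $ResourceGroup -Location $Location -Force | Out-Null

# Standard SKU gives software-protected keys only; -Sku Premium is needed for HSM-backed keys.
# The three switches are the "advanced access policies" from the portal's Access Policies blade.
New-AzKeyVault -Name $VaultName -ResourceGroupName $ResourceGroup -Location $Location `
    -Sku Standard -EnabledForDeployment -EnabledForTemplateDeployment -EnabledForDiskEncryption | Out-Null

# Equivalent of the "Key & Secret Management" template: key and secret permissions only,
# deliberately no certificate permissions for this user.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -UserPrincipalName $UserUpn `
    -PermissionsToKeys get,list,create,import,update,delete,backup,restore `
    -PermissionsToSecrets get,list,set,delete,backup,restore

# Create a software-protected RSA key with an activation date and an expiration date.
$key = Add-AzKeyVaultKey -VaultName $VaultName -Name 'sl-key-example' -Destination Software `
    -NotBefore (Get-Date) -Expires (Get-Date).AddYears(1)
"Key identifier (URI): $($key.Id)"

# Adding a key with the same name creates a new version; then disable the previous version.
Add-AzKeyVaultKey -VaultName $VaultName -Name 'sl-key-example' -Destination Software `
    -Expires (Get-Date).AddYears(1) | Out-Null
Update-AzKeyVaultKey -VaultName $VaultName -Name 'sl-key-example' -Version $key.Version -Enable $false

# List all versions with their enabled state and expiry, as the portal's key blade shows them.
Get-AzKeyVaultKey -VaultName $VaultName -Name 'sl-key-example' -IncludeVersions |
    Select-Object Version, Enabled, Expires | Format-Table

# Download an encrypted backup blob of the key (the "Download Backup" button in the portal).
Backup-AzKeyVaultKey -VaultName $VaultName -Name 'sl-key-example' -OutputFile "$env:TEMP\sl-key-example.blob"

# Store a user's password as a secret; prompt for it rather than hard-coding it in the script.
$secure = Read-Host -Prompt 'Password for sl-demo-user' -AsSecureString
$secret = Set-AzKeyVaultSecret -VaultName $VaultName -Name 'sl-demo-user' -SecretValue $secure `
    -Expires (Get-Date).AddDays(90)
"Secret identifier (URI): $($secret.Id)"   # reference this from ARM templates or apps, not the value
```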