
Importance Of Secure Key Management using Azure Key Vault

The protection of private keys is critical to the security and privacy of any information protected with those keys: a key that leaks takes every confidentiality or integrity guarantee built on it with it.

Azure Key Vault can create keys that cannot be exported, and in the Premium tier those keys are protected by physical HSMs running in Microsoft's data centres: cryptographic operations such as signing and decryption are carried out by the HSM, and the key material itself never leaves it.

Your private key should be closely guarded, since anyone who obtains a copy of it can decrypt whatever it protects, or sign as you, without ever touching your systems again.

Even though Key Vault provides fundamentally strong cryptographic services, the lack of driver support on Windows and Linux is one of the most significant practical limitations of Key Vault today: Microsoft does not provide a Key Storage Provider (KSP) for Windows or a PKCS#11 module for Linux, so applications written against the platform's standard cryptographic APIs cannot use a Key Vault key in place.

The lack of drivers has led to a situation where Azure Key Vault is normally used as a secret store for certificates rather than as an HSM-backed secure key store.

The Azure Key Vault VM extension simply copies certificates and their private keys out of the Key Vault and installs them into VMs or other resources. The Key Vault is therefore normally used as a glorified storage account.

It is common for certificates held within Key Vault to be created with the private key marked exportable in the certificate policy, which allows the certificate and its private key to be downloaded as a PKCS#12 (PFX) file by anyone with read access to the corresponding secret.
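To make the distinction concrete, the following is an added example (not code from the original page or from Xorble) that audits certificate policies for the weak configuration described above and shows the hardened alternative from the earlier paragraph on non-exportable HSM keys. The policy documents follow the shape the Key Vault REST API returns for a certificate policy (`key_props.exportable`, `key_props.kty`, `key_props.reuse_key`); the sample policies, vault and certificate names are constructed for illustration and not read from a real vault.

```python
"""Audit Azure Key Vault certificate policies for exportable or software keys.

Added example, not code from the original page or from Xorble. The policy
documents follow the shape the Key Vault REST API returns for
GET /certificates/{name}/policy: key_props.exportable, key_props.kty
("RSA"/"EC" software-protected, "RSA-HSM"/"EC-HSM" HSM-protected) and
key_props.reuse_key. The sample policies are constructed, not read from a vault.
"""
import copy
from typing import Dict, List

HSM_KEY_TYPES = {"RSA-HSM", "EC-HSM"}

# Constructed sample policies. "weak-web-tls" is the common default the article
# criticises: an exportable software key, so anyone with secrets/get on the
# vault can download the PKCS#12. "hardened-signing" is the alternative: a
# non-exportable key generated in the HSM. "reuse-on-renew" keeps the same key
# across renewals, so a leaked key outlives the certificate it leaked with.
SAMPLE_POLICIES: Dict[str, dict] = {
    "weak-web-tls": {
        "key_props": {"exportable": True, "kty": "RSA", "key_size": 2048, "reuse_key": False},
        "secret_props": {"contentType": "application/x-pkcs12"},
        "x509_props": {"subject": "CN=www.example.test"},
    },
    "hardened-signing": {
        "key_props": {"exportable": False, "kty": "RSA-HSM", "key_size": 3072, "reuse_key": False},
        "secret_props": {"contentType": "application/x-pem-file"},
        "x509_props": {"subject": "CN=code-signing.example.test"},
    },
    "reuse-on-renew": {
        "key_props": {"exportable": False, "kty": "EC", "crv": "P-256", "reuse_key": True},
        "secret_props": {"contentType": "application/x-pem-file"},
        "x509_props": {"subject": "CN=api.example.test"},
    },
}


def audit_policy(name: str, policy: dict) -> List[str]:
    """Return the findings for one certificate policy (empty list = acceptable)."""
    findings: List[str] = []
    kp = policy.get("key_props", {})
    if kp.get("exportable", False):
        findings.append(f"{name}: private key is exportable; a secrets/get on the vault yields the PKCS#12")
    if kp.get("kty") not in HSM_KEY_TYPES:
        findings.append(f"{name}: key type {kp.get('kty')!r} is software-protected, not generated in the HSM")
    if kp.get("reuse_key", False):
        findings.append(f"{name}: reuse_key is set, so a leaked key survives certificate renewal")
    return findings


def audit_vault(policies: Dict[str, dict]) -> Dict[str, List[str]]:
    """Audit every policy; only certificates with findings appear in the report."""
    report: Dict[str, List[str]] = {}
    for name, policy in policies.items():
        findings = audit_policy(name, policy)
        if findings:
            report[name] = findings
    return report


def harden_policy(policy: dict) -> dict:
    """Return a copy of the policy with a non-exportable, HSM-generated key.

    Updating a policy only affects key material generated from then on: an
    existing certificate has to be re-issued under the new policy before the
    change means anything, because its current key is already in the vault
    (and possibly already copied out of it).
    """
    hardened = copy.deepcopy(policy)
    kp = hardened.setdefault("key_props", {})
    kp["exportable"] = False
    kp["reuse_key"] = False
    base = kp.get("kty", "RSA").replace("-HSM", "")
    kp["kty"] = f"{base}-HSM"
    return hardened


if __name__ == "__main__":
    for cert, findings in audit_vault(SAMPLE_POLICIES).items():
        for finding in findings:
            print(finding)
    print(harden_policy(SAMPLE_POLICIES["weak-web-tls"])["key_props"])
```

The hardened policy is only half the story: once the key is non-exportable and HSM-held, the application has to reach it through the vault's sign and decrypt operations, which is exactly where the missing KSP and PKCS#11 drivers described in this article bite.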

This approach gives the impression of security without being particularly secure, and it allows attackers to export and steal certificates together with their private keys.

Keys can be stolen at several points in the chain: directly from the machine they were copied to, by downloading them from Azure Key Vault using that machine's credentials, or by downloading them from Azure Key Vault using some other credentials that have read access to the secret.

Duplicating keys in this way makes auditing who has used a key almost impossible: Key Vault can record that a copy was downloaded, but nothing records what happens to that copy afterwards. Preventing and detecting leakage of keys becomes very difficult in this situation.
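What an operator can still see is the download itself. The following added example (not code from the original page) runs that detection over a few constructed Key Vault diagnostic log lines: a certificate's private key is only retrievable as the secret of the same name, so the event that marks key material leaving the vault is a successful `SecretGet` on `/secrets/<certificate name>`, while `CertificateGet` returns just the public certificate and `KeySign` uses an HSM key without moving it. The field names follow the AuditEvent log schema; every value, principal and vault name in the sample lines is invented, and the lists of protected certificates and expected readers are assumptions for the example.

```python
"""Flag private-key downloads in Azure Key Vault diagnostic (AuditEvent) logs.

Added example, not code from the original page. A Key Vault certificate's
private key is retrievable only as the secret of the same name (content type
application/x-pkcs12 for an exportable key); CertificateGet returns the public
certificate and KeySign/KeyDecrypt use an HSM key without moving it. So the
event that matters for "did the key leave the vault" is a SecretGet whose
properties.id points at /secrets/<certificate name>. The log lines below are
constructed to follow the AuditEvent field names (operationName,
resultSignature, callerIpAddress, identity.claim, properties.id); every value
in them is invented.
"""
import json
from typing import Dict, List, Tuple
from urllib.parse import urlparse

UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

# Assumed for the example: certificates whose private keys must stay inside the
# vault, and the only principal expected to pull them (the web VM's identity).
PROTECTED_CERTS = {"web-tls", "code-signing"}
EXPECTED_READERS = {"vm-web01-msi"}

# Constructed JSON-lines export of Key Vault diagnostic logs.
SAMPLE_LOG = r'''
{"time":"2024-05-01T08:00:01Z","category":"AuditEvent","operationName":"CertificateGet","resultSignature":"OK","callerIpAddress":"198.51.100.7","identity":{"claim":{"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"alice@example.test"}},"properties":{"id":"https://kv-prod.vault.azure.net/certificates/web-tls/1a2b"}}
{"time":"2024-05-01T08:00:05Z","category":"AuditEvent","operationName":"KeySign","resultSignature":"OK","callerIpAddress":"10.0.1.4","identity":{"claim":{"appid":"vm-web01-msi"}},"properties":{"id":"https://kv-prod.vault.azure.net/keys/code-signing/9f8e"}}
{"time":"2024-05-01T08:01:00Z","category":"AuditEvent","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"10.0.1.4","identity":{"claim":{"appid":"vm-web01-msi"}},"properties":{"id":"https://kv-prod.vault.azure.net/secrets/web-tls/1a2b"}}
{"time":"2024-05-01T08:02:10Z","category":"AuditEvent","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"203.0.113.9","identity":{"claim":{"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"mallory@example.test"}},"properties":{"id":"https://kv-prod.vault.azure.net/secrets/web-tls/1a2b"}}
{"time":"2024-05-01T08:02:15Z","category":"AuditEvent","operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"203.0.113.9","identity":{"claim":{"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn":"mallory@example.test"}},"properties":{"id":"https://kv-prod.vault.azure.net/secrets/code-signing/9f8e"}}
{"time":"2024-05-01T08:03:00Z","category":"AuditEvent","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"10.0.1.4","identity":{"claim":{"appid":"vm-web01-msi"}},"properties":{"id":"https://kv-prod.vault.azure.net/secrets/db-password/77aa"}}
'''


def parse_events(text: str) -> List[dict]:
    """Parse a JSON-lines diagnostic export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def object_from_id(object_id: str) -> Tuple[str, str]:
    """Split a Key Vault object URL into (collection, name), e.g. ('secrets', 'web-tls')."""
    parts = urlparse(object_id).path.strip("/").split("/")
    if len(parts) < 2:
        raise ValueError(f"not a Key Vault object id: {object_id}")
    return parts[0], parts[1]


def caller_of(event: dict) -> str:
    """Best available principal: UPN for users, else appid/oid for service principals."""
    claims = event.get("identity", {}).get("claim", {})
    return claims.get(UPN_CLAIM) or claims.get("appid") or claims.get("oid") or "<unknown>"


def find_key_exports(events: List[dict]) -> List[Dict[str, str]]:
    """One alert per SecretGet that targets a protected certificate's secret."""
    alerts: List[Dict[str, str]] = []
    for e in events:
        if e.get("category") != "AuditEvent" or e.get("operationName") != "SecretGet":
            continue
        collection, name = object_from_id(e["properties"]["id"])
        if collection != "secrets" or name not in PROTECTED_CERTS:
            continue  # CertificateGet, KeySign and unrelated secrets do not move the key
        who = caller_of(e)
        if e.get("resultSignature") != "OK":
            severity = "attempt"  # denied, but someone is probing for the key
        elif who in EXPECTED_READERS:
            severity = "info"     # expected pull, e.g. the VM extension copying the PFX
        else:
            severity = "high"     # key material left the vault to an unexpected principal
        alerts.append({"severity": severity, "time": e["time"], "caller": who,
                       "ip": e.get("callerIpAddress", ""), "certificate": name})
    return alerts


if __name__ == "__main__":
    for alert in find_key_exports(parse_events(SAMPLE_LOG)):
        print(alert)
```

Note that even the "info" alert is the problem this article describes: a copy of the key now exists on the VM, and nothing the vault logs from this point on can tell you what is done with it. With a non-exportable HSM key the only events for that certificate would be `KeySign` and `KeyDecrypt`, each of which records one use.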

An attacker (whether an insider or not) who gains even short-term access to your environment can take copies of your keys for offline use long after that access has been revoked.

So how do we go about resolving this situation?

The most obvious way is to write a KSP and a PKCS#11 module for Key Vault, so that applications can keep using the standard cryptographic APIs, with the private key staying in the vault, rather than being rewritten against the Key Vault REST API.

The Xorble KV KSP is a KSP driver for Windows Server workloads that aims to meet this requirement.