Block All Exportable Certificates via Policy
In an earlier blog, a simple PowerShell script was provided that allows all certificates within all Key Vaults to be dumped as PKCS#12 files.
In theory, a simple fix for this is to block all exportable certificates via Azure Policy: you can create a policy that denies the creation or import into Key Vault of any certificate whose key can be exported.
This in theory provides a very strong solution to the exportable key/certificate issue, but it has one major caveat that I will come on to later.
First, let us look at the Azure Policy to block the creation or import of certificates into Azure Key Vault that can be exported. Azure Policy allows you to enforce specific rules: the policy will block the deployment of resources that do not comply with it, ensuring compliance with your organization’s standards.
To achieve this, you can define a policy that checks the properties of the Key Vault certificates and denies any operations that would allow the export of those certificates.
```json
{
  "mode": "Indexed",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.KeyVault/vaults/certificates"
        },
        {
          "field": "Microsoft.KeyVault/vaults/certificates/exportable",
          "equals": "true"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
```
Steps to Implement the Policy
- Create the Policy:
  - Go to the Azure portal.
  - Navigate to “Policy” and then “Definitions.”
  - Click on “+ Policy definition” to create a new policy.
  - Paste the JSON above into the policy definition editor.
- Assign the Policy:
  - After creating the policy, go to “Assignments” in the Policy section.
  - Click on “+ Assign policy” and select the policy you just created.
  - Choose the scope (subscription or resource group) where you want to enforce this policy.
- Test the Policy:
  - Try to create or import a certificate with the exportable property set to true.
  - The operation should be denied.
This policy will help ensure that no exportable certificates can be created or imported into your Azure Key Vault, aligning with your security requirements.
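The portal steps above can be scripted with Az PowerShell, which also makes the "test" step repeatable and lets you audit certificates that already exist (the policy only stops new ones; it does not change certificates that are already exportable, which is exactly what the dump script from the earlier post collects). The following is an added example, not code from the original post. It assumes the Az.Resources and Az.KeyVault modules are installed, that Connect-AzAccount has already been run, and that the resource group and vault names are placeholders you replace with your own; the expected DENIED/ACCEPTED results are those the post describes for its policy.

```powershell
# Added example (not part of the original post). Assumes Az.Resources and Az.KeyVault are
# installed and Connect-AzAccount has run. Resource group and vault names are placeholders.
$ResourceGroup = 'rg-keyvault-demo'     # placeholder
$VaultName     = 'kv-demo-placeholder'  # placeholder

# 1. Create the policy definition. New-AzPolicyDefinition takes the rule (the "if"/"then"
#    part of the blog's JSON); the "mode" is passed separately via -Mode.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.KeyVault/vaults/certificates" },
      { "field": "Microsoft.KeyVault/vaults/certificates/exportable", "equals": "true" }
    ]
  },
  "then": { "effect": "deny" }
}
'@
$definition = New-AzPolicyDefinition -Name 'deny-exportable-kv-certificates' `
    -DisplayName 'Deny exportable Key Vault certificates' `
    -Mode 'Indexed' -Policy $rule

# 2. Assign it at resource-group scope (use a subscription resource id for a wider scope).
$scope = (Get-AzResourceGroup -Name $ResourceGroup).ResourceId
New-AzPolicyAssignment -Name 'deny-exportable-kv-certificates' `
    -PolicyDefinition $definition -Scope $scope | Out-Null

# 3. Test: a self-signed certificate with an exportable key should be denied by the policy,
#    one created with -KeyNotExportable should be accepted.
function Test-CertificateCreation {
    param([string]$Name, [switch]$NonExportable)
    $policyArgs = @{
        SecretContentType = 'application/x-pkcs12'
        SubjectName       = "CN=$Name"
        IssuerName        = 'Self'
        ValidityInMonths  = 12
    }
    if ($NonExportable) { $policyArgs['KeyNotExportable'] = $true }
    $certPolicy = New-AzKeyVaultCertificatePolicy @policyArgs
    try {
        Add-AzKeyVaultCertificate -VaultName $VaultName -Name $Name -CertificatePolicy $certPolicy | Out-Null
        "$Name : ACCEPTED"
    } catch {
        "$Name : DENIED ($($_.Exception.Message))"
    }
}
Test-CertificateCreation -Name 'policytest-exportable'                    # expected per the post: DENIED
Test-CertificateCreation -Name 'policytest-nonexportable' -NonExportable  # expected per the post: ACCEPTED

# 4. Audit: the policy does not touch existing certificates, so report every certificate in
#    every vault of the current subscription whose key is still exportable.
function Get-ExportableCertificateReport {
    foreach ($vault in Get-AzKeyVault) {
        foreach ($cert in Get-AzKeyVaultCertificate -VaultName $vault.VaultName) {
            $p = Get-AzKeyVaultCertificatePolicy -VaultName $vault.VaultName -Name $cert.Name
            [pscustomobject]@{
                Vault       = $vault.VaultName
                Certificate = $cert.Name
                Exportable  = $p.Exportable
            }
        }
    }
}
Get-ExportableCertificateReport | Where-Object Exportable | Format-Table -AutoSize
```

The audit in step 4 is the part worth scheduling: a deny policy closes the door for new certificates, but every certificate created before the assignment keeps its original exportable setting and needs to be re-issued with a non-exportable key policy to actually benefit.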
Easy Fix Part 2 – Block all Exportable Certificates via Policy (not really good for normal VMs)
So what is wrong with this approach?
Blocking the export of private keys from Key Vault does dramatically increase the security of your keys – they can no longer be stolen by bad folk.
There is, however, one quite large drawback: almost no software is coded to use Key Vault’s REST APIs to perform cryptographic operations, and hence to a large extent your keys are then useless.
For instance, the Azure Key Vault add-on for VMs is now unable to grab a copy of the keys and install them onto VMs – this policy stops the Key Vault add-on from functioning.
So how do we go about solving this?
The obvious way is to write the necessary drivers to allow applications to use Azure-based keys. The two most widely used driver models for keys are the PKCS#11 API, largely used in the Linux and open-source world, and the Key Storage Provider (KSP) driver model used within Windows.
So the obvious (although not simple) solution to this problem is to write both a KSP (for Windows) and a PKCS#11 library (for Linux and Windows); this would allow you to secure keys with this policy while applications keep working.
Introducing the Key Vault KSP – effectively providing an HSM for every Server
The Xorble Key Vault Key Storage Provider provides a KSP for Windows that allows Key Vault based certificates to be used by Windows based VMs in a secure way without copying key material everywhere.