Hiding the key
-
Hi all, I have a question based on the below hypothetical scenario. I have an Azure based system comprised of: Web app (Blazor) Multiple Azure functions A set of C# library NuGets written to support shared code Azure SQL Internal-only APIM External APIM (for mobile apps and third Party subscriptions) Azure Front Door Various Azure services, like Key Vault, Azure Storage, etc. ADO DevOps (incl. ADO Git repos, not GitHub, pipelines, artifacts, testing, etc.) ADO Boards for case management Developers use VS 2022 with access Secure information that apps use like keys, usernames/passwords, etc. are stored in a key vault. Now, for the question. What process do you recommend for the apps (not directly publicly accessible other than port 80 HTTP for the web UI) to access the key vault without leaving any keys in config files that could be compromised? I know what I think, but if I knew everything 100% correctly, I probably wouldn’t be here. 🙂 Thanks in advance.
-
Hi all, I have a question based on the below hypothetical scenario. I have an Azure based system comprised of: Web app (Blazor) Multiple Azure functions A set of C# library NuGets written to support shared code Azure SQL Internal-only APIM External APIM (for mobile apps and third Party subscriptions) Azure Front Door Various Azure services, like Key Vault, Azure Storage, etc. ADO DevOps (incl. ADO Git repos, not GitHub, pipelines, artifacts, testing, etc.) ADO Boards for case management Developers use VS 2022 with access Secure information that apps use like keys, usernames/passwords, etc. are stored in a key vault. Now, for the question. What process do you recommend for the apps (not directly publicly accessible other than port 80 HTTP for the web UI) to access the key vault without leaving any keys in config files that could be compromised? I know what I think, but if I knew everything 100% correctly, I probably wouldn’t be here. 🙂 Thanks in advance.
In a domain? Doesn't Azure use SQL Server? We have some data encrypted in SQL Server, with keys and certificates, etc. Only a user authenticated on the domain with access to the SQL Server database with access to the keys and certificates can decrypt the encrypted values.
-
Hi all, I have a question based on the below hypothetical scenario. I have an Azure based system comprised of: Web app (Blazor) Multiple Azure functions A set of C# library NuGets written to support shared code Azure SQL Internal-only APIM External APIM (for mobile apps and third Party subscriptions) Azure Front Door Various Azure services, like Key Vault, Azure Storage, etc. ADO DevOps (incl. ADO Git repos, not GitHub, pipelines, artifacts, testing, etc.) ADO Boards for case management Developers use VS 2022 with access Secure information that apps use like keys, usernames/passwords, etc. are stored in a key vault. Now, for the question. What process do you recommend for the apps (not directly publicly accessible other than port 80 HTTP for the web UI) to access the key vault without leaving any keys in config files that could be compromised? I know what I think, but if I knew everything 100% correctly, I probably wouldn’t be here. 🙂 Thanks in advance.
Have the app read from the key vault when it starts, and then cache the value. You don't want to constantly read from the key vault, as it is not a high throughput service.
-
In a domain? Doesn't Azure use SQL Server? We have some data encrypted in SQL Server, with keys and certificates, etc. Only a user authenticated on the domain with access to the SQL Server database with access to the keys and certificates can decrypt the encrypted values.
That is certainly a common practice. Where is the username and password stored for the user you mentioned? If the app uses that type of user login, doesn’t it have to get the username and password from somewhere outside the DB?
-
Have the app read from the key vault when it starts, and then cache the value. You don't want to constantly read from the key vault, as it is not a high throughput service.
And by what is the app validated to the KV, and where is that stored outside the KV where the app can access it?
-
That is certainly a common practice. Where is the username and password stored for the user you mentioned? If the app uses that type of user login, doesn’t it have to get the username and password from somewhere outside the DB?
The domain performs authentication for the user. The user provides the username and password to the domain.
-
And by what is the app validated to the KV, and where is that stored outside the KV where the app can access it?
this is what ChatGBT has to say :
Quote:
To securely access the Key Vault from your applications without exposing the secrets in config files, you can leverage Azure Managed Service Identity (MSI) feature. Managed Service Identity (MSI) is a feature of Azure Active Directory that provides Azure services with an automatically managed identity in Azure AD. With MSI, Azure services can authenticate with other Azure services that support Azure AD authentication, without requiring you to manage any secrets or credentials. The process for accessing the Key Vault using MSI can be summarized in the following steps: Enable the MSI feature for your Azure App Service/Web App: Enable the system assigned identity for your Web App by turning it on in the Identity blade of your Web App. Add access policy to Key Vault: Once MSI is enabled, navigate to your Key Vault, select the Access policies blade, and add the necessary permissions to allow your Web App to access the Key Vault. Modify your code to use MSI to authenticate with the Key Vault: In your code, you can use the Azure.Identity NuGet package to authenticate with the Key Vault using the MSI endpoint. Here's some sample code that demonstrates how to access a secret in a Key Vault using MSI:
var credential = new DefaultAzureCredential();
var client = new SecretClient(new Uri("https://{keyvault-name}.vault.azure.net/"), credential);
KeyVaultSecret secret = await client.GetSecretAsync("secret-name");
string secretValue = secret.Value; -
Hi all, I have a question based on the below hypothetical scenario. I have an Azure based system comprised of: Web app (Blazor) Multiple Azure functions A set of C# library NuGets written to support shared code Azure SQL Internal-only APIM External APIM (for mobile apps and third Party subscriptions) Azure Front Door Various Azure services, like Key Vault, Azure Storage, etc. ADO DevOps (incl. ADO Git repos, not GitHub, pipelines, artifacts, testing, etc.) ADO Boards for case management Developers use VS 2022 with access Secure information that apps use like keys, usernames/passwords, etc. are stored in a key vault. Now, for the question. What process do you recommend for the apps (not directly publicly accessible other than port 80 HTTP for the web UI) to access the key vault without leaving any keys in config files that could be compromised? I know what I think, but if I knew everything 100% correctly, I probably wouldn’t be here. 🙂 Thanks in advance.
this is what chatGBT has to say :
Quote:
To securely access the Key Vault from your applications without exposing the secrets in config files, you can leverage Azure Managed Service Identity (MSI) feature. Managed Service Identity (MSI) is a feature of Azure Active Directory that provides Azure services with an automatically managed identity in Azure AD. With MSI, Azure services can authenticate with other Azure services that support Azure AD authentication, without requiring you to manage any secrets or credentials. The process for accessing the Key Vault using MSI can be summarized in the following steps: Enable the MSI feature for your Azure App Service/Web App: Enable the system assigned identity for your Web App by turning it on in the Identity blade of your Web App. Add access policy to Key Vault: Once MSI is enabled, navigate to your Key Vault, select the Access policies blade, and add the necessary permissions to allow your Web App to access the Key Vault. Modify your code to use MSI to authenticate with the Key Vault: In your code, you can use the Azure.Identity NuGet package to authenticate with the Key Vault using the MSI endpoint. Here's some sample code that demonstrates how to access a secret in a Key Vault using MSI:
var credential = new DefaultAzureCredential();
var client = new SecretClient(new Uri("https://{keyvault-name}.vault.azure.net/"), credential);
KeyVaultSecret secret = await client.GetSecretAsync("secret-name");
string secretValue = secret.Value; -
Hi all, I have a question based on the below hypothetical scenario. I have an Azure based system comprised of: Web app (Blazor) Multiple Azure functions A set of C# library NuGets written to support shared code Azure SQL Internal-only APIM External APIM (for mobile apps and third Party subscriptions) Azure Front Door Various Azure services, like Key Vault, Azure Storage, etc. ADO DevOps (incl. ADO Git repos, not GitHub, pipelines, artifacts, testing, etc.) ADO Boards for case management Developers use VS 2022 with access Secure information that apps use like keys, usernames/passwords, etc. are stored in a key vault. Now, for the question. What process do you recommend for the apps (not directly publicly accessible other than port 80 HTTP for the web UI) to access the key vault without leaving any keys in config files that could be compromised? I know what I think, but if I knew everything 100% correctly, I probably wouldn’t be here. 🙂 Thanks in advance.
Maybe you shouldn't hide the key, just encrypt it. The apps should know where the keys are and how to decrypt them. As a real-world example, I need the ability for hundreds of customer desktop apps to be able to utilize one or more FTP resources, and also need the ability to change the credentials for those resources 'on the fly'. Those credentials are actually stored on a publicly accessible website in an XML file with very unassuming names/tags and, of course, encrypted. My 2 cents. :)
"Go forth into the source" - Neal Morse "Hope is contagious"
-
Maybe you shouldn't hide the key, just encrypt it. The apps should know where the keys are and how to decrypt them. As a real-world example, I need the ability for hundreds of customer desktop apps to be able to utilize one or more FTP resources, and also need the ability to change the credentials for those resources 'on the fly'. Those credentials are actually stored on a publicly accessible website in an XML file with very unassuming names/tags and, of course, encrypted. My 2 cents. :)
"Go forth into the source" - Neal Morse "Hope is contagious"
I have done that before, but the issue still remains that the decryption key for that still has to be accesible to the app. And thus, accessible by another person.
-
this is what chatGBT has to say :
Quote:
To securely access the Key Vault from your applications without exposing the secrets in config files, you can leverage Azure Managed Service Identity (MSI) feature. Managed Service Identity (MSI) is a feature of Azure Active Directory that provides Azure services with an automatically managed identity in Azure AD. With MSI, Azure services can authenticate with other Azure services that support Azure AD authentication, without requiring you to manage any secrets or credentials. The process for accessing the Key Vault using MSI can be summarized in the following steps: Enable the MSI feature for your Azure App Service/Web App: Enable the system assigned identity for your Web App by turning it on in the Identity blade of your Web App. Add access policy to Key Vault: Once MSI is enabled, navigate to your Key Vault, select the Access policies blade, and add the necessary permissions to allow your Web App to access the Key Vault. Modify your code to use MSI to authenticate with the Key Vault: In your code, you can use the Azure.Identity NuGet package to authenticate with the Key Vault using the MSI endpoint. Here's some sample code that demonstrates how to access a secret in a Key Vault using MSI:
var credential = new DefaultAzureCredential();
var client = new SecretClient(new Uri("https://{keyvault-name}.vault.azure.net/"), credential);
KeyVaultSecret secret = await client.GetSecretAsync("secret-name");
string secretValue = secret.Value;Someone trained the AI bot well. That is what I do when I design the system. I find that "in the wild", a lot of shops don't.
-
The domain performs authentication for the user. The user provides the username and password to the domain.
And the user can share their password, have it hacked, etc. Still not secure.
-
And the user can share their password, have it hacked, etc. Still not secure.
As has always been the case. The user has to know his/her password and might write it on a sticky note or something. That can never be fully secure. Consider a building with many doors and the janitor has copies of all the keys, locked in a box. But the key for that box can't be in the box, it has to be somewhere else, usually in the janitor's pocket. If that one key gets stolen, the thief has access to all of the other keys. The janitor can lock the lockbox key in another box, but then the key to that box might get stolen. It's never-ending. There will always be some nth item which might get stolen and may then provide access to all of the other items like dominos. I have no idea how someone can possibly think that anything can be fully 100% secure. The concept is a fallacy.
-
As has always been the case. The user has to know his/her password and might write it on a sticky note or something. That can never be fully secure. Consider a building with many doors and the janitor has copies of all the keys, locked in a box. But the key for that box can't be in the box, it has to be somewhere else, usually in the janitor's pocket. If that one key gets stolen, the thief has access to all of the other keys. The janitor can lock the lockbox key in another box, but then the key to that box might get stolen. It's never-ending. There will always be some nth item which might get stolen and may then provide access to all of the other items like dominos. I have no idea how someone can possibly think that anything can be fully 100% secure. The concept is a fallacy.
Not 100%. Just reasonably secure. That is why Azure (and I am sure AWS and others) have the kind of authentication that doesn't require an app storing the means of authentication.
-
Hi all, I have a question based on the below hypothetical scenario. I have an Azure based system comprised of: Web app (Blazor) Multiple Azure functions A set of C# library NuGets written to support shared code Azure SQL Internal-only APIM External APIM (for mobile apps and third Party subscriptions) Azure Front Door Various Azure services, like Key Vault, Azure Storage, etc. ADO DevOps (incl. ADO Git repos, not GitHub, pipelines, artifacts, testing, etc.) ADO Boards for case management Developers use VS 2022 with access Secure information that apps use like keys, usernames/passwords, etc. are stored in a key vault. Now, for the question. What process do you recommend for the apps (not directly publicly accessible other than port 80 HTTP for the web UI) to access the key vault without leaving any keys in config files that could be compromised? I know what I think, but if I knew everything 100% correctly, I probably wouldn’t be here. 🙂 Thanks in advance.
-
Hi all, I have a question based on the below hypothetical scenario. I have an Azure based system comprised of: Web app (Blazor) Multiple Azure functions A set of C# library NuGets written to support shared code Azure SQL Internal-only APIM External APIM (for mobile apps and third Party subscriptions) Azure Front Door Various Azure services, like Key Vault, Azure Storage, etc. ADO DevOps (incl. ADO Git repos, not GitHub, pipelines, artifacts, testing, etc.) ADO Boards for case management Developers use VS 2022 with access Secure information that apps use like keys, usernames/passwords, etc. are stored in a key vault. Now, for the question. What process do you recommend for the apps (not directly publicly accessible other than port 80 HTTP for the web UI) to access the key vault without leaving any keys in config files that could be compromised? I know what I think, but if I knew everything 100% correctly, I probably wouldn’t be here. 🙂 Thanks in advance.
As per generally accepted usage, I put the key content on a yellow sticky note where my computer webcam can see it and route it up to the app. ;)
-
Hi all, I have a question based on the below hypothetical scenario. I have an Azure based system comprised of: Web app (Blazor) Multiple Azure functions A set of C# library NuGets written to support shared code Azure SQL Internal-only APIM External APIM (for mobile apps and third Party subscriptions) Azure Front Door Various Azure services, like Key Vault, Azure Storage, etc. ADO DevOps (incl. ADO Git repos, not GitHub, pipelines, artifacts, testing, etc.) ADO Boards for case management Developers use VS 2022 with access Secure information that apps use like keys, usernames/passwords, etc. are stored in a key vault. Now, for the question. What process do you recommend for the apps (not directly publicly accessible other than port 80 HTTP for the web UI) to access the key vault without leaving any keys in config files that could be compromised? I know what I think, but if I knew everything 100% correctly, I probably wouldn’t be here. 🙂 Thanks in advance.
I may be missing something, but why wouldn't 2 factor authentication work?
Just call me obtuse...
-
this is what chatGBT has to say :
Quote:
To securely access the Key Vault from your applications without exposing the secrets in config files, you can leverage Azure Managed Service Identity (MSI) feature. Managed Service Identity (MSI) is a feature of Azure Active Directory that provides Azure services with an automatically managed identity in Azure AD. With MSI, Azure services can authenticate with other Azure services that support Azure AD authentication, without requiring you to manage any secrets or credentials. The process for accessing the Key Vault using MSI can be summarized in the following steps: Enable the MSI feature for your Azure App Service/Web App: Enable the system assigned identity for your Web App by turning it on in the Identity blade of your Web App. Add access policy to Key Vault: Once MSI is enabled, navigate to your Key Vault, select the Access policies blade, and add the necessary permissions to allow your Web App to access the Key Vault. Modify your code to use MSI to authenticate with the Key Vault: In your code, you can use the Azure.Identity NuGet package to authenticate with the Key Vault using the MSI endpoint. Here's some sample code that demonstrates how to access a secret in a Key Vault using MSI:
var credential = new DefaultAzureCredential();
var client = new SecretClient(new Uri("https://{keyvault-name}.vault.azure.net/"), credential);
KeyVaultSecret secret = await client.GetSecretAsync("secret-name");
string secretValue = secret.Value;BernardIE5317 wrote:
leverage Azure Managed Service Identity (MSI) feature
This is the proper way to use KeyVault.
There are no solutions, only trade-offs.
  - Thomas SowellA day can really slip by when you're deliberately avoiding what you're supposed to do.
  - Calvin (Bill Watterson, Calvin & Hobbes) -
And by what is the app validated to the KV, and where is that stored outside the KV where the app can access it?
You would probably use Active Directory, with the app running under an account (you can have the system generate one), then providing read access to the Key Vault for that account.
-
And the user can share their password, have it hacked, etc. Still not secure.
That is where MFA comes in. MS Authenticator or other. Differing levels of engagement there: -Are you trying to log in?, (yes that's me) - logging in, after userid and pwd validate, Authenticator chirps with yes or no -What number is on the screen, (42) - login shows a number, type it into the app -Which number is on the screen, (11, 34, 78) - login show a number, app shows choices, pick the right one -Enter the code on Authenticator app (010 767) - app gens a number, enter it into login dialog I am sure there are other options and there are other products. How you set it up - IDK - victim not perp. b