
[Question] Secure way to persist keys on Azure #2519


Closed
aspnet-hello opened this issue Jan 1, 2018 · 5 comments
Labels: area-dataprotection (Includes: DataProtection)

Comments

@aspnet-hello

From @ycrumeyrolle on Monday, January 9, 2017 7:25:51 AM

I would like some guidance on securely managing DataProtection on Azure.

1/ Persistence
For now, there are three ways to persist keys on Azure.

  • Into the instance-shared file storage
  • Into a Redis database
  • Into Azure blob storage

Are those implementations secure?
Are those implementations secure by default?
I imagine that each implementation needs to be secured correctly. Is there any guidance?
Is KeyVault a valuable option?
Related: #92

2/ Key protection

  • With DPAPI/DPAPI-NG: not on Azure
  • With a certificate

Is KeyVault a valuable option?
Related: #178

Copied from original issue: aspnet/DataProtection#197

@aspnet-hello aspnet-hello added this to the 2.1.0 milestone Jan 1, 2018
@aspnet-hello aspnet-hello added the area-dataprotection Includes: DataProtection label Jan 1, 2018
@aspnet-hello (Author)

From @blowdart on Monday, February 6, 2017 2:27:16 PM

By default any shared storage is not encrypted. You need to layer X.509 on top of it. You can use a certificate if, and only if, you target .NET Framework rather than .NET Core, which doesn't have the right classes yet. That would be the safest option; however, note that on Azure Web Apps you cannot upload a certificate to use unless you're on the higher SKUs.

We have a branch for KeyVault to protect the key ring, but when you rotate the KeyVault master key it will no longer be accessible, so all data protection keys protected with it suddenly can't load (unlike with certificates, where we can still decrypt, just not encrypt new items). Until that changes, and we've asked, we feel pushing the KeyVault package out could result in data loss.
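As an added example (not code from this thread or from the DataProtection project itself), the two configurations blowdart contrasts above: a key ring persisted to shared Azure Blob Storage with no key-encryption layer, beside the same persistence with each key wrapped by a Key Vault key or by an X.509 certificate before it is written. The blob SAS URI, Key Vault key URI, certificate thumbprint and application name are placeholders; the Azure.Extensions.AspNetCore.DataProtection.Blobs, Azure.Extensions.AspNetCore.DataProtection.Keys and Azure.Identity packages are assumed to be referenced.

```csharp
using Azure.Identity;
using Microsoft.AspNetCore.DataProtection;

var builder = WebApplication.CreateBuilder(args);

// Placeholder resource identifiers; substitute your own.
var keyRingBlob = new Uri("https://<storage-account>.blob.core.windows.net/keys/keys.xml?<sas-token>");
var keyVaultKey = new Uri("https://<vault-name>.vault.azure.net/keys/<key-name>/");

// WEAK: the key ring is shared by every instance, but the blob holds the
// data-protection master keys in the clear. Anyone who can read the blob
// can forge or decrypt everything the app protects (auth cookies, anti-forgery
// tokens, TempData, ...). Nothing in this call encrypts the key material.
//
// builder.Services.AddDataProtection()
//     .SetApplicationName("<app-name>")
//     .PersistKeysToAzureBlobStorage(keyRingBlob);

// HARDENED: same shared blob, but every key is wrapped before it is stored.
var dataProtection = builder.Services.AddDataProtection()
    .SetApplicationName("<app-name>")            // identical on every instance
    .PersistKeysToAzureBlobStorage(keyRingBlob);

if (builder.Environment.IsProduction())
{
    // Option A: wrap keys with a Key Vault key. The app never holds the wrapping
    // key; who may unwrap is decided by the vault's access policy / RBAC on the
    // app's identity. As the thread notes, a wrapping key that later becomes
    // unavailable makes every key it wrapped unloadable, so plan rotation so
    // that older key versions stay resolvable.
    dataProtection.ProtectKeysWithAzureKeyVault(keyVaultKey, new DefaultAzureCredential());
}
else
{
    // Option B: wrap keys with an X.509 certificate from the machine/user store.
    // Per the thread, this requires the certificate to be installed where the
    // app runs (higher App Service SKUs). Keep the previous certificate
    // installed after rotation so older keys can still be unwrapped.
    dataProtection.ProtectKeysWithCertificate("<certificate-thumbprint>");
}

var app = builder.Build();
app.MapGet("/", () => "ok");
app.Run();
```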

@aspnet-hello (Author)

From @ycrumeyrolle on Monday, February 6, 2017 2:59:49 PM

If I summarize, the Azure Web Apps key ring may be secured on any shared storage if I am able to use certificates.
Certificate usage requires an adequate SKU and .NET Framework.
Any visibility on the required .NET Core class? I had an issue when trying to build a client certificate authentication middleware.

With KeyVault, if nobody rotates the keys, is there any issue?
Or shouldn't we store the keys as secrets instead of keys?

@aspnet-hello (Author)

From @blowdart on Friday, February 10, 2017 12:40:29 PM

You should always rotate keys; it's just best practice. We don't store the keys themselves as secrets, as the API for reading secrets has way, way too much overhead.

@aspnet-hello (Author)

From @blowdart on Friday, April 28, 2017 12:28:00 PM

We've been working with the KeyVault team, and finally hope to have an answer for our 2.0 time frame.

@blowdart (Contributor)

blowdart commented Jan 1, 2018

Closed as we shipped this.

@blowdart blowdart closed this as completed Jan 1, 2018
natemcmaster pushed a commit that referenced this issue Nov 15, 2018
@ghost ghost locked as resolved and limited conversation to collaborators Dec 4, 2019