ASP.NET Monsters #107: Azure Key Vault

Sign in to queue

Description

In this episode we take a look at how to retrieve secrets from Azure Key Vault for use in your ASP.NET Core application

Tags:

ASP.NET, Azure

Embed

Download

Download this episode

Download captions

The Discussion

  • User profile image
    MaheshkMSFT

    Hi, It is great to see this video on Key Vault. When using Key Vault to store app secrets for production applications, it is recommended to use X509 cert based authentication. This video shows a client_id+secret based authentication. This beats the whole purpose of using key vault, because the secret to authenticate AAD is available in clear in the app.config file. Available Key Vault sample applications show how to do X509 based auth. This has an example in .NET.

    https://github.com/Azure/azure-sdk-for-net/blob/psSdkJson6/src/SDKs/KeyVault/dataPlane/Microsoft.Azure.KeyVault.Samples/samples/HelloKeyVault/Program.cs
    In the .NET example please search for "FindCertificateByThumbprint" function. This will show the X509 portion.

    Ps:- The above information has been shared by Azure KV Engineering team. 

     

  • User profile image
    Tony

    To me, the primary reason for Azure KeyVault is a service to government officials for decrypting and access data when needed.

    Rather than every customer come up with their own scheme of storing this secret information, customers are encouraged to store their secrets in such a manner that makes it easier for Microsoft and/or government officials to access said secrets and related data. This makes access much easier in that there is one standard place to look and there is no need to try and figure out the seemingly endless and obscure methods used by many customers.

    In addition, but secondary, Azure KeyVault can be used as a place to store secrets and keep them out of your source code and settings.

    Needless to say, I am skeptical of using Azure KeyVault.

  • User profile image
    stimms

    @MaheshkMSFT: Thanks for the tip. Using certificates makes a lot more sense than securing passwords with other passwords. I'll have to dig into this a bit more and do a followup video. 

  • User profile image
    stimms

    @Tony: I must say I hadn't considered that. It is possible to build cryptographic systems such that not even the designer can read the secrets - in fact, I'd say it is fundamental to such a system. Personally, I find it pretty unlikely that THE MAN is interested in decrypting the keys I'm using to store credentials for my recipe collection. 

    As with all things here is the related XKCD comic https://xkcd.com/538/

  • User profile image
    Wobble

    There's a typo in the title of this video. *Vault
    Might help search engines when people are searching for this topic.

  • User profile image
    stimms

    @Wobble: oh look at that - thanks, I've fixed it.

Add Your 2 Cents