Encryption (Azure Key Vault, Certificates)

Encryption types

Uses the same key to encrypt and decrypt the data.
E.g. a desktop password manager application like password orbit encrypts your passwords with your key (derived from your master password & key file). The same key is used when the data needs to be retrieved.

Uses a public key and private key pair.
- Either key can encrypt but a single key can’t decrypt its own encrypted data.
- To decrypt, you need the paired key.
Used for things like Transport Layer Security (TLS) (used in HTTPS) and data signing.

Encryption of data at rest
- Data at rest = data that has been stored on a physical medium
  - e.g. server disk, database or storage account.
Ensures that data is unreadable without decryption keys/secret
E.g. if an attacker obtain a hard drive with encrypted data and did not have access to the encryption keys, the attacker would not compromise the data without great difficulty.
💡 Good to encrypt e.g.
- critical financial information, intellectual properties, personal data about customers, employees data, even keys & secrets used for the encryption of the data itself.

Data actively moving from one location to another
- e.g. across the internet or through a private network.
Protects the data from outside observers
- Only the receiver has the secret key that can decrypt the data to a usable form.
Secure transfer can be handled by several different layers.
- e.g. in application layer = HTTPS
- e.g. in network layer = secure channel like virtual private network (VPN)

Allows you encrypt raw storage.
Automatically encrypts your data before persisting it to e.g. Azure Managed Disks, Azure Blob storage, Azure Files, or Azure Queue storage
- and decrypts the data before retrieval.
The handling of process is transparent to applications.
- Encryption, encryption at rest, decryption, and key management

Helps you encrypt your Windows and Linux IaaS virtual machine disks.
Uses BitLocker in Windows and the dm-crypt in Linux to provide volume encryption for the OS and data disks.
Integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets
- and you can use managed service identities for accessing Key Vault.

Protection for:
- Azure SQL Database: Enabled by default.
- Azure Synapse Analytics
Performs real-time encryption and decryption at rest of
- the database
- associated backups
- transaction log files
Uses a symmetric key called the database encryption key.
- Bring your own key (BYOK) is also supported with keys stored in Azure Key Vault.

📝 Stores & manages
- Secrets: e.g. passwords, certificates, Application Programming Interface (API) keys, and other secrets.
- Keys: create and control the encryption keys used to encrypt your data.
- Certificates: provision, manage, and deploy your public and private SSL / TLS
  - You can create a policy that directs Key Vault to manage the life cycle of a certificate.
  - You can provide contact information for notification about life-cycle events of expiration and renewal of certificate.
  - You can automatically renew certificates with selected issuers
  - Read more on Azure certificates
Keys/secrets can be either protected by software or hardware security modules (HSMs)
Provides secure access, permission control (RBAC) & access logging.
Simplifies administration e.g. easier to enroll/renew certs.
Integrate with other Azure services e.g. storage accounts, container registries, event hubs…
- Applications with managed service identities enabled can automatically and seamlessly acquire the secrets they need.

Basis for encryption of website data in transit.
Uses certificates to encrypt and decrypt data.
- have a life cycle that requires administrator management
- expired TLS certificates open security vulnerabilities.
Certificates used in Azure are x.509 v3 that can be y
- signed by a trusted certificate authority
- or self-signed
  - not trusted by default as signed by its own creator
  - good for development + testing
Can contain a private or a public key
- Keys have an identifiable thumbprint
  - used in the Azure configuration file to identify which certificate a cloud service should use.

Attached to a specific cloud service
- Enables secure communication to and from the service.
- E.g. if you deploy a web site, you would want to supply a certificate that can authenticate an exposed HTTPS endpoint.
- Defined in your service definition =>
  - automatically deployed to the VM that is running an instance of your role.
You can manage service certificates separately from your services
- You can also upload service certificates to Azure
- E.g. a developer could upload a service package that refers to a certificate that an IT manager has previously uploaded to Azure.
  - An IT manager can manage and renew that certificate (changing the configuration of the service) without needing to upload a new service package.
To update a certificate, you don’t need to re-deploy a service package
- Upload a new certificate
- Change the thumbprint value in the service configuration file.

Allow you to authenticate with the classic deployment model.
Allows automation of configuration and deployment of some Microsoft / Azure services.
- e.g. Visual Studio or the Azure SDK
Are not related to cloud services.