发表新帖
发表新帖

Key Management in Windows Azure

前端 未结
关注
5 934
爱一瞬间的悲伤
爱一瞬间的悲伤 2021-02-01 07:41

I\'m a bit confused about how to store keys (for data encryption) in Windows Azure.

According to the following two links (#1, #2), it is recommended to store the keys/ke

相关标签:
5条回答
  • 天命终不由人
    2021-02-01 08:33

    There’s always a risk. If someone gains access to your storage account using any means (such as using a tool), they may be able to find out your key. So in the end, it is needed to protect the storage account itself from accessed by unauthorized access.

    For example, please do not allow a developer to access the production storage account. This includes don’t allow them to access the account using tools. Please protect the storage account key and do not leak any information in any application.

    Only storage administrators (and developers who you 100% trust) can have full access to the production storage account. Then you’re safe to store the key in your storage account.

    0 讨论(0)
  • 日久生厌
    2021-02-01 08:34

    You'll see from my comment in that first link that I agree with your concerns. :)

    Azure has no secure way of storing keys other than it's own Certificate Storage. Here is an article on using this method:

    Field Note: Using Certificate-Based Encryption in Windows Azure Applications

    You'll notice I've also commented on that article's shortcomings too, linking to this question:

    Read azure ServiceConfiguration file's certificate section using c#

    An example of using Azure's built in certificate storage to encrypt AES keys (avoiding the RSA restrictions on encrypted data length, while keeping the AES key secure) can be found in this project:

    Codeplex: Azure Table Encryption via Attribute

    The SymmetricKeyHelper class in the EncryptDecrypt project is of particular interest.

    Kudos to @breischl for mentioning it, and for his contributions to the project.

    0 讨论(0)
  • 清酒与你
    2021-02-01 08:36

    The Azure Key vault service that has been released recently might be a perfect fit for the problem. This has been introduced so that keys can be managed in a central place and access can be easily controlled. It also supports HSM-backed service making it very secure.

    Here is a artice on Getting Started with Azure Key Vault

    0 讨论(0)
  • 天涯浪人
    2021-02-01 08:43

    For future Googlers - I've implemented the solution that Stuart Pegg describes above, but decoupled from Azure Tables.

    See https://www.fasterweb.io/Blog/two-way-encryption-for-azure-web-roles for a writeup, or https://gist.github.com/strommen/20905504949072fe5e16 for just the code.

    0 讨论(0)
  • -上瘾入骨i
    2021-02-01 08:43

    I know that this may be a bit late, but if anyone is looking for a quick and easy implementation of encryption for Azure Websites, I've created a (Azure.Security and the source code is currently on GitHub. The project is loosely based on the Codeplex: Azure Table Encryption via Attribute project but it is a lot more straightforward and easy to use. A blog post will follow shortly with instructions on how to set it up and use it.

    0 讨论(0)
 看不清?
提交回复
热议问题