Azure is an Internet-scale computing and services platform hosted in data centers managed or supported by Microsoft. It includes many separate features with corresponding developer services, which can be used individually or together. Azure Key Vault is one of the important services in Azure.

Azure Key Vault enables users to store and use cryptographic keys within the Windows Azure environment in both software and hardware form. Azure Key Vault supports multiple key types and algorithms and enables the use of Hardware Security Modules (HSM) for high-value customer keys. In addition, Azure Key Vault allows users to securely store Secrets in a Key Vault; Secrets are limited-size octet objects, and Azure Key Vault applies no specific semantics to these objects. ADSS Server supports only asymmetric keys with Azure Key Vault. The following key algorithms are supported in ADSS Server with Azure Key Vault:


  • RSA with:
    • Key Sizes: 2048, 3072, 4096
    • Hash Algorithms: SHA256, SHA384, SHA512
  • ECDSA with:
    • Key Size: 256
    • Hash Algorithm: SHA256


ADSS Server does not support any mechanism for importing keys into, or exporting keys from, Azure Key Vault.


A Key Vault may contain a mix of keys and secrets at the same time, and access control for the two types of object is independently controlled.

Users, subject to appropriate authorization, may:

  • Manage cryptographic keys using Create and Delete operations.
  • Use cryptographic keys with Sign/Verify operations.

Operations against Key Vaults are authenticated and authorized using Windows Azure Active Directory.
The Azure Key Vault management system currently consists of two APIs: a REST API and a C# client API. The REST API forms the base functionality for all programmatic interaction with Azure Key Vault.

To generate a new Azure Key Vault profile, press the New button in the Crypto Source screen and select Azure Key Vault in the Crypto Source Type drop-down:


The Root CA certificate of the TLS servers behind the URLs configured in DNS Name and Endpoint OAuth 2.0 Token must be registered in Trust Manager to establish the TLS connection; otherwise the connection test will fail. Click here to learn how to export the Root CA of the TLS Server Authentication certificate and add it to the Trust Manager.



  • Status: Set the status of this Crypto Profile. If the status is set to Inactive, the profile cannot be used to generate or read keys for signing purposes.
  • Friendly Name: Enter a friendly name for this crypto device. The name must be unique within this ADSS Server environment.
  • Crypto Source Type: Select Azure Key Vault from the drop-down menu.
  • Key Storage Type: Select Hardware if you are using the Premium Key Vault service, or Software for the Standard service.
  • DNS Name: The Key Vault URL used to send requests that perform key operations such as create key, delete key and sign. The access token received from Azure Active Directory is passed in each request as well.
  • Endpoint OAuth 2.0 Token: The URL used to authenticate the client against Azure Active Directory and obtain the access token.
  • Application ID: The unique ID assigned when the application is registered in Azure Active Directory.
  • Key: The symmetric key (client secret) generated when the application is registered in Azure Active Directory; it acts as the application's password.
    The Key can be created without expiry, which is not recommended for security reasons. If it is created with a validity of one to two years (the recommended approach), the operator must record the expiry date and renew the Key before the current one expires.
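The fields above map onto two calls against Azure: a client-credentials request to the Endpoint OAuth 2.0 Token URL using the Application ID and Key, and a REST sign request to the Key Vault under DNS Name carrying the returned bearer token. The following is an added example (not ADSS Server code) that performs this exchange with the Python standard library. It encodes the RSA and ECDSA hash combinations the page lists as Key Vault algorithm names, and uses an injectable transport so the flow can be exercised offline against a stub; the vault name, tenant id, application id and client secret are placeholders, not values from any real deployment.

```python
"""Minimal Azure Key Vault signing client (added example, stdlib only).

Placeholders (hypothetical, not from the page): vault "example-vault",
tenant "TENANT-ID", application id "APP-ID", client secret "CLIENT-SECRET".
"""
import base64
import hashlib
import json
import urllib.parse
import urllib.request

# (key type, hash) combinations supported by ADSS Server with Key Vault,
# mapped to the JWS algorithm names the Key Vault REST API expects in "alg".
SIGN_ALGS = {
    ("RSA", "SHA256"): "RS256",
    ("RSA", "SHA384"): "RS384",
    ("RSA", "SHA512"): "RS512",
    ("ECDSA", "SHA256"): "ES256",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding Key Vault uses for 'value'."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def urllib_transport(url, method, headers, body):
    """Real transport: send the request, return (status, response bytes)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


class KeyVaultSigner:
    def __init__(self, dns_name, token_endpoint, app_id, key, transport=urllib_transport):
        self.vault_url = dns_name.rstrip("/")   # profile field "DNS Name"
        self.token_endpoint = token_endpoint    # profile field "Endpoint OAuth 2.0 Token"
        self.app_id = app_id                    # profile field "Application ID"
        self.key = key                          # profile field "Key" (client secret)
        self.transport = transport

    def get_token(self) -> str:
        """OAuth 2.0 client-credentials grant; the Key acts as the password."""
        form = urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "client_id": self.app_id,
            "client_secret": self.key,
            "scope": "https://vault.azure.net/.default",
        }).encode()
        status, body = self.transport(
            self.token_endpoint, "POST",
            {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            raise RuntimeError(f"token request failed: HTTP {status}")
        return json.loads(body)["access_token"]

    def sign(self, key_name, key_type, hash_alg, data, key_version=None, api_version="7.4"):
        """Hash locally, send the digest to /keys/{name}/sign, return (kid, raw signature)."""
        alg = SIGN_ALGS[(key_type, hash_alg)]          # KeyError for unsupported combinations
        digest = hashlib.new(hash_alg.lower(), data).digest()
        path = f"/keys/{key_name}" + (f"/{key_version}" if key_version else "") + "/sign"
        url = f"{self.vault_url}{path}?api-version={api_version}"
        headers = {"Authorization": f"Bearer {self.get_token()}",
                   "Content-Type": "application/json"}
        body = json.dumps({"alg": alg, "value": b64url(digest)}).encode()
        status, resp = self.transport(url, "POST", headers, body)
        if status != 200:
            raise RuntimeError(f"sign request failed: HTTP {status}")
        parsed = json.loads(resp)
        return parsed["kid"], b64url_decode(parsed["value"])


class StubTransport:
    """Constructed offline stand-in: records requests, answers with canned JSON."""
    def __init__(self):
        self.requests = []

    def __call__(self, url, method, headers, body):
        self.requests.append((url, method, headers, body))
        if url.endswith("/token"):
            return 200, json.dumps({"access_token": "TOKEN-PLACEHOLDER",
                                    "expires_in": 3599}).encode()
        kid = url.split("?")[0][:-len("/sign")]
        # 64 constructed bytes standing in for a P-256 r||s signature
        return 200, json.dumps({"kid": kid, "value": b64url(b"\x01" * 64)}).encode()


def demo():
    """Run one ECDSA/SHA256 signing round trip against the stub and report the wire details."""
    stub = StubTransport()
    signer = KeyVaultSigner("https://example-vault.vault.azure.net",
                            "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/token",
                            "APP-ID", "CLIENT-SECRET", transport=stub)
    kid, sig = signer.sign("my-ec-key", "ECDSA", "SHA256", b"document to sign")
    token_req, sign_req = stub.requests
    return {
        "kid": kid,
        "signature": sig,
        "token_form": token_req[3].decode(),
        "auth_header": sign_req[2]["Authorization"],
        "sign_body": json.loads(sign_req[3]),
        "expected_digest": b64url(hashlib.sha256(b"document to sign").digest()),
    }


if __name__ == "__main__":
    print(demo())
```

With `urllib_transport` in place of the stub, the same class talks to a real vault; note that Key Vault returns ECDSA signatures as raw r||s, which a verifier expecting DER-encoded signatures must convert first.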


For more details regarding configuration of Azure Key Vault with ADSS Server, refer to the document [ADSS-Server-Installation-Directory]/docs/Quick-Guide-for-Azure-Key-Vault-Configuration.


See also

PKCS#11 Standard

Utimaco CryptoServer CP5 HSM
Thales Luna K7 Cryptographic Module
nCipher nShield Solo XC Cryptographic Module
AWS CloudHSM
MS-CAPI/CNG
Importing Existing Keys