Azure Key Vault access permissions and key security


I am developing a .NET application that uploads files to Azure Storage. I am leveraging client-side encryption as done in the tutorial at https://azure.microsoft.com/en-us/documentation/articles/storage-encrypt-decrypt-blobs-key-vault/
The application works, i.e. I can successfully upload an encrypted blob to a selected storage account and container.
However, I have some concerns about the security of the RSA key. If the client application gets the key from Key Vault to use in the BlobEncryptionPolicy, couldn't that key get compromised? The only thing the application really needs is the public key of the RSA pair; the private key should remain stored on the server (decryption only happens in a trusted web app).
The other concern I have is that it is trivial for the AAD integration info to be obtained from the app.config. How does one work around that?
(note: the workstations on which the upload app will run are not necessarily trusted)
Some additional reading of the Azure Storage and Key Vault walkthrough document at https://azure.microsoft.com/en-us/documentation/articles/storage-encrypt-decrypt-blobs-key-vault/ has provided the answer:
"The Storage client itself never has access to KEK."
The KEK is the "Key Encryption Key", which wraps (encrypts) the one-time symmetric key that in turn encrypts the blob itself.
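As an added illustration (this is not code from the linked tutorial or from the Azure Storage SDK), the envelope scheme behind "the Storage client itself never has access to KEK" written out in plain System.Security.Cryptography: a stand-in for Key Vault holds the RSA private half, the untrusted upload client is handed only the public half, generates a fresh AES content-encryption key (CEK) per blob, wraps that CEK with the public KEK, and ships the wrapped CEK alongside the ciphertext; only the trusted side can unwrap it. The class and method names, the in-memory "vault", the constructed sample blob and the use of AES-GCM (rather than the cipher mode the SDK of that era used) are assumptions of this example; it targets .NET Core 3.0 or later.

```csharp
// Added example, not from the Azure tutorial or SDK: envelope encryption with an
// RSA key-encryption key (KEK) and a one-time AES content-encryption key (CEK).
// Names, the in-memory vault and the sample data are assumptions for illustration.
using System;
using System.Security.Cryptography;
using System.Text;

// Stands in for Key Vault: the private half of the KEK never leaves this object.
sealed class KeyEncryptionKeyHolder : IDisposable
{
    private readonly RSA _rsa = RSA.Create(2048);

    // The most a client with only "get" permission learns: the public half.
    public RSAParameters ExportPublicParameters() => _rsa.ExportParameters(false);

    // Equivalent of Key Vault "unwrapKey"; only the trusted service may call it.
    public byte[] UnwrapKey(byte[] wrappedCek) =>
        _rsa.Decrypt(wrappedCek, RSAEncryptionPadding.OaepSHA256);

    public void Dispose() => _rsa.Dispose();
}

// What travels with the blob (Azure keeps a comparable structure in blob metadata).
sealed class EncryptedBlob
{
    public byte[] WrappedCek { get; set; } = Array.Empty<byte>();
    public byte[] Nonce { get; set; } = Array.Empty<byte>();
    public byte[] Tag { get; set; } = Array.Empty<byte>();
    public byte[] Ciphertext { get; set; } = Array.Empty<byte>();
}

static class UploadClient
{
    // Runs on the untrusted workstation: it sees the CEK briefly and the public KEK, nothing else.
    public static EncryptedBlob Encrypt(RSAParameters kekPublic, byte[] plaintext)
    {
        byte[] cek = new byte[32];   // one-time AES-256 key for this blob only
        byte[] nonce = new byte[12]; // AES-GCM nonce
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(cek);
            rng.GetBytes(nonce);
        }

        byte[] ciphertext = new byte[plaintext.Length];
        byte[] tag = new byte[16];
        using (var aes = new AesGcm(cek))
            aes.Encrypt(nonce, plaintext, ciphertext, tag);

        byte[] wrapped;
        using (var rsa = RSA.Create())
        {
            rsa.ImportParameters(kekPublic); // public half only: can wrap, cannot unwrap
            wrapped = rsa.Encrypt(cek, RSAEncryptionPadding.OaepSHA256);
        }
        CryptographicOperations.ZeroMemory(cek); // the client has no further use for the CEK

        return new EncryptedBlob { WrappedCek = wrapped, Nonce = nonce, Tag = tag, Ciphertext = ciphertext };
    }
}

static class TrustedService
{
    // Runs where the private KEK lives: unwrap the CEK, then decrypt the blob.
    public static byte[] Decrypt(KeyEncryptionKeyHolder kek, EncryptedBlob blob)
    {
        byte[] cek = kek.UnwrapKey(blob.WrappedCek);
        byte[] plaintext = new byte[blob.Ciphertext.Length];
        using (var aes = new AesGcm(cek))
            aes.Decrypt(blob.Nonce, blob.Ciphertext, blob.Tag, plaintext);
        CryptographicOperations.ZeroMemory(cek);
        return plaintext;
    }
}

class Program
{
    static void Main()
    {
        using var kek = new KeyEncryptionKeyHolder();
        RSAParameters publicOnly = kek.ExportPublicParameters();

        byte[] data = Encoding.UTF8.GetBytes("constructed sample blob contents"); // constructed input
        EncryptedBlob blob = UploadClient.Encrypt(publicOnly, data);

        // A compromised workstation holding only the public half cannot recover the CEK.
        using (var rsa = RSA.Create())
        {
            rsa.ImportParameters(publicOnly);
            try { rsa.Decrypt(blob.WrappedCek, RSAEncryptionPadding.OaepSHA256); }
            catch (CryptographicException) { Console.WriteLine("public KEK alone cannot unwrap the CEK"); }
        }

        byte[] roundTrip = TrustedService.Decrypt(kek, blob);
        Console.WriteLine(Encoding.UTF8.GetString(roundTrip)); // "constructed sample blob contents"
    }
}
```

The practical consequence for the permission concern in the question: the Key Vault access policy granted to the upload client needs only the key operations that wrapping requires (get, or wrapKey when the key material cannot be read), and should never include unwrapKey or decrypt; those belong solely to the trusted web app's identity. That scoping, not secrecy of the client binary, is what keeps a compromised workstation from turning stored ciphertext back into plaintext.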
