Azure Key Vault access permissions and key security


I am developing a .NET application that uploads files to Azure Storage. I am leveraging client-side encryption as done in the tutorial at https://azure.microsoft.com/en-us/documentation/articles/storage-encrypt-decrypt-blobs-key-vault/
The application works, i.e. I can successfully upload an encrypted blob to a selected storage account and container.
However, I have some concerns about the security of the RSA key. If the client application gets the key from Key Vault to use in the BlobEncryptionPolicy, could that key get compromised? The only thing the application really needs is the public key of the RSA pair; the private key should remain stored on the server (decryption only happens in a trusted web app).
The other concern I have is that it is trivial for the AAD integration info to be obtained from the app.config. How does one work around that?
(Note: the workstations on which the upload app will run are not necessarily trusted.)

Some additional reading of the Azure Storage and Key Vault walkthrough document at https://azure.microsoft.com/en-us/documentation/articles/storage-encrypt-decrypt-blobs-key-vault/ has provided the answer:
"The Storage client itself never has access to KEK."
The KEK is the "Key Encryption Key", which encrypts the one-time-use symmetric encryption key used to encrypt the actual blob.
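The envelope pattern the answer describes, written out as an added example in Go (it is not the Azure Storage SDK's code and does not talk to Key Vault). The KEK is an RSA pair generated inline for the demo; the client side uses only the public half to wrap a fresh per-blob AES-GCM content key (CEK), and the server side, which alone holds the private half, unwraps the CEK and decrypts. A workstation that only ever sees the public key cannot recover any blob, which is the property the question is after. Function and type names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedBlob is what the (possibly untrusted) client uploads: the AES-GCM
// ciphertext plus the wrapped content key. The KEK private key is never needed here.
type EncryptedBlob struct {
	Ciphertext []byte // GCM nonce followed by ciphertext and tag
	WrappedCEK []byte // CEK encrypted with RSA-OAEP under the KEK public key
}

// ClientEncrypt runs on the upload workstation and needs only the KEK public key.
func ClientEncrypt(kekPub *rsa.PublicKey, plaintext []byte) (*EncryptedBlob, error) {
	// One-time-use content encryption key, fresh for every blob.
	cek := make([]byte, 32)
	if _, err := rand.Read(cek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nonce, nonce, plaintext, nil)

	// Wrap the CEK with the KEK public key; only the private key can unwrap it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kekPub, cek, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedBlob{Ciphertext: ct, WrappedCEK: wrapped}, nil
}

// ServerDecrypt runs in the trusted web app that holds the KEK private key.
func ServerDecrypt(kekPriv *rsa.PrivateKey, blob *EncryptedBlob) ([]byte, error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kekPriv, blob.WrappedCEK, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob.Ciphertext) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob.Ciphertext[:ns], blob.Ciphertext[ns:], nil)
}

// RoundTrip generates a demo KEK (in production it would live in Key Vault),
// encrypts on the client side, decrypts on the server side, and reports
// whether the plaintext was recovered.
func RoundTrip(plaintext []byte) (bool, error) {
	kek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	blob, err := ClientEncrypt(&kek.PublicKey, plaintext)
	if err != nil {
		return false, err
	}
	got, err := ServerDecrypt(kek, blob)
	if err != nil {
		return false, err
	}
	return string(got) == string(plaintext), nil
}

func main() {
	// Constructed sample input for the demo.
	ok, err := RoundTrip([]byte("constructed sample blob contents"))
	fmt.Println("server recovered plaintext:", ok, "error:", err)
}
```

The security-relevant split is visible in the signatures: ClientEncrypt takes `*rsa.PublicKey`, ServerDecrypt takes `*rsa.PrivateKey`. A compromised upload workstation yields the public key and some wrapped CEKs, neither of which decrypts anything without the private half.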
