Key Management in Windows Azure

Question

I'm a bit confused about how to store keys (for data encryption) in Windows Azure.

According to the following two links (#1, #2), it is recommended to store the keys/key library in the Windows Azure Storage:

Storing your own key library within the Windows Azure Storage services is a good way to persist some secret information since you can rely on this data being secure in the multi-tenant environment and secured by your own storage keys.

But the "Security Best Practices For Developing Windows Azure Applications" (#3) recommends NOT to store any key related material in Windows Azure:

Also, developers should not upload the key or any keying material to Windows Azure Storage, regardless of how careful they are about hiding it. If any computer or storage services were compromised, it could lead to encryption keys being exposed.

What is the best approach to store keys for encryption in Windows Azure?

Answer 1

The Azure Key vault service that has been released recently might be a perfect fit for the problem. This has been introduced so that keys can be managed in a central place and access can be easily controlled. It also supports HSM-backed service making it very secure.

Here is a artice on Getting Started with Azure Key Vault

Answer 2

For future Googlers - I've implemented the solution that Stuart Pegg describes above, but decoupled from Azure Tables.

See https://www.fasterweb.io/Blog/two-way-encryption-for-azure-web-roles for a writeup, or https://gist.github.com/strommen/20905504949072fe5e16 for just the code.

Answer 3

I know that this may be a bit late, but if anyone is looking for a quick and easy implementation of encryption for Azure Websites, I've created a (Azure.Security and the source code is currently on GitHub. The project is loosely based on the Codeplex: Azure Table Encryption via Attribute project but it is a lot more straightforward and easy to use. A blog post will follow shortly with instructions on how to set it up and use it.

Answer 4

You'll see from my comment in that first link that I agree with your concerns. :)

Azure has no secure way of storing keys other than it's own Certificate Storage. Here is an article on using this method:

Field Note: Using Certificate-Based Encryption in Windows Azure Applications

You'll notice I've also commented on that article's shortcomings too, linking to this question:

Read azure ServiceConfiguration file's certificate section using c#

An example of using Azure's built in certificate storage to encrypt AES keys (avoiding the RSA restrictions on encrypted data length, while keeping the AES key secure) can be found in this project:

Codeplex: Azure Table Encryption via Attribute

The SymmetricKeyHelper class in the EncryptDecrypt project is of particular interest.

Kudos to @breischl for mentioning it, and for his contributions to the project.

Answer 5

There’s always a risk. If someone gains access to your storage account using any means (such as using a tool), they may be able to find out your key. So in the end, it is needed to protect the storage account itself from accessed by unauthorized access.

For example, please do not allow a developer to access the production storage account. This includes don’t allow them to access the account using tools. Please protect the storage account key and do not leak any information in any application.

Only storage administrators (and developers who you 100% trust) can have full access to the production storage account. Then you’re safe to store the key in your storage account.