Azure Key Vault access permissions and key security

Question

I am developing a .NET application that uploads files to Azure Storage. I am leveraging client-side encryption as done in the tutorial at https://azure.microsoft.com/en-us/documentation/articles/storage-encrypt-decrypt-blobs-key-vault/

The application works, ie I can successfully upload an encrypted blob to a selected storage account and container.

However, I have some concerns about the security of the RSA key. If the client application gets the key from Key Vault to use in the BlobEncryptionPolicy, that key could get compromised? The only thing the application really needs is the public key of the RSA pair, the private key should remain stored on the server (decrypting only happens by a trusted web app).

The other concern I have is that it is trivial for the AAD integration info to be obtained from the app.config. How does one work around that?

(note: the workstations on which the upload app will run are not necessarily trusted)

Answer 1

Some additional reading of the Azure Storage and Key Vault walkthrough document at https://azure.microsoft.com/en-us/documentation/articles/storage-encrypt-decrypt-blobs-key-vault/ has provided the answer:

"The Storage client itself never has access to KEK."

The KEK is the "Key Encryption Key" which encrypts the actual one-time-use symmetric encryption key used to encrypt the actual blob.

Answer 2

All you need is a public key to encrypt a random symmetric key and use that symmetric key to encrypt your data. The server process (Function or similar) has access to the private key used to decrypt the symmetric key, and then decrypt the blob. Access the the private key, held in KV, can be restricted using RBAC policy and applying a managed identity to the process that needs to read the private key.

Finally, the public key really should not be a naked key, it should be in a X.509 cert so you can verify the authenticity of the server end point.