
Azure Key Vault Protecting Certificate

Hey, I'm wanting to use Azure Key Vault to encrypt/decrypt data in my DB. A major issue I see that myself and other people are struggling with is how to protect the access ID and key in your program. I see people are saying if you don't have a native Microsoft application (which I don't; mine is running on a third-party Linux server), you could get a certificate to access the Key Vault. Before I cough up the $200 to purchase that, I want to know that having that certificate means even if the certificate is stolen, attackers couldn't use it to access the Key Vault, right? My understanding is that the certificate would only work on my domain, correct?

I read this from an article I found online at https://kamranicus.com/posts/2016-02-20-azure-key-vault-config-encryption-azure :

Instead of using the default authentication to Azure AD, a "client ID" and "secret token", we will actually provide a secure X.509 certificate that we'll upload to Azure. Since you can't download the certificate from Azure or access the private key, it will authenticate your application without exposing the key to your vault in a config or portal interface.

So what I gather from this quote is:

  • The certificate is secure and cannot be stolen (unless you break into Microsoft Azure of course)
  • My site and only my site will be able to access the key vault using the certificate
  • If a user gains access to my code or my site they won't have what they need to access the key vault

Thanks

Basically, using a certificate is considered to be more secure than using a key for accessing any Azure service.

This means that the authentication is performed given a certificate and a signed authentication challenge (signed using the private key of the associated certificate).

Given the assumption that the private key is stored exclusively on the machine that runs the app, the attacker must get access to that machine in order to extract the associated private key (or to use it directly from the compromised machine).

In addition, Azure introduced a newer method to authenticate to Azure services using Managed Service Identity, which is considered to be more secure since the authentication is bound to the specified machine and is managed at the Azure level (not in the code nor on the machine, but it has to be an Azure machine). You can read about it here.

As for the main purpose (encrypt the DB), you can do it in several ways:
1. Column level encryption
2. Encryption at rest (i.e. TDE)

Azure Key Vault supports both operations. By the way, if the only purpose of the certificate is to authenticate to Azure, you can use a self-signed certificate instead of purchasing one.
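The "certificate plus signed challenge" model from the answer above, as an added example that is not part of the original post or of Azure's own code: a self-signed certificate is generated, the service keeps only the certificate (public key), and a challenge signed with the matching private key is the proof of identity. It assumes ECDSA P-256 and constructed challenge values; the function names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewSelfSignedCert creates a key pair plus a self-signed certificate. Only the
// certificate (public key inside) is uploaded; the private key stays on the app server.
func NewSelfSignedCert(cn string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // constructed sample serial
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return priv, cert, err
}

// SignChallenge is the client side: prove possession of the private key by
// signing the service's fresh challenge (SHA-256 digest, ASN.1 ECDSA signature).
func SignChallenge(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// VerifyChallenge is the service side: it holds only the uploaded certificate and
// checks the signature against the public key inside it. A copy of the certificate
// without the private key cannot produce a signature that passes this check.
func VerifyChallenge(cert *x509.Certificate, challenge, sig []byte) bool {
	return cert.CheckSignature(x509.ECDSAWithSHA256, challenge, sig) == nil
}
```

A signature made with any other key, or a signature replayed against a different challenge, fails verification, which is why protecting the private key on the server matters more than protecting the certificate itself.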
