A safer way to use key storage

Usually, when you use the key store to encrypt and decrypt data, you should save the ClientID and ClientSecret of your registered AD application (with authorization to access the key store) in plain text. This seems like a security issue: if someone steals the ClientID and Secret, anyone can claim to be the registered application.

Is there, or can there be, a safer approach?

+4
2 answers

You can use a certificate for authentication instead of a secret.

For this approach, three things must be done:

.

+2

KeyVault, Azure Managed Service Identity Azure . : Azure VM, Azure App Service, Azure Function, Azure Event Hub Azure Service Bus. https://docs.microsoft.com/en-us/azure/active-directory/msi-overview

[ ] - KeyVault, Azure MSI . AzureServiceTokenProvider()

(, Ansible) Ansible Vault 256- . . Azure.

0

Source: https://habr.com/ru/post/1622718/

