Secrets management using Azure Managed HSM
Using Managed HSM to wrap secrets stored in Key Vault
Has being compliant with FIPS 140-2 ever struck fear in your soul? Recently, a customer asked about implementing Azure services that had keys and secrets backed by a FIPS 140-2 Level 3 validated cryptographic module. All of a sudden, I found myself back at RSA in a secured data-center rotating keys on an nCipher Hardware Security Module (HSM) (if you know, you know). In this blog post, I share my design and example scripts for a solution that met the customer’s compliance requirements.
Azure Key Vault (AKV) is an Azure managed service that provides secrets, key, and certificate management. For those reading with AWS expertise, Key Vault provides the same functionality as Key Management Service (KMS) and Secrets Manager. Last fall, Microsoft released the Azure Key Vault Managed HSM to public preview enabling the use of FIPS 140-2 Level 3 validated HSMs. This announcement was a huge surprise to me due to the intensity of the validation required to meet level 3. For those interested, the hardware supporting is manufactured by Marvell and validated as of 2020-SEP-29.
While in preview, the managed HSM only supports key management leaving secrets management as an exercise for the user. For my customer’s case, this was the challenge. How do we comply to the requirement for secrets with the limitation?
My solution came from the industry standard of using a Key Encryption Key (KEK) for data storage and transmission. It’s a well defined pattern that minimizes risk with as little overhead as possible. I drew up a workflow that used keys managed in the HSM to wrap the secrets.
In this diagram, the steps identify the wrapping and adding of the encrypted secret into AKV.
- The client retrieves the Secret Encryption Key (SEK) from the managed HSM in Azure. For this workflow, the client pulls the secret down to perform the encryption of the secret but to mitigate exposure, a small wrapper service can be deployed to perform the cryptographic operations on the secret without exposing the SEK.
- The client uses the SEK to encrypt the plaintext secret (s1). As mentioned above, for this workflow the client is responsible for the encryption using the key but this can be modified to prevent key exposure.
- The client pushes the wrapped key sek(s1) to AKV.
This workflow represents the steps to encrypt and store a secret using an HSM managed key. As mentioned in the steps, this workflow is a demonstration and should be modified to prevent key exposure.
The following section provides an example of each step in the above process through shell command execution. The listed commands are to provide a point of reference for your own implementation of the solution.
The prerequisite assumes that the Azure Managed HSM Quickstart and the Azure Key Vault Quickstart are completed.
- In this step, we create the Secret Encryption Key (SEK) in the managed HSM explicitly defining the operations and the key size.
1
2
3
4
# Create secret encryption key
az keyvault key create --hsm-name [hsm-name] --name sek \
--kty RSA-HSM --ops encrypt decrypt \
--protection hsm --size [key-size]
- In this step, we encrypt the plaintext secret (s1) using the SEK
1
2
3
4
# Encrypt secret with HSM key
az keyvault key encrypt --hsm-name [hsm-name] --name sek \
--algorithm RSA-OAEP --data-type plaintext \
--value [plaintext_secret]
- In this step, we store the encrypted secret sek(s1) in the Azure Key Vault
1
2
3
4
5
# Store secret in keyvault vault
az keyvault secret set --name [secret-name] \
--vault-name [vault-name] \
--encoding base64 \
--value [ciphertext from above]
- In this step, we retrieve the encrypted secret from the keyvault vault and decrypt it using the SEK from the managed HSM
1
2
3
4
5
6
# Decrypt secret using key from managed HSM
az keyvault key decrypt --hsm-name [hsm-name] --name sek \
--algorithm RSA-OAEP --data-type plaintext \
--value \
`az keyvault secret show --name [secret-name] \
--vault-name [vault-name] --query value --output tsv`
This workflow provides a foundation to implement a secrets management solution that requires FIPS 140-2 Level 3 HSM backed keys in Azure. Using a combination of the managed HSM and Key Vault services provides a balance between security and cost. As mentioned above, building a simple service to perform the cryptographic operations on the managed secret will improve the overall security posture of the solution. In addition, management of the SEK lifecycle should be considered.
Tweet to @kriation