A more secure way to use key vault


Question

Usually when you use key vault to encrypt and decrypt data you have to keep your AD registered app's (that has the authorization to access key vault) ClientID and ClientSecret in plain text somewhere. This seems like a security problem: if someone steals the ClientID and Secret, anyone can claim they are the registered app.

Is there or can there be a more secure approach?

Answer

You can use a certificate to authenticate instead of a secret.

There are three things you need to do for this approach:

  1. Create a certificate to use.
  2. When creating the Active Directory application that you will use to access the Key Vault, you need to pass in the certificate you created in step 1. I don't think you can do this through the portal at the minute, so you'll need to use the New-AzureRMADApplication PowerShell command.
  3. Use that certificate when authenticating to Key Vault. You'll need to use an overload of the AuthenticationContext.AcquireTokenAsync() method that receives a ClientAssertionCertificate to do that. You can create a ClientAssertionCertificate by simply passing the client id and the X509Certificate2.

From this blog post you can get some code for the first two steps.
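Step 3 of the approach above, written out as an added C# example that is not part of the original answer or of any Microsoft sample. It assumes steps 1 and 2 were already done as the answer describes (a certificate created and its public part passed to the AD application via New-AzureRMADApplication), that the certificate with its private key is installed in the current user's personal store, and that the ADAL (Microsoft.IdentityModel.Clients.ActiveDirectory) and Microsoft.Azure.KeyVault packages are referenced. The class name CertificateKeyVaultAccess, the method names, and the tenant, client id, thumbprint, vault and secret placeholders are all assumptions for illustration.

```csharp
// Added example (not from the original page): authenticating to Key Vault with a
// certificate (ClientAssertionCertificate) instead of a plain-text client secret.
// Placeholders in angle brackets must be replaced with your own values.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class CertificateKeyVaultAccess
{
    // Assumed placeholders: the AD application's client id and the thumbprint of
    // the certificate registered on it in step 2.
    private const string ClientId = "<client-id-of-the-AD-application>";
    private const string CertificateThumbprint = "<thumbprint-of-the-certificate-from-step-1>";

    // Looks the certificate up in the current user's personal store. The private key
    // stays in the store, so there is no secret string in a config file or environment
    // variable for an attacker to copy; they would need access to the store itself.
    private static X509Certificate2 FindCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Certificate not found: " + thumbprint);

            X509Certificate2 cert = matches[0];
            // ClientAssertionCertificate signs a JWT with the private key. If only the
            // public .cer was imported, the failure surfaces later with a less obvious
            // error, so check for the private key up front.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key: " + thumbprint);
            return cert;
        }
    }

    // Matches the KeyVaultClient.AuthenticationCallback delegate. KeyVaultClient calls
    // this when it needs a token, passing the authority and resource taken from the
    // vault's 401 challenge, so no authority has to be hard-coded here.
    public static async Task<string> GetAccessTokenAsync(string authority, string resource, string scope)
    {
        var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
        var assertion = new ClientAssertionCertificate(ClientId, FindCertificate(CertificateThumbprint));
        // The AcquireTokenAsync overload that takes a ClientAssertionCertificate instead
        // of a ClientCredential(clientId, clientSecret).
        AuthenticationResult result = await context.AcquireTokenAsync(resource, assertion);
        return result.AccessToken;
    }

    // Reads one secret by its full identifier, e.g.
    // https://<vault-name>.vault.azure.net/secrets/<secret-name>
    public static async Task<string> ReadSecretAsync(string secretIdentifier)
    {
        var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessTokenAsync));
        var secret = await client.GetSecretAsync(secretIdentifier);
        return secret.Value;
    }

    public static void Main()
    {
        // Assumed placeholder vault and secret name.
        string value = ReadSecretAsync("https://<vault-name>.vault.azure.net/secrets/<secret-name>")
            .GetAwaiter().GetResult();
        // Deliberately not printing the secret itself.
        Console.WriteLine("Retrieved secret, length " + value.Length);
    }
}
```

When installing the certificate for step 3, import it with a non-exportable private key: ClientAssertionCertificate only needs to sign with the key, and a non-exportable key cannot be lifted off the machine the way a ClientSecret string in a config file can. Give the vault access policy for this application only the permissions the code uses (here, get on secrets), so a stolen certificate is limited to that.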
