Using Azure Key Vault to Encrypt Data in the Cloud

Azure Key Vault gives organizations access to Hardware Security Module (HSM) appliances in the cloud, providing the ability to better secure VMs and SQL Server data. In this Ask the Admin, I’ll look at some of the potential use scenarios.

Security is often cited as the primary concern for organizations looking to move data to the cloud. But if carefully planned, cloud solutions can provide a secure platform on which to host corporate data. At the end of 2014, Microsoft released Azure Key Vault in public preview to several regions, providing scalable and secure Hardware Security Module (HSM) appliances in the cloud and giving customers access to a technology that can be costly to implement on-premises.

Azure Key Vault

Using FIPS 140-2 validated HSMs, Azure Key Vault provides a cryptographic key management service that can be used to store encryption keys or other sensitive information, such as passwords and SQL connection strings. Use cases include storing sensitive credentials for line-of-business applications running in the cloud, strengthening SQL Server encryption by keeping the key-protecting key outside the database server, and encrypting the boot volumes of Azure virtual machines.

Encrypting Data in the Cloud with Azure Key Vault
In Azure Key Vault, an admin creates and manages vaults and keys from within an Azure subscription. (Image Credit: Microsoft)

Azure Key Vault lets organizations separate the duties of managing encryption keys, running operations, developing applications and auditing, for applications running on-premises and in the cloud. Rather than embedding secrets in application code or configuration files, where operations staff and developers can read them, secrets such as SQL connection strings are stored in the vault and released only to the applications and host VMs that have been granted access to them. Encryption keys get stronger protection still: an application never receives the key itself. It calls the Azure Key Vault service, which performs the cryptographic operation (for example, wrapping or unwrapping a data encryption key) inside the HSM and returns only the result, so the key is never revealed to the app, the VM, or the people who administer them.
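The following PowerShell script is an added example, not code from the original article or from Microsoft. It shows the separation of duties described above with the Az PowerShell module: a Premium vault, an HSM-backed key restricted to wrap/unwrap, a secret that only the application may read, access policies that give the application, a key administrator and an auditor different rights, and an envelope-encryption round trip in which the application generates a local AES data encryption key (DEK) and has the vault wrap it, so the HSM key never leaves the vault. The resource group, vault, key, secret, account names and the client ID are hypothetical; `Invoke-AzKeyVaultKeyOperation` and its `RawResult` property are assumed to be available from Az.KeyVault 4.3 or later.

```powershell
# Added example (not the article's or Microsoft's code). Requires the Az module, an
# existing resource group and an Entra ID application whose client ID is in $appId.
# All names below are hypothetical.

$rg        = 'rg-keyvault-demo'
$vaultName = 'kv-contoso-demo'                        # must be globally unique
$appId     = '00000000-0000-0000-0000-000000000000'   # application (client) ID, placeholder

# 1. Premium SKU is required for HSM-backed keys. Purge protection stops an attacker
#    (or a mistake) from permanently deleting keys that protect data at rest.
New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location 'westeurope' `
    -Sku Premium -EnablePurgeProtection

# 2. An RSA key generated inside the HSM, limited to key wrapping so it cannot be
#    repurposed for arbitrary signing or decryption.
Add-AzKeyVaultKey -VaultName $vaultName -Name 'app-kek' -Destination HSM `
    -KeyOps wrapKey,unwrapKey

# 3. A generic secret (a constructed connection string) that the app may read.
$conn = ConvertTo-SecureString 'Server=tcp:sql01;Database=Orders;User ID=svc;Password=...' `
    -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vaultName -Name 'orders-sql-conn' -SecretValue $conn `
    -ContentType 'text/plain'

# 4. Separation of duties: the application may read the secret and *use* (not read)
#    the key; the key administrator manages keys but cannot read secrets; the auditor
#    can only list what exists.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $appId `
    -PermissionsToKeys wrapKey,unwrapKey -PermissionsToSecrets get
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -UserPrincipalName 'keyadmin@contoso.com' `
    -PermissionsToKeys get,list,create,delete,backup,restore
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -UserPrincipalName 'auditor@contoso.com' `
    -PermissionsToKeys list -PermissionsToSecrets list

# 5. Envelope encryption from the application's side: generate a random 256-bit DEK
#    locally, have the vault wrap it with the HSM key, and keep the wrapped DEK next to
#    the ciphertext. The private half of 'app-kek' is never exported.
$dek = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($dek)

$wrapped = Invoke-AzKeyVaultKeyOperation -Operation Wrap -Algorithm 'RSA-OAEP-256' `
    -VaultName $vaultName -Name 'app-kek' -ByteArrayValue $dek   # assumed Az.KeyVault 4.3+
$wrappedDek = $wrapped.RawResult       # byte[]; safe to persist alongside the data

# AES-CBC with PKCS7 padding is used here because it works on Windows PowerShell 5.1;
# on PowerShell 7 prefer System.Security.Cryptography.AesGcm for authenticated encryption.
$aes = [System.Security.Cryptography.Aes]::Create()
$aes.Key = $dek
$aes.GenerateIV()
$plain  = [System.Text.Encoding]::UTF8.GetBytes('constructed sample record: card=4111-xxxx')
$cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
[Array]::Clear($dek, 0, $dek.Length)   # drop the plaintext DEK from memory once used

# 6. To decrypt later, the app asks the vault to unwrap. What comes back is only the
#    DEK; the HSM key itself is never released.
$unwrapped = Invoke-AzKeyVaultKeyOperation -Operation Unwrap -Algorithm 'RSA-OAEP-256' `
    -VaultName $vaultName -Name 'app-kek' -ByteArrayValue $wrappedDek
$aes.Key = $unwrapped.RawResult
$recovered = [System.Text.Encoding]::UTF8.GetString(
    $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length))
$recovered   # should print the constructed sample record
```

Every wrap and unwrap call is logged by Key Vault, so the auditor's "list" permission plus the vault's diagnostic logs give a record of which identity used which key and when. Note that access policies are the model the article is written against; on current vaults the same split can be expressed with Azure RBAC roles (Key Vault Crypto User, Key Vault Secrets User, Key Vault Reader) by creating the vault with `-EnableRbacAuthorization`.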

Encrypting VMs

Microsoft doesn’t support BitLocker boot-volume encryption on Azure VMs, because a VM has no access to a Trusted Platform Module (TPM), which BitLocker relies on to protect the volume key and unlock the operating system volume unattended at boot. However, CloudLink SecureVM can provide boot-volume encryption with a fully automated boot cycle, using Azure Key Vault as the key store when the VMs are located in Azure, or RSA Data Protection Manager or Active Directory to store encryption keys in hybrid and private cloud scenarios.

CloudLink Center is a virtual appliance that can be configured to use Azure Key Vault as its key store. A small agent is deployed to each VM to encrypt its boot volume, and additional data volumes can be encrypted with BitLocker from CloudLink Center if required. Apart from specifying the IP addresses of the VMs to be encrypted in CloudLink Center, no other configuration is required to get the solution working. Linux VMs are also supported, using the native Linux volume encryption technology.

SQL Server Encryption

Azure Key Vault can be used in conjunction with SQL Server Extensible Key Management (EKM), which provides extra protection for the keys used by Transparent Data Encryption (TDE), Column Level Encryption (CLE), and encrypted backups, three technologies used to protect SQL data at rest. TDE encrypts the database’s data and log files on disk, and CLE encrypts individual columns. Bear in mind that TDE protects the files and backups only: data is decrypted transparently for any login that can query the database, so it does not protect against a compromised database administrator account.

Extensible Key Management lets SQL Server protect its symmetric database encryption keys, which do the bulk data encryption, with an asymmetric key that is stored in an external cryptographic provider and never leaves it. This gives organizations greater flexibility in managing keys and data by clearly delineating administrative duties: the DBA manages the database, while the key administrator controls the key in Azure Key Vault and can revoke the database server’s access to it. The SQL Server Connector for Microsoft Azure Key Vault can be downloaded from the Microsoft Download Center and is the EKM provider that connects SQL Server to Azure Key Vault. Azure Key Vault can be used not only to protect SQL Server encryption keys in the cloud, but also to protect on-premises SQL Server workloads.
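As an added example, not code from the original article or from Microsoft, the script below drives the EKM setup from PowerShell with `Invoke-Sqlcmd` (SqlServer module): it enables the EKM provider, registers the connector DLL, creates the credentials SQL Server uses to authenticate to the vault, references an existing vault key as a server asymmetric key, and turns on TDE for a database with a database encryption key protected by that vault key. It assumes the SQL Server Connector for Microsoft Azure Key Vault is installed at its default path, that an Entra ID application with the given client ID and secret has get, list, wrapKey and unwrapKey permission on keys in the vault, and that an RSA key named `sql-tde-kek` already exists there; the instance, vault, key, database and login names are hypothetical. The credential format (IDENTITY is the vault name; SECRET is the client ID without hyphens immediately followed by the client secret) follows Microsoft’s setup documentation for the connector.

```powershell
# Added example (not the article's or Microsoft's code). Requires the SqlServer PowerShell
# module, SQL Server Enterprise/Developer edition (EKM), and the Key Vault connector.
# All names below are hypothetical.

$sqlInstance  = 'sql01'
$vaultName    = 'kv-contoso-sql'
$clientId     = '00000000000000000000000000000000'   # application (client) ID, hyphens removed
$clientSecret = Read-Host -Prompt 'Client secret' -AsSecureString
$plainSecret  = [System.Net.NetworkCredential]::new('', $clientSecret).Password

# The connector expects the credential SECRET to be <client ID without hyphens><client secret>.
# The secret is only ever stored inside SQL Server's credential store, not in a script file.
$ekmSecret = $clientId + $plainSecret

$setup = @"
USE master;
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;   RECONFIGURE;

-- Register the Key Vault EKM provider DLL (default install path of the connector).
CREATE CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov
FROM FILE = 'C:\Program Files\Microsoft SQL Server Connector for Microsoft Azure Key Vault\Microsoft.AzureKeyVaultService.EKM.dll';

-- Credential that lets the DBA's login talk to the vault while running this setup.
CREATE CREDENTIAL sysadmin_ekm_cred
    WITH IDENTITY = '$vaultName', SECRET = '$ekmSecret'
    FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
ALTER LOGIN [CONTOSO\dba] ADD CREDENTIAL sysadmin_ekm_cred;

-- Reference the existing vault key. Only the public half is visible to SQL Server;
-- the private key stays in Key Vault and is used there to unwrap the DEK.
CREATE ASYMMETRIC KEY TDE_KEK
    FROM PROVIDER AzureKeyVault_EKM_Prov
    WITH PROVIDER_KEY_NAME = 'sql-tde-kek', CREATION_DISPOSITION = OPEN_EXISTING;

-- A login mapped to the key, with its own credential, which the engine uses at
-- startup to reach the vault and open the database without a human logged in.
CREATE LOGIN TDE_Login FROM ASYMMETRIC KEY TDE_KEK;
CREATE CREDENTIAL TDE_ekm_cred
    WITH IDENTITY = '$vaultName', SECRET = '$ekmSecret'
    FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;
ALTER LOGIN TDE_Login ADD CREDENTIAL TDE_ekm_cred;
"@

$enableTde = @"
USE Orders;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY TDE_KEK;
ALTER DATABASE Orders SET ENCRYPTION ON;
"@

Invoke-Sqlcmd -ServerInstance $sqlInstance -Query $setup
Invoke-Sqlcmd -ServerInstance $sqlInstance -Query $enableTde

# Verify: encryption_state 3 = encrypted (2 = in progress), and encryptor_type should
# read ASYMMETRIC KEY rather than CERTIFICATE, proving the DEK is wrapped by the vault key.
Invoke-Sqlcmd -ServerInstance $sqlInstance -Query @"
SELECT DB_NAME(database_id) AS db, encryption_state, encryptor_type, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
"@
```

Two operational checks follow from this design. First, if the key administrator removes the application’s unwrapKey permission in Key Vault, or the vault is unreachable, SQL Server can no longer open the database at startup, which is the intended control but also a dependency to monitor. Second, the client secret expires and has to be rotated in both credentials with `ALTER CREDENTIAL`; a secret that contains a single quote must be escaped before being embedded in the T-SQL above.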

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.