
Azure KeyVault client should support SecureStrings


Although it is unlikely an app inside of Azure would be compromised at the process memory level, it still would be nice if the Key Vault client supported returning a SecureString for the value of the secret.

var secret = await _keyVaultClient.GetSecretSecureAsync(secretId);

var value = secret.SecureValue;

Issue Analytics

  • State: closed
  • Created 8 years ago
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

1 reaction
daviburg commented, Feb 26, 2019

@kamranayub We have certainly considered this, however it might simply be theatre; the AKV SDK is built on a number of layers, including .NET HttpClient, the Hyak layer, JSON.NET and each of these “touch” requests and responses in one or more ways, as either byte[] or string, in the process’ memory. As you note, today, you should consider the process to be the security boundary and secure it appropriately.

Dear colleague, the layered security principle is that security risk mitigations complement each other, rather than the argument that o-well-other-layers-didn’t-plug-the-hole-so-why-would-we? If the assemblies you are using don’t have native support for SecureString serialization, that’s exactly where you, Key Vault as a service for secrets, need to pass them only an encrypted payload which, when you do decrypt it, is kept immediately in a SecureString (CryptoStream byte by byte to SecureString, followed by dispose to purge the buffers from memory).
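The byte-by-byte CryptoStream-to-SecureString approach described in the comment above, which is also what the SecureValue property requested in the issue body would need underneath, as an added C# example. This is not code from the GitHub issue or from the Azure Key Vault SDK. It assumes the secret arrives as an AES-CBC ciphertext together with a key and IV obtained out of band (for instance a key wrapped by Key Vault); the class and method names SecureSecretReader, DecryptToSecureString and FromManagedString, and the sample secret, are constructed for illustration.

```csharp
// Added example (not from the GitHub issue or the Azure SDK): build a SecureString
// from a decrypted payload without ever materializing the secret as a managed string.
// Key/IV handling is assumed to happen out of band; a constructed key and IV are
// generated here so the sample runs offline.
using System;
using System.IO;
using System.Security;
using System.Security.Cryptography;
using System.Text;

static class SecureSecretReader
{
    // Decrypt `ciphertext` with AES-CBC and stream the plaintext straight into a
    // SecureString, one decoded character at a time. No System.String holding the
    // full secret is ever created; only the small scratch buffers below see the
    // plaintext, and they are wiped before returning.
    public static SecureString DecryptToSecureString(byte[] key, byte[] iv, byte[] ciphertext)
    {
        var result = new SecureString();
        var decoder = Encoding.UTF8.GetDecoder();  // stateful: handles multi-byte sequences split across reads
        var oneByte = new byte[1];
        var chars = new char[4];                   // one code point yields at most 2 UTF-16 units

        using (var aes = Aes.Create())
        {
            aes.Key = key;
            aes.IV = iv;
            using (var decryptor = aes.CreateDecryptor())
            using (var input = new MemoryStream(ciphertext))
            using (var crypto = new CryptoStream(input, decryptor, CryptoStreamMode.Read))
            {
                try
                {
                    while (crypto.Read(oneByte, 0, 1) == 1)
                    {
                        // Feed one byte to the decoder; it emits chars only once a full code point is complete.
                        int produced = decoder.GetChars(oneByte, 0, 1, chars, 0, flush: false);
                        for (int i = 0; i < produced; i++)
                            result.AppendChar(chars[i]);
                    }
                    // Flush any trailing partial sequence (none expected for well-formed UTF-8).
                    int tail = decoder.GetChars(Array.Empty<byte>(), 0, 0, chars, 0, flush: true);
                    for (int i = 0; i < tail; i++)
                        result.AppendChar(chars[i]);
                }
                finally
                {
                    // Purge the scratch buffers so plaintext fragments do not linger on the managed heap.
                    CryptographicOperations.ZeroMemory(oneByte);
                    Array.Clear(chars, 0, chars.Length);
                }
            }
        }

        result.MakeReadOnly();
        return result;
    }

    // The route the issue wants to avoid: the secret's Value is an immutable
    // System.String, so copying it into a SecureString still leaves the original
    // plaintext on the managed heap until the GC happens to overwrite it.
    public static SecureString FromManagedString(string plaintextSecret)
    {
        var s = new SecureString();
        foreach (char c in plaintextSecret)
            s.AppendChar(c);
        s.MakeReadOnly();
        return s;
    }

    // Demo with constructed input: encrypt a sample secret locally, then recover it
    // into a SecureString. In a real deployment the ciphertext would come from the
    // secret source and the key from a wrapped-key exchange.
    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);  // constructed key (.NET 6+)
        byte[] iv = RandomNumberGenerator.GetBytes(16);   // constructed IV
        byte[] ciphertext;
        using (var aes = Aes.Create())
        {
            aes.Key = key;
            aes.IV = iv;
            using (var encryptor = aes.CreateEncryptor())
            {
                byte[] sample = Encoding.UTF8.GetBytes("s3cr3t-pässword");  // constructed sample secret
                ciphertext = encryptor.TransformFinalBlock(sample, 0, sample.Length);
                CryptographicOperations.ZeroMemory(sample);
            }
        }

        using (SecureString secure = DecryptToSecureString(key, iv, ciphertext))
        {
            Console.WriteLine($"Recovered {secure.Length} characters into a read-only SecureString");
        }
    }
}
```

Two caveats a practitioner should keep in mind. First, the CryptoStream and the AES transform keep their own block-sized buffers that this code cannot reach; CryptoStream clears its internal buffers on Dispose, which is why the whole decryption runs inside the using blocks. Second, the .NET documentation discourages SecureString for new development, and on non-Windows platforms its contents are not encrypted in memory, so this pattern narrows the window in which plaintext sits on the heap rather than eliminating it.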

1 reaction
danutzplusplus commented, Nov 16, 2018

Also, what’s even more interesting is that the DocumentClient (for cosmosdb) constructor accepts the masterKey as a SecureString. Is there a different way of getting the cosmos masterKey as a SecureString that I’m missing? (from Azure Key Vault, I mean). Not locally via Service Fabric.
