Does Azure's Key Vault support symmetric key encryption?

I would appreciate clarification and advice on the following:

My project requires me to use symmetric data encryption (using AES), in a Node.js environment, to secure data in a database (MongoDB). Ideally, I would like to do this as follows:

Store the symmetric key in Azure Key Vault as a Key, then make 'encrypt' calls to the vault to perform AES encryption on the data with the Key. The encrypted data is sent in the response to my app and then stored in the database in its encrypted form.

I am confused after reading MS Azure's documentation and related blog posts, where some sources claim symmetric key encryption is supported, but there is no official documentation on this.

Can anyone advise whether this is an exhaustive list of all key types and algorithms supported by Azure Key Vault? https://msdn.microsoft.com/en-us/library/azure/dn903623.aspx#BKMK_KeyTypes

It also seems this may be an option (http://www.nuget.org/packages/Microsoft.Azure.KeyVault.extensions), but only for .NET environments. Any love for Node.js?

If indeed symmetric keys/encryption are not currently supported, can anyone offer an alternative to the approach described above?

Thanks and much appreciated.

Grimbal answered 24/1, 2016 at 21:38
Do you mean that you want Azure Key Vault to store the plaintext of the key in the vault, and just respond with AES keys when you make 'encrypt' calls? - Pustule
@Grimbal Was my answer what you were looking for, or did I not understand your question? - Platinocyanide

I agree the documentation/blogs do seem a little confusing on this topic. From my understanding, Key Vault does not currently support symmetric encryption. I believe the closest you can get is storing symmetric keys as secrets and using them outside of the vault.

This article talks about doing that; see the section headed "Use Key Vault secrets".

I understand you're using Node.js and that example is in PowerShell; it is just trying to illustrate symmetric encryption with a secret. Obviously the crypto operations happen outside the vault. So, at rest the keys are more secure, but they do get exposed in memory any time an operation occurs.

Hope that helps.

Here is an example in PowerShell of creating a secret in Key Vault that can be used as a SymmetricKey.

// cloudResolver: a KeyVaultKeyResolver from Microsoft.Azure.KeyVault.Extensions (the .NET
// package linked in the question); the secret's value is returned wrapped as a SymmetricKey
SymmetricKey sec = (SymmetricKey) cloudResolver.ResolveKeyAsync(
    "https://contosokeyvault.vault.azure.net/secrets/TestSecret2/",
    CancellationToken.None).GetAwaiter().GetResult();
Platinocyanide answered 29/1, 2016 at 14:41
