home.social

#keyvault — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #keyvault, aggregated by home.social.

  1. ⚠️ Azure Key Vault + AKS integration gotchas you NEED to know.

    From identity config to network policies — here's how to fix the most common integration failures.

    #Azure #AKS #KeyVault #Kubernetes #CloudSecurity
    🔗 devopstales.github.io/cloud/az

  2. Our company is setting up a #HashiCorp #Vault cluster in #Azure. It's currently set up to use #KeyVault auto-unseal.
    Our SOP for restoring the cluster in case of data corruption or failure is to shut down Vault and delete the data on all the instances, reinitialize on one instance, download a snapshot from Azure Storage to that instance, restore that snapshot with quorum forcing, and bring the other instances back online.
    #SRE #DevOps #DevSecOps (1/3)

  3. 312: Azure Firewall Finally Learns to Spell (FQDN Edition) "This was not the secret you were looking for..." – Azure, after leaking your KeyVault like a broken Death Star exhaust port. Trust in the cloud, you must. But audit your logs, you should. #thecloudpod #KeyVault #episode312 thecloudpod.net/?p=21154

  5. So I've been trying to figure out the answer to a theoretical problem: what would I do if I was in a foreign country and had my phone and laptop seized / stolen?

    I'm not too concerned about the shit on them, but nowadays everything is 2FA. Even my password manager needs second-factor auth on a new device, and the second factor is email which... you guessed it, needs a second factor. I feel like I'm one lost device from disaster.

    How do you go from zero to re-equipped with your logins without access to your own desk and devices?

    Would it be insane to post an encrypted binary blob in like a public git repo? Random webpage? What encryption would be sufficient to confidentially drop an entire password vault, ssh keys, etc. into a public space?

    (Encryption not my area of expertise)

    #2fa #encryption #passwords #keyvault #multifactor #backups #cybersecurity

  6. Now that the for has released v1.0.0, I have updated to it and released v1 of pkg.go.dev/github.com/heaths/a : a cryptography client for Key Vault and that not only makes it easier to call crypto operations but tries to first cache the public key and do public key operations locally to improve performance and help mitigate throttling.

    We have this in our other languages' SDKs but doesn't fit our design goals for , so I wrote it as a separate module.

  7. An upcoming talk by #security #researcher at the #BlackHat conference in August will talk about how attackers can leverage manipulated default guest account settings in #AzureAD, and promiscuous connections in #PowerApps to gain access to corporate #SQL servers, #SharePoint sites, #KeyVault secrets & more via an undocumented #API.

    #infosec #cybersecurity #azure #AzureAD #Entra #cloudsecurity

    https://www.darkreading.com/black-hat/azure-ad-guests-steal-data-microsoft-power-apps

  8. My github.com/heaths/azcrypto module for easy and crypto operations is now feature-complete and at parity with our other languages' crypto libraries. It now supports crypto operations locally using a JWK.

    Not likely to make it into our official azkeys SDK, but written to our same SDK guidelines.

    azkeys will GA soon, and once I upgrade my dependency I plan to GA this module.

  9. I've been working on a "business adjacent" project - as many of mine are - but for something that may one day be part of our for . Regardless of whether it gets included, I want it to feel like a first-party experience when used with our other client libraries. Given I'm part of the team, I'm coining(?) the phrase, "first-ex parte".

    See github.com/heaths/azcrypto for a cryptography client for or . It's basically the same as we have in other languages.

  10. How to secure a Function App?

    Secure operation

    ➡️Defender for Cloud for assessment of potential configuration-related security vulnerabilities

    ➡️Log and monitor: diagnostic settings to configure streaming export of platform logs and metrics

    ➡️Require HTTPS

    ➡️Securing keys with Azure Key Vault

    ➡️Enable App Service Authentication/Authorization

    ➡️Use Azure API Management (APIM) to authenticate requests

    ➡️Run your function app with the lowest possible permissions

    ➡️Store data encrypted

    Secure deployment

    ➡️Disable FTP

    ➡️Secure the SCM endpoint

    Network security

    ➡️Set access restrictions

    ➡️Secure the storage account

    ➡️Private site access with Azure Private Endpoint

    ➡️Deploy your function app in isolation configuring a Web Application Firewall (WAF) for App Service Environment.

    More details: learn.microsoft.com/en-us/azur

    #security #azure #cloud #data #management #streaming #functionapp #serverless #waf #appservice #privateendpoint #networksecurity #securedeployment #apim #ftp #keyvault #key #vulnerability #assessment #misconfiguration #encryption #storage #storageaccount #defender #defenderforcloud #cnapp #cspm #cwpp #microsoft #microsoftsecurity #cloudsecurity #cloudnative #siem #monitoring #soc

  12. Full and support is now available in github.com/heaths/azcrypto for . I'm considering AES support, but still researching AES in . The APIs I'm familiar with in are significantly different so it may be a while, and AES is limited to anyway.

  13. Since the for 's philosophy is thin, mostly generated clients - which I don't disagree with - I built a client atop it much like I helped drive in our other SDK languages and wrote for the SDK for .NET: github.com/heaths/azcrypto

    It's very early in development right now - supporting only sign and verify - but is an MVP enough to get some feedback from my team or anyone else who may be interested.
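The design posts 6 and 13 describe, cache the public key and run public-key operations locally while private-key operations stay in the service, as an added illustration in Go that is not azcrypto's or the Azure SDK's code. RemoteKey, Client, fakeVault and Demo are assumptions made for this example (a real client would put the service's key client behind RemoteKey); the JWK fields and the 64-byte r||s signature layout follow the JWS conventions Key Vault uses for ES256. The line to watch is Demo's return: a thousand verifies cost one GetKey and one Sign, which is where the throttling relief comes from.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// RemoteKey is a hypothetical narrow view of a vault key: GetKey returns the
// public JWK, Sign performs the private-key operation inside the service.
type RemoteKey interface {
	GetKey(ctx context.Context) ([]byte, error)
	Sign(ctx context.Context, digest []byte) ([]byte, error)
}

// Client does public-key work locally from a cached JWK and forwards private-key
// work to the service, so only Sign spends a round trip against its rate limits.
type Client struct {
	remote RemoteKey
	pub    *ecdsa.PublicKey // not goroutine-safe; guard with sync.Once in real code
}

// parseP256JWK decodes an EC/P-256 public JWK; elliptic.Unmarshal rejects
// wrong-length and off-curve coordinates, so an invalid-curve key is never cached.
func parseP256JWK(raw []byte) (*ecdsa.PublicKey, error) {
	var k map[string]any
	if err := json.Unmarshal(raw, &k); err != nil {
		return nil, err
	}
	if k["kty"] != "EC" || k["crv"] != "P-256" {
		return nil, errors.New("unsupported key type")
	}
	dec := func(name string) []byte { // base64url coordinate; garbage ends up the wrong length
		s, _ := k[name].(string)
		b, _ := base64.RawURLEncoding.DecodeString(s)
		return b
	}
	x, y := elliptic.Unmarshal(elliptic.P256(), append(append([]byte{4}, dec("x")...), dec("y")...))
	if x == nil {
		return nil, errors.New("invalid P-256 point")
	}
	return &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, nil
}

// Sign always goes to the service: the private key never leaves the vault.
func (c *Client) Sign(ctx context.Context, digest []byte) ([]byte, error) {
	return c.remote.Sign(ctx, digest)
}

// Verify checks an ES256 signature (JWS r||s encoding) locally, fetching and
// parsing the public JWK only on the first call.
func (c *Client) Verify(ctx context.Context, digest, sig []byte) (bool, error) {
	if len(sig) != 64 {
		return false, errors.New("ES256 signature must be 64 bytes (r||s)")
	}
	if c.pub == nil {
		raw, err := c.remote.GetKey(ctx)
		if err == nil {
			c.pub, err = parseP256JWK(raw)
		}
		if err != nil {
			return false, err
		}
	}
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	return ecdsa.Verify(c.pub, digest, r, s), nil
}

// fakeVault stands in for the service: it holds the private key and counts
// round trips so the effect of caching is measurable.
type fakeVault struct {
	priv                   *ecdsa.PrivateKey
	GetKeyCalls, SignCalls int
}

func (f *fakeVault) GetKey(context.Context) ([]byte, error) {
	f.GetKeyCalls++
	enc := func(n *big.Int) string { return base64.RawURLEncoding.EncodeToString(n.FillBytes(make([]byte, 32))) }
	return json.Marshal(map[string]any{"kty": "EC", "crv": "P-256", "x": enc(f.priv.X), "y": enc(f.priv.Y)})
}

func (f *fakeVault) Sign(_ context.Context, digest []byte) ([]byte, error) {
	f.SignCalls++
	r, s, err := ecdsa.Sign(rand.Reader, f.priv, digest)
	if err != nil {
		return nil, err
	}
	return append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...), nil
}

// Demo signs once, verifies n times, then verifies a tampered digest; the fake
// service sees exactly one GetKey and one Sign regardless of n.
func Demo(n int) (valid, tamperedValid bool, getKeyCalls, signCalls int, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	vault, ctx := &fakeVault{priv: priv}, context.Background()
	client := &Client{remote: vault}
	digest := sha256.Sum256([]byte("constructed message"))
	sig, err := client.Sign(ctx, digest[:])
	for i := 0; i < n && err == nil; i++ {
		valid, err = client.Verify(ctx, digest[:], sig)
	}
	if err == nil {
		bad := sha256.Sum256([]byte("tampered message"))
		tamperedValid, err = client.Verify(ctx, bad[:], sig)
	}
	return valid, tamperedValid, vault.GetKeyCalls, vault.SignCalls, err
}

func main() { fmt.Println(Demo(1000)) } // true false 1 1 <nil>
```

Two things a production cache needs that this one skips: it must be keyed by key version, not key name, so a rotation does not leave stale material in use (Key Vault keys are versioned), and it must hold only the public half, so a JWK carrying a private "d" field should be rejected rather than cached.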

  14. TIL: #Azure #LogicApps (used for automations in the #Sentinel #SIEM system) will log all inputs and outputs in plaintext, including if you pull secrets from #KeyVault. To prevent this, go to the settings of the block and set the inputs/outputs to secure (also do this for any block that consumes sensitive information).

    Why this isn't the default for a function whose sole purpose is to pull sensitive information from a Vault, I don't know. At least the affected key was easy enough to rotate.