What is the difference between Keys and Secrets in Azure Key Vault?

Good to know.

A very simple answer:

Key

A cryptographic key represented as a JWK (JSON Web Key)

Example: store a .pfx certificate file that contains a pair of public & private keys

Secret

KV accepts any value and stores it as binary (there is a maximum size limit)

Example: A password or API key

Further reading

Key Vault Keys:

Keys ('cryptographic keys') in Azure Key Vault are used to encrypt information without releasing the private key to the consumer (users\Service). It acts like a black box that encrypts and decrypts content using the RSA algorithm.

The RSA algorithm involves a public key and a private key. The public key is known to everyone; it is used to encrypt messages. Messages encrypted with the public key can only be decrypted using the private key.

Scenario:

Assume you have to store the customer's credit card. The secure way to keep it in your DB is to store it encrypted. During the software design and business requirements it is perfectly clear that you should encrypt it; what most people don't realize, or don't bother with, is how you protect your encryption keys. Most of the time they are stored as part of your software configuration, and if an attacker or employee has access to the key, the information is not secure anymore.

Using Key Vault keys, you could send the credit card information to Key Vault, and it will encrypt the information and return the encrypted value to the caller. In high-performance scenarios, you could get the public key from Key Vault, use it to encrypt the information on the application side, and store it in the DB already encrypted without sending the data to KV. The only way to get the real data back would be sending the encrypted data to KV, where it will return the decrypted credit card.

Key Vault Secrets

Secrets in Azure Key Vault are octet sequences with a maximum size of 25kb each. They are described as octets because Key Vault does not care about the type of data stored; the only restriction is the 25kb size. Once you send the data, it is encrypted and stored, and you can retrieve it at any time if you have permission. It is used to store application settings, tokens, and information such as database connection strings and passwords.

The good side of Key Vault Secrets is that you can use pre-defined rotation values by defining the Expiration/NotBefore values. So you could register temporary values that will be rotated at specified periods; while the reader has access to the Key Vault with Get permission, they will be able to read the current ones only, while the future ones are already defined and not visible to the Get operation.

Azure Key Vault (KV) can store 3 types of items: (1) secrets, (2) keys, & (3) certificates (certs).

  1. Secrets - provide secure storage of secrets such as DB connection strings, account keys, or passwords for PFX (private key) files. An authorized application can retrieve secrets for use in its operation. More about AZ KV Secrets

  2. (Cryptographic) Keys - keys represented as JWK (JSON Web Key). Multiple key types and algorithms are supported, and Hardware Security Modules (HSM) can be used for high-value keys. More about AZ KV Keys

  3. Certs - a managed X.509 certificate, which is built on top of keys and secrets and adds an automated renewal/auto-rollover feature. More about AZ KV Certificate