Securely storing OAuth tokens in Azure

I'm building a service that lets users sign in with different identity providers. Once a user has authenticated with a provider, I need to store the token so that I can make calls on their behalf.

My question is about storing this token securely in Azure.

I think the best candidates are:

  1. Store the token in Azure SQL using Always Encrypted, with the encryption key kept in Azure Key Vault.
  2. Store the token as a secret in Azure Key Vault.

Am I missing any other options for storing tokens securely? Any recommendations on which approach is better?

You can reduce the attack surface by storing the token directly in Key Vault as a secret.

You may also have other applications that need access to the SQL instance but don't need access to Key Vault, so network access to Key Vault can be locked down more tightly than to your SQL server.

What about Azure SQL Information Protection? It can be managed from the Azure portal and is very flexible. You can even monitor your tables and grant specific permissions on tables: https://azure.microsoft.com/nl-nl/blog/information-security-policy-in-asc/

But for your case, I think Key Vault is the best choice, since it was built for this purpose.

It's worth noting Key Vault's service limits:

Secrets, managed storage account keys, and vault transactions: 2,000 maximum transactions allowed in 10 seconds, per vault per region

The subscription-wide limit for all transaction types is five times the per-key-vault limit. For example, HSM-other transactions per subscription are limited to 5,000 transactions in 10 seconds per subscription.

Details can be found here: Azure Key Vault service limits

Depending on your scalability goals, you may also want to consider Cosmos DB:

Cosmos DB isn't cheap, but it scales very well and supports encryption at rest.

Encryption at rest is a phrase that commonly refers to the encryption of data on nonvolatile storage devices, such as solid state drives (SSDs) and hard disk drives (HDDs). Cosmos DB stores its primary databases on SSDs. Its media attachments and backups are stored in Azure Blob storage, which is generally backed up by HDDs. With the release of encryption at rest for Cosmos DB, all your databases, media attachments, and backups are encrypted. Your data is now encrypted in transit (over the network) and at rest (nonvolatile storage), giving you end-to-end encryption.

As a PaaS service, Cosmos DB is very easy to use. Because all user data stored in Cosmos DB is encrypted at rest and in transport, you don't have to take any action. Another way to put this is that encryption at rest is "on" by default. There are no controls to turn it off or on. Azure Cosmos DB uses AES-256 encryption on all regions where the account is running. We provide this feature while we continue to meet our availability and performance SLAs.

https://docs.microsoft.com/en-us/azure/cosmos-db/database-encryption-at-rest