Azure Key Vault provides a secure storage solution for sensitive information such as cryptographic keys, secrets, and certificates. Key rotation is a key management feature in Azure Key Vault that allows you to periodically replace (rotate) cryptographic keys, which is essential for maintaining security best practices and protecting against key compromise.
This guide will help you understand key rotation in Azure Key Vault, including its functions, features, and steps for manual rotation as well as an automated approach using Azure Functions.
1. Overview of Azure Key Vault Key Rotation
What is Key Rotation?
Key rotation is the process of periodically replacing a cryptographic key with a new version while ensuring that applications continue to operate without interruption. Regular key rotation limits the amount of data exposed if a key is compromised and adheres to best security practices.
Key Benefits and Features
- Enhanced Security: Rotating keys reduces the risk of exposure if a key is compromised.
- Compliance: Many security standards require regular key rotation (e.g., PCI-DSS, HIPAA).
- Automatic Key Versioning: Each rotated key in Azure Key Vault is saved as a new version, preserving previous key versions.
- Scheduled and Manual Rotation: You can configure automatic rotation with Key Vault policies or manually rotate keys on demand.
2. Creating a Key in Azure Key Vault
Before rotating a key, let’s first create one in Azure Key Vault.
Step-by-Step: Creating a Key
- Navigate to Key Vault in the Azure Portal:
- Go to the Azure Portal.
- Search for Key Vaults and select your Key Vault instance.
- Add a New Key:
- In the left panel, select Keys > + Generate/Import.
- Fill in the following details:
- Name: Choose a name for the key (e.g., MyEncryptionKey).
- Key Type: Select RSA or EC (Elliptic Curve).
- Key Size: Choose an appropriate size (e.g., 2048 bits for RSA).
- Activation Date: Set the key’s start date (optional).
- Expiration Date: Set an expiration date (optional).
- Create Key:
- Click Create to generate and store the key in Azure Key Vault.
3. Configuring Key Rotation in Azure Key Vault
You can configure key rotation either manually or using automated methods.
Manual Key Rotation
In a manual rotation, you rotate the key by creating a new version of it whenever required. Manual rotation is useful if you want complete control over the timing of key updates.
Step-by-Step Guide to Manually Rotate a Key
- Go to Key Vault in the Azure Portal:
- Open your Key Vault instance and select Keys.
- Select the Key to Rotate:
- Click on the key you created (e.g., MyEncryptionKey).
- You’ll see a list of all versions under Current Version.
- Generate a New Version:
- Click + New Version.
- Specify settings for the new version (key size, expiration date, etc.) if different from the original.
- Click Create to generate the new version.
- Update Application to Use the New Version:
- After rotation, make sure every application that uses this key picks up the new version. An application that references the key by name only (without a version identifier) receives the latest version on its next retrieval; an application that pins a specific version must be updated explicitly.
Example of Key Usage in Code
from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient
# Configure Azure Key Vault and Key
vault_url = "https://<your-key-vault-name>.vault.azure.net"
credential = DefaultAzureCredential()
key_client = KeyClient(vault_url=vault_url, credential=credential)
# Retrieve the latest version of the key by using the key name only
key = key_client.get_key("MyEncryptionKey")
print("Using key:", key.name, "Version:", key.properties.version)
Monitoring Key Rotation
- Enable Azure Monitor:
- In Key Vault > Diagnostics settings, enable logging and send logs to Log Analytics or Azure Monitor.
- You can track key usage and set alerts for activities like key access, rotation, and expiration.
- Set Up Alerts for Expiration:
- In Azure Monitor, set up an alert to notify you if a key is close to its expiration date. This helps you plan manual rotations.
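As an added example (not part of the original guide), the following Python reads constructed sample lines shaped like Key Vault AuditEvent diagnostic records (a simplified field set, not a real export) and derives the signals the alerts above are meant to surface: how long ago each key was last rotated, which key versions were created by an identity other than the rotation automation, and which operations failed. The field names operationName, resultType, callerIpAddress, identity.claim.oid and properties.id follow the Key Vault log schema; the vault name, object ids, IP addresses, timestamps and the 30-day threshold are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample records, shaped like the JSON lines that Key Vault AuditEvent
# diagnostic logs produce, reduced to the fields this check reads. Not a real export.
SAMPLE_LOG_LINES = [
    '{"time":"2024-04-01T00:00:03Z","operationName":"KeyCreate","resultType":"Success",'
    '"callerIpAddress":"10.0.0.4","identity":{"claim":{"oid":"1111-func"}},'
    '"properties":{"id":"https://contoso-kv.vault.azure.net/keys/MyEncryptionKey/aaa111"}}',
    '{"time":"2024-05-01T00:00:02Z","operationName":"KeyCreate","resultType":"Success",'
    '"callerIpAddress":"10.0.0.4","identity":{"claim":{"oid":"1111-func"}},'
    '"properties":{"id":"https://contoso-kv.vault.azure.net/keys/MyEncryptionKey/bbb222"}}',
    # a person, not the rotation function, creating a version from outside the VNet
    '{"time":"2024-05-10T13:22:41Z","operationName":"KeyCreate","resultType":"Success",'
    '"callerIpAddress":"203.0.113.9","identity":{"claim":{"oid":"9999-user"}},'
    '"properties":{"id":"https://contoso-kv.vault.azure.net/keys/MyEncryptionKey/ccc333"}}',
    # a key nobody has rotated for months
    '{"time":"2024-01-15T09:00:00Z","operationName":"KeyCreate","resultType":"Success",'
    '"callerIpAddress":"10.0.0.4","identity":{"claim":{"oid":"1111-func"}},'
    '"properties":{"id":"https://contoso-kv.vault.azure.net/keys/LegacyKey/ddd444"}}',
    '{"time":"2024-05-12T10:00:00Z","operationName":"KeyGet","resultType":"Success",'
    '"callerIpAddress":"10.0.0.5","identity":{"claim":{"oid":"2222-app"}},'
    '"properties":{"id":"https://contoso-kv.vault.azure.net/keys/MyEncryptionKey/ccc333"}}',
    # a denied operation from an identity that has no business with this key
    '{"time":"2024-05-13T02:14:00Z","operationName":"KeyDecrypt","resultType":"Failure",'
    '"callerIpAddress":"198.51.100.7","identity":{"claim":{"oid":"3333-unknown"}},'
    '"properties":{"id":"https://contoso-kv.vault.azure.net/keys/MyEncryptionKey/ccc333"}}',
]

ROTATION_MAX_AGE = timedelta(days=30)  # assumed policy: a key version older than this is overdue


def _parse_time(value: str) -> datetime:
    """Key Vault log timestamps are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _key_name(key_id: str) -> str:
    """Extract the key name from an identifier of the form https://<vault>/keys/<name>/<version>."""
    parts = urlparse(key_id).path.strip("/").split("/")
    if len(parts) < 2 or parts[0] != "keys":
        raise ValueError(f"not a key identifier: {key_id}")
    return parts[1]


def analyze_key_vault_logs(lines, now, expected_rotators, max_age=ROTATION_MAX_AGE):
    """Summarise AuditEvent lines into the findings an alert rule would act on.

    rotation_age_days  - days since the last successful KeyCreate, per key
    overdue            - keys whose last KeyCreate is older than max_age
    unexpected_creates - KeyCreate events whose caller oid is not in expected_rotators
    failures           - (oid, caller ip, operation, key) for every non-Success record
    """
    last_create = {}
    unexpected = []
    failures = []
    for line in lines:
        rec = json.loads(line)
        op = rec.get("operationName")
        ts = _parse_time(rec["time"])
        oid = rec.get("identity", {}).get("claim", {}).get("oid", "")
        name = _key_name(rec["properties"]["id"])
        if rec.get("resultType") != "Success":
            failures.append((oid, rec.get("callerIpAddress"), op, name))
            continue
        if op == "KeyCreate":
            # keep the newest create per key regardless of the order lines arrive in
            if name not in last_create or ts > last_create[name]:
                last_create[name] = ts
            if oid not in expected_rotators:
                unexpected.append((rec["time"], name, oid, rec.get("callerIpAddress")))
    ages = {name: (now - ts).days for name, ts in last_create.items()}
    overdue = sorted(name for name, ts in last_create.items() if now - ts > max_age)
    return {"rotation_age_days": ages, "overdue": overdue,
            "unexpected_creates": unexpected, "failures": failures}


def demo():
    """Run the check over the constructed lines with a fixed reference time."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time
    return analyze_key_vault_logs(SAMPLE_LOG_LINES, now, expected_rotators={"1111-func"})
```

In practice the same logic is easier to express as a KQL query over the AzureDiagnostics table once the diagnostic setting routes the logs to Log Analytics, but the three signals are the ones worth alerting on: the age check catches rotations that silently stopped, the actor check catches key versions created outside the automation, and the failure list shows who is probing keys they cannot use.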
4. Automating Key Rotation Using Azure Functions
Azure Functions can automate the key rotation process by generating new versions of a key at specified intervals. This is especially useful for applications requiring regular rotation without manual intervention.
Step-by-Step Guide to Automate Key Rotation with Azure Functions
Step 1: Set Up the Azure Function App
- Create a Function App:
- In the Azure portal, go to Create a resource > Compute > Function App.
- Enter a name, select the runtime stack (e.g., Python or C#), and configure other settings.
- Click Create.
- Set Up the Function App’s Identity:
- In your Function App, go to Identity under Settings.
- Enable System-assigned managed identity. This identity will be used to access Key Vault securely.
- Grant the Function Access to Key Vault:
- Go to your Key Vault > Access policies > + Add Access Policy.
- Grant Key Management permissions (e.g., create, get, list) to the Function App’s managed identity.
- Save the policy.
Step 2: Create the Key Rotation Function
- Create a Timer-Triggered Function:
- In your Function App, go to Functions > + Add.
- Select Timer trigger to trigger the function periodically (e.g., every month).
- Set the timer in CRON expression format, for example, 0 0 0 1 * * for monthly rotation (midnight on the first day of every month).
- Add Code to Rotate the Key:
Here’s a Python example of an Azure Function that generates a new key version:
import logging
import azure.functions as func
from azure.identity import DefaultAzureCredential
from azure.keyvault.keys import KeyClient

# Connect to Key Vault
vault_url = "https://<your-key-vault-name>.vault.azure.net"
credential = DefaultAzureCredential()  # resolves to the Function App's managed identity when deployed
key_client = KeyClient(vault_url=vault_url, credential=credential)

def main(mytimer: func.TimerRequest) -> None:
    # Define the key to rotate
    key_name = "MyEncryptionKey"
    # Rotate by creating a new version
    logging.info(f"Rotating key: {key_name}")
    new_key = key_client.create_rsa_key(key_name, size=2048)
    # Log the new key version and expiration date
    logging.info(f"New key version created: {new_key.properties.version}")
    expiration = new_key.properties.expires_on
    logging.info(f"Key expiration date: {expiration}")
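The function above creates a new version on every run and leaves the new version without an expiration date. As an added example (not code from the original guide or from the Azure SDK), the following Python wraps the same create-a-new-version step with two checks a rotation job usually needs: it rotates only when the current version has reached the rotation interval, and it stamps each new version with a bounded lifetime so a job that stops running shows up as an expiry alert rather than going unnoticed. It assumes a client with the get_key and create_rsa_key methods of azure.keyvault.keys.KeyClient; the 30-day interval, 90-day lifetime, tag names and the in-memory FakeKeyClient used for the offline walk-through are assumptions.

```python
import logging
import types
from datetime import datetime, timedelta, timezone
from typing import Optional

logger = logging.getLogger(__name__)

# Policy values for this example (assumed; align them with your compliance requirement).
ROTATION_INTERVAL = timedelta(days=30)  # rotate once the current version is this old
VERSION_LIFETIME = timedelta(days=90)   # each new version expires after this, leaving a grace window


def rotation_due(created_on: Optional[datetime], now: datetime,
                 interval: timedelta = ROTATION_INTERVAL) -> bool:
    """True when the current version is at least `interval` old.

    An unknown creation time counts as due: an extra rotation is cheaper than a skipped one.
    """
    return created_on is None or now - created_on >= interval


def rotate_if_due(key_client, key_name: str, now: Optional[datetime] = None,
                  interval: timedelta = ROTATION_INTERVAL,
                  lifetime: timedelta = VERSION_LIFETIME):
    """Create a new RSA version of `key_name` only if the current one is due.

    `key_client` must offer `get_key` and `create_rsa_key` with the signatures of
    azure.keyvault.keys.KeyClient. Returns the new key, or None when nothing was done.
    Earlier versions are left enabled so data encrypted or signed with them stays usable.
    """
    now = now or datetime.now(timezone.utc)
    current = key_client.get_key(key_name)  # no version argument: the latest version
    props = current.properties
    if not rotation_due(props.created_on, now, interval):
        logger.info("Key %s version %s is not due for rotation", key_name, props.version)
        return None
    new_key = key_client.create_rsa_key(
        key_name,
        size=2048,
        expires_on=now + lifetime,  # bounded lifetime: a missed run surfaces as an expiry alert
        tags={"rotated_by": "timer-function", "previous_version": props.version or ""},
    )
    logger.info("Rotated %s: %s -> %s, expires %s", key_name, props.version,
                new_key.properties.version, new_key.properties.expires_on)
    return new_key


def main(mytimer) -> None:
    """Azure Functions timer entry point; SDK imports are local so the module loads offline."""
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.keys import KeyClient
    client = KeyClient(vault_url="https://<your-key-vault-name>.vault.azure.net",
                       credential=DefaultAzureCredential())
    rotate_if_due(client, "MyEncryptionKey")


class FakeKeyClient:
    """In-memory stand-in exposing the two KeyClient methods used above.

    Constructed for the offline walk-through only; in the Function, pass a real KeyClient.
    """

    def __init__(self, first_created_on: datetime, clock: datetime):
        self.clock = clock
        self.versions = [self._make("v1", first_created_on, None, {})]

    @staticmethod
    def _make(version, created_on, expires_on, tags):
        props = types.SimpleNamespace(version=version, created_on=created_on,
                                      expires_on=expires_on, tags=tags, enabled=True)
        return types.SimpleNamespace(name="MyEncryptionKey", properties=props)

    def get_key(self, name, version=None):
        return self.versions[-1]

    def create_rsa_key(self, name, size=2048, expires_on=None, tags=None, **kwargs):
        key = self._make(f"v{len(self.versions) + 1}", self.clock, expires_on, tags or {})
        self.versions.append(key)
        return key


def demo():
    """A 45-day-old version is rotated; the fresh version is left alone on the next run."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed clock
    client = FakeKeyClient(first_created_on=now - timedelta(days=45), clock=now)
    first = rotate_if_due(client, "MyEncryptionKey", now=now)
    second = rotate_if_due(client, "MyEncryptionKey", now=now)
    return {
        "rotated_first": first is not None,
        "rotated_second": second is not None,
        "version_count": len(client.versions),
        "new_expiry_days": (first.properties.expires_on - now).days,
        "previous_version": first.properties.tags["previous_version"],
    }
```

Rotating a key in Key Vault does not re-encrypt data: ciphertext and signatures produced with an older version still need that version, so the helper never disables previous versions, and the previous_version tag records which version a new one superseded. The timer schedule can then run more often than the rotation interval (daily, for instance) without producing a new version each time, which also means a missed run is caught on the next one.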
Step 3: Deploy and Monitor the Function
- Test the Function:
- Manually run the function from the Azure portal to ensure it creates a new key version.
- Set Up Monitoring and Alerts:
- Use Azure Monitor to track function execution and set alerts for failed executions.
- Review logs to confirm that the function runs on schedule and successfully rotates the key.
5. Additional Best Practices for Key Management
- Enable Key Expiry Alerts: Set up alerts for key expiration so that you can rotate keys before they expire.
- Use Separate Keys for Different Environments: For example, have separate keys for development, testing, and production environments to prevent accidental exposure of sensitive data.
- Audit Key Usage: Regularly review access logs to monitor who accessed or attempted to access your keys. This is essential for compliance and security.
Summary of Key Rotation in Azure Key Vault
Azure Key Vault’s key rotation feature helps maintain security by periodically replacing cryptographic keys. You can either manually rotate keys or automate the rotation process with Azure Functions, depending on your requirements. This ensures that your application keys remain secure and compliant with industry standards.
Key Takeaways:
- Manual Key Rotation: Provides control over when to rotate a key but requires ongoing attention.
- Automated Key Rotation with Azure Functions: Enables scheduled rotation, reducing the risk of forgotten rotations and expired keys.
- Monitoring and Alerts: Essential for tracking key usage and expiration, helping to detect potential security issues.
With Azure Key Vault’s rotation features, you can keep your keys secure, avoid key compromise, and stay compliant with security standards.
