Azure Key Vault Encryption

Protect Secrets Manager connection details with Azure Key Vault Keys

Keeper Secrets Manager integrates with Azure Key Vault in order to provide encryption for Keeper Secrets Manager configuration files. With this integration, you can protect connection details on your machine while taking advantage of Keeper's zero-knowledge encryption of all your secret credentials.

Features

Encrypt and Decrypt your Keeper Secrets Manager configuration files with Azure Key Vault.
Protect against unauthorized access to your Secrets Manager connections.
Requires only minor changes to code for immediate protection. Works with all Keeper Secrets Manager SDK functionality.
Supports RSA Asymmetric keys from Azure.

Prerequisites

Supports the Java/Kotlin Secrets Manager SDK.
Requires Azure packages: azure-identity and azure-keyvault-keys.
Works with just RSA key types with WrapKey and UnWrapKey permissions.

Setup

1. Install Module

Setting up project using Gradle or Maven

Gradle

repositories {
  mavenCentral()
}

dependencies {
  implementation("com.keepersecurity.secrets-manager:azurekv:1.0.0")
  implementation("com.keepersecurity.secrets-manager:core:17.1.1")
  implementation("com.azure:azure-identity:1.18.1")
  implementation("com.azure:azure-security-keyvault-keys:4.10.4")
  implementation("com.fasterxml.jackson.core:jackson-databind:2.18.2")
  implementation("com.fasterxml.jackson.core:jackson-core:2.18.2")
  implementation("com.google.code.gson:gson:2.12.1")
  implementation("org.slf4j:slf4j-api:1.7.32"){
        exclude("org.slf4j:slf4j-log4j12")
    }
  implementation("ch.qos.logback:logback-classic:1.2.6")
  implementation("ch.qos.logback:logback-core:1.2.6")
  implementation("org.bouncycastle:bc-fips:2.1.1")
}

Maven

<!-- KMS-core -->
 <dependency>
     <groupId>com.keepersecurity.secrets-manager</groupId>
     <artifactId>azurekv</artifactId>
     <version>1.0.0</version>
</dependency>
<dependency>
     <groupId>com.keepersecurity.secrets-manager</groupId>
     <artifactId>core</artifactId>
     <version>17.1.1</version>
 </dependency>

 <!-- Azure-identity -->
   <dependency>
       <groupId>com.azure</groupId>
       <artifactId>azure-identity</artifactId>
       <version>1.18.1</version>
        <scope>compile</scope>
   </dependency>
  <!-- Azure-keyvault -->
   <dependency>
       <groupId>com.azure</groupId>
       <artifactId>azure-security-keyvault-keys</artifactId>
       <version>4.10.4</version>
   </dependency>
      	
   <!--gson -->
   <dependency>
   	<groupId>com.google.code.gson</groupId>
   	<artifactId>gson</artifactId>
   	<version>2.12.1</version>
   </dependency>

   <!--jackson-core -->
   <dependency>
   	<groupId>com.fasterxml.jackson.core</groupId>
   	<artifactId>jackson-core</artifactId>
   	<version>2.18.2</version>
   </dependency>
   	
   <!--jackson-databind -->
   <dependency>
   	<groupId>com.fasterxml.jackson.core</groupId>
   	<artifactId>jackson-databind</artifactId>
   	<version>2.18.2</version>
   </dependency>
   <!-- slf4j-api -->
	<dependency>
	   <groupId>org.slf4j</groupId>
	   <artifactId>slf4j-api</artifactId>
	   <version>1.7.32</version>
	   <scope>runtime</scope>
	</dependency>	
  <!-- logback-classic -->
   <dependency>
	<groupId>ch.qos.logback</groupId>
	<artifactId>logback-classic</artifactId>
	<version>1.2.6</version>
	<scope>compile</scope>
  </dependency>
<!-- logback-core -->
   <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-core</artifactId>
      <version>1.2.6</version>
      <scope>compile</scope>
   </dependency>  	
   <!-- bc-fips -->
   <dependency>
   	<groupId>org.bouncycastle</groupId>
   	<artifactId>bc-fips</artifactId>
   	<version>2.1.1</version>
   </dependency>

The Secrets Manager Storage module can be installed using pip:

pip3 install keeper-secrets-manager-storage

The Azure backend requires three additional packages:

pip3 install azure-identity azure-keyvault-keys pycryptodomex

The Secrets Manager KSM modules are located in the Keeper Secrets Manager storage module which can be installed using dotnet

dotnet add package Keeper.SecretsManager.AzureKeyVault

2. Configure Azure Key Vault Connection

Ensure that you have an Azure Key Vault instance available. The following parameters are needed to connect to Azure Key Vault: AZURE_TENANT_ID: The Microsoft Entra tenant (directory) ID.

AZURE_CLIENT_ID: The client (application) ID of an App Registration in the tenant.

AZURE_CLIENT_SECRET: A client secret that was generated for the App Registration.

You will need an Azure App directory App to use the Azure Key Vault integration.

For more information on Azure App Directory App registration and Permissions see the Azure documentation:

https://learn.microsoft.com/en-us/azure/key-vault/general/authentication

3. Add Azure Key Vault Storage to Your Code

Once the Azure connection has been configured, you can use Azure Key Vault to encrypt and decrypt KSM configurations. Tell the Secrets Manager SDK to utilize Key Vault as storage.

Using Azure Key Vault Integration

Once setup, the Secrets Manager Azure Key Vault integration supports all Secrets Manager SDK functionality. Your code will need to be able to access the Azure Keys in order to manage the encryption and decryption of the KSM configuration file. Using Specified Connection credentials

To do this, create AzureKeyValueStorage instance and use this in SecretManagerOptions constructor.

The AzureKeyValueStorage will require the name of the Secrets Manager configuration file with azure_key_id , azure_keyvault_URL and configuration.

import java.security.Security;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import static com.keepersecurity.secretsManager.core.SecretsManager.initializeStorage;
import com.keepersecurity.secretmanager.azurekv.AzureKeyValueStorage;
import com.keepersecurity.secretmanager.azurekv.AzureSessionConfig;
import com.keepersecurity.secretsManager.core.SecretsManagerOptions;


class Test {
	public static void main(String args[]){
		String oneTimeToken = "[One_Time_Token]";
		String keyId = "https://<vault-name>.vault.azure.net/keys/<keyname>/<keyversion>";
		String configFileLocation="<KSM-client-config.json>";
		String azTenantId = "<azure-tenant-id>";
		String azClientId = "<azure-client-id>";
		String azClientSecret = "<azure-client-secret>";
		String keyVaultUrl = "https://<vault-name>.vault.azure.net/";
		Security.addProvider(new BouncyCastleFipsProvider());
		try{
			//set azure KV configuration, 
			AzureSessionConfig azConfig= new AzureSessionConfig(azTenantId, azClientId, azClientSecret, keyVaultUrl);
			//Get Storage 
			AzureKeyValueStorage azkvstorage =  AzureKeyValueStorage.getInternalStorage(keyId, configFileLocation, azConfig);
			initializeStorage(azkvstorage, oneTimeToken);
			SecretsManagerOptions options = new SecretsManagerOptions(azkvstorage);
			//getSecrets(options)
		}catch (Exception e) {
			System.out.println(e.getMessage());
		}
	}
}

To do this, use AzureKeyValueStorage as your Secrets Manager storage in the SecretsManager constructor.

The storage will require an Azure Key ID, as well as the name of the Secrets Manager configuration file which will be encrypted by Azure Key Vault.

import { getSecrets, initializeStorage } from '@keeper-security/secrets-manager-core';
import { AzureKeyValueStorage, AzureSessionConfig, LoggerLogLevelOptions } from '@keeper-security/secrets-manager-azure';

const getKeeperRecords = async () => {
    const tenantId = '<tenant_id>';
    const clientId = '<client_id>';
    const clientSecret = '<client_secret>';
    const azureSessionConfig = new AzureSessionConfig(tenantId, clientId, clientSecret);

    const configPath = '<path to ksm-client-config.json>';
    const logLevel = LoggerLogLevelOptions.info;

    // oneTimeToken is used only once to initialize the storage
    // after the first run, subsequent calls will use the config file
    const oneTimeToken = '<One Time Token>';

    const keyId = 'https://<vault_name>.vault.azure.net/keys/<key_name>/<version>';
    const storage = await new AzureKeyValueStorage(keyId, configPath, azureSessionConfig, logLevel).init();
    await initializeStorage(storage, oneTimeToken);

    const { records } = await getSecrets({ storage });
    console.log(records);
};
getKeeperRecords();

To do this, use AzureKeyValueStorage as your Secrets Manager storage in the SecretsManager constructor as config along with a token.

The storage will require a Azure Key ID, as well as the location of the Secrets Manager configuration file which will be encrypted by Azure-KSM Integration and Azure session configuration as shown below.

Upgrading from v1.0.x? v1.1.0 includes these behavioral changes:

AES-GCM nonce corrected from 16 to 12 bytes per NIST SP 800-38D. Existing encrypted configs remain readable.
decrypt_config() now defaults to autosave=False — call decrypt_config(autosave=True) to preserve the previous behavior.
Encrypt and decrypt failures now raise exceptions instead of silently corrupting storage state.
Corrupt or non-UTF8 config files now raise "is not a valid encrypted config file" instead of leaking JSONDecodeError.
Config writes are now atomic (write-then-rename), so a failed write no longer truncates the existing config to zero bytes.
delete_all() now removes the encrypted config file from disk instead of writing an empty encrypted blob.
AzureKeyValueStorage is now thread-safe for concurrent reads and writes.

from keeper_secrets_manager_storage.storage_azure_keyvault import AzureSessionConfig, AzureKeyValueStorage
from keeper_secrets_manager_core import SecretsManager

tenant_id = "<Tenant_ID>"
client_id = "<CLIENT_ID>"
client_secret = "<CLIENT_SECRET>"

azure_session_config = AzureSessionConfig(tenant_id, client_id, client_secret)
config_path = "<path_to_client_config_python.json>"

token = "<One Time Token>"
key_id = "<key_id>"

azure_key_value_storage = AzureKeyValueStorage(
    key_id=key_id,
    config_file_location=config_path,
    az_session_config=azure_session_config)

secrets_manager = SecretsManager(token=token, config=azure_key_value_storage)

records = secrets_manager.get_secrets()

for record in records:
    print(record)

To do this, use AzureKeyValueStorage as your Secrets Manager storage in the SecretsManager constructor.

The storage will require an Azure Key ID, as well as the name of the Secrets Manager configuration file which will be encrypted by Azure Key Vault. Optionally AzureSessionConfig can be provided. If credentials are not provided the default credentials are used.

using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Extensions.Logging;
using SecretsManager;

public class Program
{
   private static async Task getOneIndividualSecret()
    {
        var tenant_id = "<TENANT_ID>";
        var client_secret = "<CLIENT_SECRET>";
        var client_id = "<CLIENT_ID>";
        var keyId = "<KEY_ID>";
        var path = "ksmConfigDotnet.json";
        var dotnet_access_token = "<ACCESS_TOKEN>";
        var loggerFactory = LoggerFactory.Create(builder =>
        {
            builder.SetMinimumLevel(LogLevel.Debug);
            builder.AddConsole();
        });
        var logger = loggerFactory.CreateLogger<AzureKeyValueStorage>();
        var azure_session_config = new AzureSessionConfig(tenant_id, client_id, client_secret);
        AzureKeyValueStorage azure_storage = new AzureKeyValueStorage(keyId, path, azure_session_config, logger);
        SecretsManagerClient.InitializeStorage(azure_storage, dotnet_access_token);
        
        var options = new SecretsManagerOptions(azure_storage);
                    var records_list = await SecretsManagerClient.GetSecrets(options);
        records_list.Records.ToList().ForEach(record => Console.WriteLine(record.RecordUid + " - " + record.Data.title));
    }
	static async Task Main()
	{
		await getOneIndividualSecret();
	}
}

Additional Options

Change Key

We can change key that is used for encrypting the KSM configuration, examples below show the code needed to use it

//The method changeKey(newKeyID) will be used to encrypt the KSM config file with new azure key. 
....
 String newKeyID = "https://<vault-name>.vault.azure.net/keys/<keyname>/<keyversion>";
 AzureKeyValueStorage azkvstorage =  AzureKeyValueStorage.getInternalStorage(keyId, configFileLocation, azConfig);
 boolean isChanged = azkvstorage.changeKey(newKeyID);	 // Change the key for encryption/decryption
....

// To change the Azure Key Vault key used for encryption, you can call the `changeKey` method on the `AzureKeyValueStorage` instance.
.....
 const keyId = 'https://<vault_name>.vault.azure.net/keys/<key_name>/<version>'
 const keyId2 = "https://<vault_name>.vault.azure.net/keys/<key_name>/<version>"
 const storage = await new AzureKeyValueStorage(keyId, config_path, azureSessionConfig, logLevel).init();
 await storage.changeKey(keyId2);

.....

azure_key_value_storage = AzureKeyValueStorage(
    key_id=key_id,
    config_file_location=config_path,
    az_session_config=azure_session_config)

new_key_id = "<new key id>"
is_changed = azure_key_value_storage.change_key(new_key_id)
print(f"Key is changed: {is_changed}")

// To change the Azure key used for encryption, you can call the `ChangeKeyAsync` method on the `AzureKeyValueStorage` instance.
 using Microsoft.Extensions.Logging;
 ....
     var keyId2 = "<KEY_ID_2>";
     var loggerFactory = LoggerFactory.Create(builder =>
            {
                builder.SetMinimumLevel(LogLevel.Debug);
                builder.AddConsole();
            });
    var logger = loggerFactory.CreateLogger<AzureKeyValueStorage>();
    AzureKeyValueStorage azure_storage = new AzureKeyValueStorage(keyId, path, azure_session_config, logger);
    azure_storage.ChangeKeyAsync(keyId2).Wait();
 ....

Decrypt Config

We can decrypt the config if current implementation is to be migrated onto a different cloud or if you want your raw credentials back. The function accepts a boolean which when set to true will save the decrypted configuration to file and if it is false, will just return decrypted configuration.

....
 AzureKeyValueStorage azkvstorage =  AzureKeyValueStorage.getInternalStorage(keyId, configFileLocation, azConfig);
 azkvstorage.decryptConfig(false); // Set false as a parameter to extract only plaintext.
 //OR 
 azkvstorage.decryptConfig(true); // Set true as a parameter to extract plaintext and save config as a plaintext.
....

// To decrypt the config file, call the `decryptConfig` method on the `AzureKeyValueStorage` instance.
// ....
const storage = await new AzureKeyValueStorage(keyId, configPath, azureSessionConfig, logLevel).init();
const decryptedConfig = await storage.decryptConfig(true);  // Saves plaintext to file and returns it
// OR
const decryptedConfig = await storage.decryptConfig(false); // Returns plaintext without saving to file
// ....

v1.1.0: decrypt_config() now defaults to autosave=False. Previously the default was True, which would overwrite the encrypted config file with plaintext. Pass autosave=True explicitly to save to disk.

storage = AzureKeyValueStorage(
    key_id=key_id,
    config_file_location=config_path,
    az_session_config=azure_session_config)

# Returns plaintext only (file stays encrypted)
plaintext = storage.decrypt_config(autosave=False)
print(plaintext)

# OR: returns plaintext and saves config as plaintext
plaintext = storage.decrypt_config(autosave=True)
print(plaintext)

//To decrypt the config file and save it again in plaintext, you can call the `DecryptConfigAsync` method on the `AzureKeyValueStorage` instance.
.... 
var keyId2 = "<KEY_ID_2>";
 AzureKeyValueStorage azure_storage = new AzureKeyValueStorage(keyId, path, azure_session_config, logger);
await azure_storage.DecryptConfigAsync(true); // return decrypted and Saves to file
//OR
await azure_storage.DecryptConfigAsync(false); // returns the decrypted config 
....

You're ready to use the KSM Storage integration 👍

Check out the KSM SDKs documentation for more examples and functionality

PreviousAzure Key Vault Sync NextBitbucket Plugin

Last updated 20 days ago