The ProtectKeysWithAzureKeyVault section of this page suggests a series of steps that result in a serious security issue. #22546
Comments
@markmcgookin please review
Yeah, this is a super confusing topic. We do state here that ideally you should just upgrade to the new libraries as that will create things properly, but it might be made clearer that this doesn't require running the code twice with the line removed.
Maybe we should remove the workaround and just insist people use the new packages? Also... re: keyvault config, yeah we should probably mention that those specific permissions are needed. Even though this isn't necessarily about configuring keyvault itself, it would make sense to at least give users a heads up for what is required.
Yes, let's do that. We want to encourage folks to use the latest bits.
Can you PR this?
@markmcgookin can you take a look at this and #24096
PR #24184 should cover both of these, not sure if it's automatically picked up this one though. Might need to manually close if/when it's merged.
The ProtectKeysWithAzureKeyVault section of this page suggests that the reader run the sample code twice: once with the ProtectKeysWithAzureKeyVault call commented out to create the initial blob, and then a second time with the protect call left in. The problem with that is that not only is the blob file created for the keyring, but an initial key is created that is valid for 3 months from the time you ran it. When you add the ProtectKeysWithAzureKeyVault it actually does NOTHING! Your key is now free and clear in blob storage for anyone to read UNTIL that key expires and a new one is generated which is Key Vault-encrypted. The instructions should state that the blob file should be edited to remove the key, or, since the sample empty file is so small, you should just include it in the instructions.
The other thing that is wrong is the permissions needed for the web app in Key Vault: you must have the get permission as well as wrap and unwrap.
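A defender-side check for the situation the issue describes, added here as an example and not code from the docs page or the ASP.NET Core project: it parses a Data Protection key ring and reports any key whose master key is still stored in the clear, together with whether that key is still within its validity window. It assumes the key-ring layout in which a plaintext master key carries `requiresEncryption="true"` in the `http://schemas.asp.net/2015/03/dataProtection` namespace and a Key Vault-protected key has that element replaced by `<encryptedKey>`; the sample key ring is constructed and the key values are placeholders.

```python
# Added example (not from the docs page or the ASP.NET Core project): audit a
# Data Protection key ring for master keys persisted in plaintext, i.e. keys
# created before ProtectKeysWithAzureKeyVault took effect. Assumption: plaintext
# master keys carry requiresEncryption="true" in the dataProtection namespace;
# protected keys have that element replaced by <encryptedKey>. Parse-only.
import xml.etree.ElementTree as ET
from datetime import datetime

DP_NS = "http://schemas.asp.net/2015/03/dataProtection"

# Constructed sample key ring in the <repository> shape the blob repository
# writes: key 1111... was saved before the protect call, key 2222... after it.
SAMPLE_KEYRING = """<?xml version="1.0" encoding="utf-8"?>
<repository>
  <key id="11111111-1111-1111-1111-111111111111" version="1">
    <creationDate>2020-06-01T00:00:00Z</creationDate>
    <activationDate>2020-06-01T00:00:00Z</activationDate>
    <expirationDate>2020-08-30T00:00:00Z</expirationDate>
    <descriptor><descriptor>
      <encryption algorithm="AES_256_CBC" /><validation algorithm="HMACSHA256" />
      <masterKey p4:requiresEncryption="true" xmlns:p4="http://schemas.asp.net/2015/03/dataProtection">
        <value>PLACEHOLDER_NOT_A_REAL_KEY</value>
      </masterKey>
    </descriptor></descriptor>
  </key>
  <key id="22222222-2222-2222-2222-222222222222" version="1">
    <creationDate>2020-08-28T00:00:00Z</creationDate>
    <activationDate>2020-08-30T00:00:00Z</activationDate>
    <expirationDate>2020-11-28T00:00:00Z</expirationDate>
    <descriptor><descriptor>
      <encryption algorithm="AES_256_CBC" /><validation algorithm="HMACSHA256" />
      <encryptedKey xmlns=""><value>PLACEHOLDER_CIPHERTEXT</value></encryptedKey>
    </descriptor></descriptor>
  </key>
</repository>
"""

def _parse_utc(stamp: str) -> datetime:
    # Key ring timestamps are ISO 8601 with a trailing Z; make them tz-aware.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def find_unprotected_keys(keyring_xml: str, now: str) -> list:
    """One record per key whose master key is stored in the clear."""
    findings = []
    for key in ET.fromstring(keyring_xml).iter("key"):
        in_clear = any(e.get(f"{{{DP_NS}}}requiresEncryption") == "true" for e in key.iter())
        if not in_clear:
            continue  # element was replaced by <encryptedKey>: protected
        expires = key.findtext("expirationDate")
        findings.append({"id": key.get("id"), "expires": expires,
                         "still_valid": _parse_utc(expires) > _parse_utc(now)})
    return findings

if __name__ == "__main__":
    for f in find_unprotected_keys(SAMPLE_KEYRING, "2020-07-01T00:00:00Z"):
        print(f"UNPROTECTED key {f['id']} expires {f['expires']}, still valid: {f['still_valid']}")
```

Run it against the downloaded `keys.xml` blob after the two-pass procedure: any key it lists stays readable to anyone with blob access until its expiration date, which is the window the issue describes.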