Azure Key Vault with Java, Spring Boot and Jasypt

Sandeep Kumar
Jun 1, 2021

Introduction

We often hear about security incidents and data leaks from production environments. In most cases the people involved turn out to be insiders, and access to databases, data repositories and other integrations is found to have been established using credentials (for authentication or authorization) stored in server configuration files such as properties, YAML, config or cnf files.

These production servers are often accessed by support engineers and server maintenance engineers, who can easily open the configuration files and obtain the credentials for the secured systems.

Credentials are always at risk and require an appropriate level of protection while being stored; adequate access management is also needed whenever stored credentials are read.

The most common practice for secure credential management is to use a Key Vault.

A Key Vault is a server or service application that provides the following features:

  • A secure repository for credential storage
  • Secrets stored using a well-proven encryption algorithm
  • Authentication and authorization mechanisms for reading, writing and accessing secrets
  • Versioning and credential expiry management
  • APIs for integration with the application server

Problem Statement

In a conventional/monolithic server application, the configuration is stored on the server machine itself, and it also contains secured information such as database credentials and external system credentials (for integrations such as SFTP certificates/credentials).

This local storage of secured information in unencrypted form (mostly in properties, YAML, config, cnf or XML files) makes the system more vulnerable, because in most cases the servers are accessed by support and server maintenance engineers, who can simply log in to the server and read the secured information.

Although this challenge exists for every kind of application, let us discuss it for monolithic web-based applications and micro-service based applications.

Consider the below diagram for monolithic web application:

Figure 1: This diagram depicts monolithic web development conceptual architecture

With a monolithic web application, configuration is stored at two levels, both of which may contain secret information:

  • Application Server level — information stored with the application server is mostly kept in XML format.
  • Web Application level — when the application is deployed to the server, it is deployed as a package such as an EAR, WAR or JAR (for Java based applications) or another package format. Configuration is stored with every deployable package.

Now consider that someone gains access to the server and opens the physical file where the configuration containing the secured information is stored. He or she can easily obtain the credentials and enter the database or other system where user, customer or other sensitive data is stored.

Let’s discuss the same issue for a micro-service based application; consider the diagram below:

Figure 2: This diagram depicts micro-service based web development conceptual architecture

Here too, each micro-service contains its own configuration, which may contain details of the database server or of external systems such as SFTP, MQ channels etc.

In this design, if someone gains access to the worker nodes, it is very easy to reach the service container and obtain its configuration files. It is also quite common to store configurations on an attached volume, which is just as vulnerable.

Both conceptual designs discussed here present the same problem: configuration kept on the server or node that contains secured information such as database credentials or external system credentials is vulnerable.

Solution

The problem statement section discussed the security vulnerability associated with application configuration that contains secure information such as credentials for external systems and databases, private keys and certificates.

As a solution, it is proposed to introduce a Vault server with the following features:

  • A secure repository for credential storage
  • Secrets stored using a well-proven encryption algorithm
  • Authentication and authorization mechanisms for reading, writing and accessing secrets
  • Versioning and credential expiry management
  • APIs for integration with the application server

With a Key Vault, secure storage of secrets can be implemented in several ways. Let’s discuss a few solutions:

Solution 1:

Let’s understand the solution with the diagram below:

Figure 3: This diagram depicts monolithic web application conceptual diagram with Key Vault introduced

In this diagram, a Vault component is introduced that securely stores the secrets, keys and certificates. When the application starts, or whenever secrets are needed, it connects to the Vault, fetches the required secret and uses it in the program to connect to the database or to external systems as required.

Let’s understand the same scenario for a micro-service based web application design:

Figure 4: This diagram depicts micro-service based web application conceptual diagram with Key Vault

In the micro-service based design, too, a Vault is introduced to store the secrets; when required, each individual service connects to the Key Vault and obtains the configuration it needs.

In the diagrams above (Figures 3 and 4), the solution uses a Key Vault that stores the secrets; when needed, they are loaded into the application and used.

For the implementation, please refer to the link below for a complete project implemented using Azure Key Vault:

Solution 2:

In this approach, Key Vault is used together with Jasypt: a secret salt/key is created and used as the symmetric key for encrypting the configuration values stored in YAML/XML/properties/conf files, and this salt/key itself is stored in the Key Vault.

Let’s understand this solution with the diagram below:

Figure 5: This diagram depicts micro-service based web application conceptual diagram with Key Vault and Jasypt

Jasypt is a proven solution for storing Spring Boot application configuration in encrypted form (other Jasypt implementations are available for other kinds of applications and programming languages). It simply requires adding a dependency and can be used with the default auto-configuration or with a custom implementation.

With Jasypt, a key is used to encrypt the configuration values, which are then placed in the configuration file wrapped in the ENC() marker, like this:

Suppose we created the key ‘asdflljkhf84j@1s’. Encrypt the database username with this key and place it in the YAML file inside ENC() as:

database.username: ENC(jklsadj;flj32r432ljlkjojjlds)

Now store this Jasypt key in the vault. At start-up, the Spring Boot application first connects to the Key Vault and obtains the key, which is then passed to Jasypt. Jasypt does the rest: whenever a configuration value is required, Jasypt decrypts it automatically and it is used wherever needed.

This is a much simpler implementation: with the help of Key Vault and Jasypt, configuration can be stored both securely (double security with the Vault and Jasypt) and unsecured (for other configuration parameters where security is not required, for example a report template path) without much code.
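As an added illustration (example code, not from the article or the linked repository), the following Java program shows the Jasypt round trip behind such an ENC() value: it encrypts a configuration value with a key, wraps it as ENC(...) for the YAML file, decrypts it again, and shows that a different key cannot decrypt it. It assumes the org.jasypt:jasypt library on the classpath; the class and method names are the example's own, and the key and username are constructed sample values. The algorithm settings match the defaults of jasypt-spring-boot 3.x (older versions default to PBEWithMD5AndDES), so the encryptor that decrypts at start-up must be configured the same way as the one that produced the value.

```java
// Added example: produce and consume Jasypt ENC(...) configuration values.
// Dependency assumed: org.jasypt:jasypt (the library jasypt-spring-boot builds on).
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;

public class JasyptConfigValueDemo {

    // Builds an encryptor with the same settings jasypt-spring-boot 3.x uses by default,
    // so values produced here decrypt under the default auto-configuration.
    static PooledPBEStringEncryptor encryptor(String key) {
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPassword(key);                           // the key that will live in Key Vault
        config.setAlgorithm("PBEWITHHMACSHA512ANDAES_256");
        config.setKeyObtentionIterations("1000");
        config.setPoolSize("1");
        config.setProviderName("SunJCE");
        config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
        config.setIvGeneratorClassName("org.jasypt.iv.RandomIvGenerator");
        config.setStringOutputType("base64");
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        encryptor.setConfig(config);
        return encryptor;
    }

    // Wraps the ciphertext the way jasypt-spring-boot expects it in a properties/YAML file.
    static String toPropertyValue(String key, String plaintext) {
        return "ENC(" + encryptor(key).encrypt(plaintext) + ")";
    }

    // Strips the ENC(...) wrapper and decrypts; unencrypted values pass through unchanged,
    // which is what lets secure and plain settings share one file.
    static String fromPropertyValue(String key, String propertyValue) {
        if (!propertyValue.startsWith("ENC(") || !propertyValue.endsWith(")")) {
            return propertyValue;
        }
        String ciphertext = propertyValue.substring(4, propertyValue.length() - 1);
        return encryptor(key).decrypt(ciphertext);
    }

    public static void main(String[] args) {
        String key = "asdflljkhf84j@1s";                   // sample key from the article
        String encrypted = toPropertyValue(key, "dbuser");  // constructed sample username
        System.out.println("database.username: " + encrypted);
        System.out.println("decrypted: " + fromPropertyValue(key, encrypted));
        // A random salt and IV are used, so encrypting the same value twice gives a
        // different ciphertext each time; only the key decides whether decryption works.
        try {
            fromPropertyValue("wrong-key", encrypted);
        } catch (EncryptionOperationNotPossibleException e) {
            System.out.println("a different key cannot decrypt the value");
        }
    }
}
```

Run it once with the real key to generate the ENC() value for each secret setting; the plaintext never needs to be written to the configuration file, and the key itself goes into the vault rather than into the repository.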

For the implementation, please refer to the link below for a complete project implemented using Azure Key Vault and Jasypt:

https://github.com/siddhivinayak-sk/azure-key-vault

The implementation will be discussed in detail in a subsequent section.

Secret Manager/Key Vault services are provided by most Cloud providers. Many Key Vault servers are available, such as:

  • Spring Vault Service
  • Azure Key Vault
  • Google Secret Manager
  • Credential Manager

Let’s start the implementation with Azure Key Vault:

Azure Key Vault is a vault service backed by Azure Cloud for securely storing and accessing secrets. It provides both software-backed and Hardware Security Module (HSM)-backed keys, secrets and certificates.

Azure Key Vault supports storing the following types of secured information:

  • Secret: ordinary secrets (string literals used as passwords/keys)
  • Certificate: secured certificates to be used in the project, e.g. in cert or der format
  • Private Key: private keys used for encryption or as key material in the application, e.g. in pfx or pem format

Basic terminology used in Azure Key Vault:

Tenant: An organization that owns the Azure services.

Vault owner: The owner can create and manage secrets in the vault.

Vault consumer: Based on the permissions granted by the owner, a consumer can access and manage secrets.

HSM Administrator: A user who can control HSM pools and can create, and grant access to, other users.

HSM Crypto User: A user with this built-in role performs cryptographic operations using keys in Managed HSM.

HSM Crypto Service Encryption: This built-in role is usually assigned to a service account’s managed service identity for encryption of data at rest with a customer-managed key.

Resource: A manageable object in Azure Cloud such as a Virtual Network, Blob storage, Key Vault etc.

Resource group: A resource group is a container for resources. It makes resource management easy.

Security principal: A security principal is an identity that apps, services and automation tools use to access specific Azure resources.

Azure AD: The Active Directory service provided by Azure for the tenant.

Tenant ID: The tenant ID is the unique identifier of the Azure AD subscription.

Managed identities: A managed identity provides authentication from code without storing credentials for the Vault, by creating an identity for the application resource in Azure AD.

Azure Key Vault provides an effective, highly available way of storing secrets, keys and certificates. It also provides log monitoring, metrics, insights and other monitoring tools for an effective monitoring experience.

Azure provides SDKs and dependencies that help integrate application resources with Azure Key Vault from different programming languages, e.g. Java, .NET, Python, Node.js etc.

Azure offers various pricing structures for different use cases. It provides a pay-as-you-go model, which is widely used.

Steps to create an Azure Key Vault:

  1. Log in to the Azure Portal.

  2. In the ‘Search resources’ input box, type ‘key vault’. A Key Vault icon is displayed; click on it to open the Key Vault page.

  3. Click on the Add button. A form for creating the Key Vault is displayed, with multiple tabs:

On the Basic tab, provide the subscription, the resource group (any name for the group in which the resource is created), the key vault name (a unique vault name), the region (where the vault will be created) and the pricing tier; keep soft delete enabled, keep the retention period at its default of 90 days, and enable or disable purge protection as you need.

  4. Now click on Next to open the Access policy tab. This tab is very important, as the access policy is managed here (although it can also be managed later by the owner):

By default, the creator will be the owner and have all permissions. Other users can be configured and other access policies can be created. Azure RBAC (Role Based Access Control) can also be configured for access.

  5. Now click on the Next button to open the Network tab:

Here, public access can be chosen for testing purposes, but private access is recommended.

  6. Click on Next to open the Tags tab:

Provide the tags for this resource.

  7. Now click on Review and Create. This creates the Key Vault.

The Key Vault has been created. Now create the secret that will be accessed by the Spring Boot based application by following the steps below:

  1. Open the Key Vault by searching for ‘Key Vault’ in the ‘Search resources’ input box. It lists all available Key Vaults. Click on the vault created above to open it.

  2. Select the ‘Secrets’ menu, which is under the Settings section on the left side. Click on the Generate/import button to add a new secret:

To create your own secret, select the Manual upload option. Provide a name for the secret entry and its value. Content type, activation date and expiration date can also be provided, but these three fields are optional and can be ignored. Keep Enabled set to Yes.

  3. Now click on the Create button. This creates the secret. For testing purposes, a database password can be stored as the secret.

The secret is now stored in the Vault, and the application needs to access it.

Azure Key Vault — Access from application: Java Code

Once the Azure Key Vault has been created and the secrets stored, code needs to be written in the application to obtain the secret from the Key Vault and use it wherever it is required.

When the Azure Key Vault has been created, the following information is available to us (it can be collected from the Vault Overview section and the Access policy section). These are the properties required to establish a connection from the application to the Key Vault:

A. Define the login URL for Azure — Note: this is fixed for Azure Key Vault

azure-keyvault.azure-login-uri=https://login.microsoftonline.com/

B. Define the scope for obtaining the authentication token — Note: this value is fixed for Azure Key Vault

azure-keyvault.scope=https://vault.azure.net

C. Define the Azure Key Vault URL — obtain it from the Azure Key Vault page

azure-keyvault.resource-uri=

D. Define the Tenant ID/Directory ID used for obtaining the authentication token — obtain it from the Azure Key Vault page

azure-keyvault.tenant-id=

E. Define the client ID that obtains the secret from Azure Key Vault — obtain it from the Access policy section of the Key Vault page

azure-keyvault.client-id=

F. Define the key (client secret) for the client ID specified in E. — obtain it from the client definition page for the Azure Key Vault

azure-keyvault.client-key=
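Assuming the properties above, here is an added example (not the repository's AzureVaultUtils.java, nor code from the article) of a Spring Boot configuration class that binds them, authenticates to Azure AD with the client credentials flow through the Azure Identity SDK, reads the Jasypt key from Key Vault and exposes it as the jasyptStringEncryptor bean that jasypt-spring-boot looks up; this is the Solution 2 flow described earlier, wired end to end. Assumed dependencies: com.azure:azure-identity, com.azure:azure-security-keyvault-secrets and com.github.ulisesbocchio:jasypt-spring-boot-starter. The property azure-keyvault.jasypt-key-secret-name (the name of the vault secret holding the Jasypt key) is the example's own addition. The SDK requests the Key Vault token scope itself, so azure-keyvault.scope is not bound here.

```java
// Added example: Key Vault client plus Jasypt encryptor bean for a Spring Boot application.
// Assumed dependencies: com.azure:azure-identity, com.azure:azure-security-keyvault-secrets,
// com.github.ulisesbocchio:jasypt-spring-boot-starter.
import com.azure.identity.ClientSecretCredential;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import org.jasypt.encryption.StringEncryptor;
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.iv.RandomIvGenerator;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class KeyVaultJasyptConfig {

    // The azure-keyvault.* properties from the article; these must stay unencrypted because
    // they are needed before any decryption can happen.
    @Value("${azure-keyvault.azure-login-uri}")
    private String loginUri;

    @Value("${azure-keyvault.resource-uri}")
    private String vaultUri;

    @Value("${azure-keyvault.tenant-id}")
    private String tenantId;

    @Value("${azure-keyvault.client-id}")
    private String clientId;

    @Value("${azure-keyvault.client-key}")
    private String clientKey;

    // Hypothetical extra property (this example's own): which vault secret holds the Jasypt key.
    @Value("${azure-keyvault.jasypt-key-secret-name:jasypt-key}")
    private String jasyptKeySecretName;

    // Client credentials flow against the fixed Azure login URL; the SDK adds the
    // https://vault.azure.net/.default scope itself when it requests a token.
    @Bean
    public SecretClient secretClient() {
        ClientSecretCredential credential = new ClientSecretCredentialBuilder()
                .authorityHost(loginUri)
                .tenantId(tenantId)
                .clientId(clientId)
                .clientSecret(clientKey)
                .build();
        return new SecretClientBuilder()
                .vaultUrl(vaultUri)
                .credential(credential)
                .buildClient();
    }

    // jasypt-spring-boot looks for a bean with this name and uses it to decrypt every
    // ENC(...) value in the configuration files; the key never appears in those files.
    @Bean("jasyptStringEncryptor")
    public StringEncryptor jasyptStringEncryptor(SecretClient secretClient) {
        String key = secretClient.getSecret(jasyptKeySecretName).getValue();
        if (key == null || key.isEmpty()) {
            // Fail fast: starting with an empty key would make every ENC() value unreadable.
            throw new IllegalStateException("Key Vault secret '" + jasyptKeySecretName + "' is empty");
        }
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        encryptor.setPassword(key);
        // Must match the algorithm used when the ENC() values were generated.
        encryptor.setAlgorithm("PBEWITHHMACSHA512ANDAES_256");
        encryptor.setIvGenerator(new RandomIvGenerator());
        encryptor.setPoolSize(1);
        return encryptor;
    }
}
```

Two points a practitioner should keep in mind: the algorithm set on the bean must be the one that produced the ENC() values, otherwise start-up fails with a decryption error; and where the application runs inside Azure, the managed identity described in the terminology section (DefaultAzureCredential in the Identity SDK) can replace the client ID and client key, so that no vault credential at all remains in application.properties.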

Check out the code from the link below: https://github.com/siddhivinayak-sk/azure-key-vault

This code contains the complete Key Vault client implementation in a Spring Cloud Flow Task based app, with and without the Jasypt implementation. It demonstrates obtaining a secret and using it in a Spring Boot based application.

A utility class, ‘AzureVaultUtils.java’, has been created as the client for Azure Key Vault; it obtains secrets, keys and certificates from Azure Key Vault.

To compile, package and run, the following prerequisites need to be set up:

  • JDK 8 or later
  • Apache Maven Build Tool

Open the application.properties file from the source code under src/resources and provide the Azure Key Vault details in the properties discussed above.

To compile and package, execute the following Maven command:

mvn clean compile package

Once the code is compiled and packaged, start the jar file with the command below for testing:

java -jar azure-key-vault-v0.0.1.jar

Conclusion

Every application has some configuration that is stored with the application deployment and read by the application as needed, for example database credentials or external system credentials, which contain secure information such as usernames, passwords, private keys, certificates etc.

If this configuration is placed directly, without proper security and access mechanisms, it becomes very vulnerable: anyone who has access to the server also gains access to the systems whose configuration is in those files, such as the database, SFTP etc. This vulnerability invites data leaks and theft, and in the case of a customer data leak the consequences are far greater.

To overcome this issue, it is recommended to use a Key Vault and to store secrets in the Key Vault with proper access management; it is also recommended to keep Vault access private with network restrictions. Additionally, the Vault should release information only when required, subject to network, authentication and authorization restrictions.

For double protection, local encryption (using Jasypt as the standard approach; other solutions can also be built) and the Key Vault can be used together, so that the configuration is stored in a way that even if illicit access to the server does happen, the data and external systems remain protected.

A Vault can be used with different types of applications. Java and Spring Boot based applications can use it very easily with the implementation and solution discussed here.

References

About the Author

Sandeep Kumar holds a Master of Computer Application degree and works as a Java developer with 10+ years of experience. He has experience in the design and development of enterprise applications in various domains such as education, content, laboratory and banking, and has received various appreciations for providing solutions, including a spot appreciation for a Glassfish to JBoss migration project. He holds the Google Cloud Developer certificate and has participated in OCI trainings. He is part of the HCL-ERS platform as a Sr. Lead developer.
