I recently found myself starting to use Azure Shell. The way I look at Azure, and really any cloud service, security should be the first part of the process.
Now, not everyone will want to add their own key, because all persistent Azure storage is already encrypted. However, adding your own key may be a good idea or even a requirement. Additionally, you can at least learn a bit more about Azure encryption and, in particular, one related service, Azure Key Vault. That is part of my reasoning: I want to be very deliberate about security in Azure as I use it more.
I’ll start with the first time you use Azure Shell. I want to experiment with Azure Shell for managing Azure VMs, and the first time you do that you are prompted to create the Azure file share that backs it (note that you can click Advanced settings to choose the naming, region, etc.):
Once you create the file share, you can go to the underlying storage account and configure it to use your own encryption key. This is a small but powerful option you can enable on the storage that backs your Azure Shell usage. This option is shown below:
Ideally, an Azure Key Vault is created for this as well as for other services. Setting up Azure Key Vault is much like starting up any other service in Azure, and it takes virtually no time. I have set it up with a private key of my own that I use for cloud services, configured in Azure Key Vault as shown below:
With that in place, I’m ready to tell the Azure file share storage to use the encryption key I have provided. I simply go back to the storage account associated with Azure Shell and complete the option to use Azure Key Vault and the specified key. You can see here that I have one key available, which I can then select and apply to the file share.
Just like that, I’m able to fully manage the encryption for, in this case, the Azure file share needed for Azure Shell. I can also keep this encryption key completely separate from the ones used by other services.
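The same portal steps carried out end to end with the Az PowerShell module, as an added example that is not part of the original post. The resource group, storage account, vault and key names are assumed placeholders, the storage account is taken to be the one Cloud Shell created for the file share, and a key generated in the vault stands in for the author's imported key.

```powershell
# Added example (not from the original post): customer-managed key for the
# Cloud Shell storage account via Az PowerShell. All names below are assumed.
$rg      = 'cloud-shell-storage-eastus'   # assumed: resource group Cloud Shell created
$sa      = 'cs1234567890abc'              # assumed: storage account backing the file share
$kvName  = 'kv-cloudshell-cmk'            # assumed: new Key Vault name (must be globally unique)
$keyName = 'cloudshell-fileshare-key'     # assumed: key name inside the vault
$loc     = (Get-AzResourceGroup -Name $rg).Location

# 1. Key Vault. Customer-managed keys for Storage require soft delete (on by
#    default) and purge protection, so a deleted key cannot be purged out from
#    under data that is still encrypted with it.
$kv = New-AzKeyVault -Name $kvName -ResourceGroupName $rg -Location $loc `
        -EnablePurgeProtection

# 2. The key. A software-protected RSA key generated in the vault stands in for
#    the author's own key; an existing key file can be imported instead with
#    Add-AzKeyVaultKey -KeyFilePath (plus -KeyFilePassword for protected files).
$key = Add-AzKeyVaultKey -VaultName $kvName -Name $keyName -Destination Software

# 3. Give the storage account a system-assigned managed identity. That identity,
#    not your user account, is what wraps/unwraps the data-encryption key.
$account = Set-AzStorageAccount -ResourceGroupName $rg -Name $sa -AssignIdentity

# 4. Least privilege: the identity needs only get, wrapKey and unwrapKey.
Set-AzKeyVaultAccessPolicy -VaultName $kvName `
    -ObjectId $account.Identity.PrincipalId `
    -PermissionsToKeys get, wrapKey, unwrapKey

# 5. Point the storage account's encryption at the vault key (the "Azure Key
#    Vault" option selected in the portal in the post).
Set-AzStorageAccount -ResourceGroupName $rg -Name $sa -KeyvaultEncryption `
    -KeyName $key.Name -KeyVersion $key.Version -KeyVaultUri $kv.VaultUri

# 6. Verify: KeySource changes from Microsoft.Storage to Microsoft.Keyvault.
$enc = (Get-AzStorageAccount -ResourceGroupName $rg -Name $sa).Encryption
if ($enc.KeySource -ne 'Microsoft.Keyvault') { throw "Customer-managed key not applied to $sa" }
"Storage account $sa now encrypts with key $($enc.KeyVaultProperties.KeyName) " +
"version $($enc.KeyVaultProperties.KeyVersion) from $($enc.KeyVaultProperties.KeyVaultUri)"
```

Pinning a specific key version (step 5) means a later key rotation in the vault is not picked up until the storage account is updated again, so treat the verification in step 6 as something to re-run after every rotation.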
I’m going to keep Azure Key Vault as a central part of my Azure practice, and I’ll write up some more content on how, where and why to use this extra layer. Do you use Azure Key Vault? If so, share your usage below.