{"id":13213,"date":"2019-10-04T15:33:48","date_gmt":"2019-10-04T19:33:48","guid":{"rendered":"http:\/\/www.iri.com\/blog\/?p=13213"},"modified":"2019-10-04T17:17:55","modified_gmt":"2019-10-04T21:17:55","slug":"fieldshield-azure-key-vault","status":"publish","type":"post","link":"https:\/\/beta.iri.com\/blog\/data-protection\/fieldshield-azure-key-vault\/","title":{"rendered":"Securing FieldShield Passphrases in Azure Key Vault"},"content":{"rendered":"

One of the primary uses of <\/span>IRI FieldShield<\/span><\/a> is to <\/span>encrypt and decrypt<\/span><\/a> sensitive data in database or flat-file columns. FieldShield relies on a passphrase to derive a symmetrical encryption key used at encryption and decryption time. The passphrase is stored in a job script file in one of three ways:<\/span><\/p>\n

    \n
  1. A text string directly in the the job script.<\/span><\/li>\n
  2. The path of a file containing the passphrase.<\/span><\/li>\n
  3. An environment variable whose value resolves to the passphrase at runtime.\u00a0<\/span><\/li>\n<\/ol>\n

    In this article, we improve upon the security of FieldShield passphrases for data sources either in the cloud or on premise by combining the third method with an <\/span>Azure<\/span><\/a> Key Vault. Future articles will show how to secure FieldShield passphrases or keys in other key management systems.<\/span><\/p>\n

    Benefits of the Approach<\/b><\/h4>\n

    Because FieldShield passphrases can be expressed as environment variables, they can be managed through a command-line hook to an Azure Key Vault. The vault is a cloud service in Microsoft’s Azure platform for securely storing \u201csecrets\u201d, which in this case are the passphrases that FieldShield uses to encrypt and decrypt values.<\/span><\/p>\n

    Azure offers many security features for protecting access to the key vault, including Active Directory for user authentication, and key rotation to periodically change key values. Built-in firewall management functionality restricts certain applications\/IP addresses from accessing the vault, too.\u00a0<\/span><\/p>\n

    It is also possible to log access to monitor how and when your key vaults are queried, and by whom. This helps discover abnormal events like unauthorized key extraction attempts, or access by privileged users at unusual times.\u00a0<\/span><\/p>\n

    Without the use of Azure Key Vault and batch files, the environment variable used in the FieldShield job would need to be a permanent environment variable. This permanent environment variable could be viewed by a user who may need to run the job but is not desired to have access to the passphrase.\u00a0<\/span><\/p>\n

    By using Azure key vault and an executable file that contains a batch script to run FieldShield, however, the environment variable is temporary and secure. It serves up the passphrase for only the FieldShield task defined in a particular<\/span> batch job.<\/span><\/p>\n

    Solution Architecture<\/b><\/h4>\n

    A FieldShield encryption or decryption target field function can be specified this way:<\/span><\/p>\n

    \/FIELD=(ENC_FP_PAN=enc_fp_aes256_CreditCardNo, \u201c$passvar), POSITION=6 …<\/span><\/i><\/p>\n

    where <\/span>$passvar<\/span><\/i> in this case is the environment variable that will resolve to the passphrase stored in Azure during batch execution of command-line FieldShield jobs.<\/span><\/p>\n

    \"\"<\/a><\/p>\n

    Initially, the Azure Key vault will need to be set up, if one is not set up already. This example shows step-by-step how to set up a key vault with a secret \u2014 in this case a FieldShield passphrase \u2014 inside using the Azure Command Line Interface (CLI). The Azure CLI can be downloaded and run locally, which will be required for this example.\u00a0<\/span><\/p>\n

    A batch file has commands that run a FieldShield job to encrypt (or decrypt) fields using the passphrase stored in the Azure Key Vault. This batch file will be encased in an .exe file to prevent Azure login credentials from being read.\u00a0<\/span><\/p>\n

    Again, the environment variable tied to the passphrase exists only during the execution of the batch file, so all traces of the passphrase vanish after the batch file runs. And since a local environment variable is used, the passphrase cannot be accessed unless the batch file is edited, which is not possible as an executable set to read and run only.<\/span><\/p>\n

    Creating the Key Vault\u00a0<\/b><\/h4>\n

    Following along with this example requires the following:<\/span><\/p>\n