
Microsoft says it "doesn't see or extract your keys". Maybe it's the ex-lawyer in me, but to me "doesn't" doesn't mean "can't" (*). I'm not interested in policies, contracts, audit trails, etc.

Can't means it's cryptographically impossible, i.e., a zero-knowledge scheme that would require someone with complete unfettered access to the Azure backend - the Platonic attacker, or more terrifying, someone enforcing a subpoena - to nonetheless have to crack a password or something else only in the possession of authorized key vault accessors.

Does anyone know if Microsoft - in theory, in principle - can see Key Vault contents?

(*) Yes, you may bring on the "it depends on what the meaning of the word is, is" jokes.


Reading about Managed HSM pools, they state:

Isolated access control: Managed HSM "local RBAC" access control model allows designated HSM cluster administrators to have complete control over the HSMs that even management group, subscription, or resource group administrators cannot override.

This sounds promising, but they don't state Microsoft cannot override...

Consider whether your customer/client wants to ensure their data is safe from a search warrant, subpoena, etc. Perhaps your client is a government. Being on the cloud doesn't in principle mean you have to trust the cloud provider with the keys (literally) to your kingdom, but the fact that they don't seem to warrant this kind of privacy and no one seems to know the answer leads me to suspect that that's exactly what you do when you use key vault.

Perhaps the only real solution is to store your data on AWS and use Azure to store the keys, or vice versa. At least then Bezos and Nadella would have to conspire together to read your data.
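Added example, not from the question or from any Microsoft documentation: a sketch of the two "can't" models described above, a DEK wrapped under a password-derived KEK so that whoever holds the vault's blob must crack the password, and a 2-of-2 split of the DEK across two custodians so that either one alone holds a uniformly random share. Password, DEK and salts are constructed inline; the XOR-pad wrap is for illustration, where production code would use AES-KW or AES-GCM from a vetted library.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def derive_kek(password: bytes, salt: bytes) -> bytes:
    # Memory-hard KDF: the per-guess cost an offline attacker must pay.
    return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=64)


def wrap_dek(dek: bytes, password: bytes) -> dict:
    """Return the only thing the custodian stores: salt, wrapped key, tag."""
    salt = secrets.token_bytes(16)               # fresh per wrap, so the pad is never reused
    kek = derive_kek(password, salt)
    pad, mac_key = kek[:32], kek[32:]
    wrapped = bytes(a ^ b for a, b in zip(dek, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_dek(blob: dict, password: bytes) -> Optional[bytes]:
    """Recover the DEK; None on wrong password or tampered blob."""
    kek = derive_kek(password, blob["salt"])
    pad, mac_key = kek[:32], kek[32:]
    expect = hmac.new(mac_key, blob["salt"] + blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["wrapped"], pad))


def split_dek(dek: bytes) -> tuple:
    """2-of-2 XOR split: give share_a to one custodian, share_b to the other."""
    share_a = secrets.token_bytes(len(dek))      # uniformly random, independent of dek
    share_b = bytes(a ^ b for a, b in zip(dek, share_a))
    return share_a, share_b


def join_dek(share_a: bytes, share_b: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(share_a, share_b))


if __name__ == "__main__":
    dek = secrets.token_bytes(32)                # constructed 256-bit data key
    blob = wrap_dek(dek, b"correct horse battery staple")
    assert unwrap_dek(blob, b"correct horse battery staple") == dek
    assert unwrap_dek(blob, b"guess") is None
    a, b = split_dek(dek)
    assert join_dek(a, b) == dek
```

Either custodian's view (the blob without the password, or one share without the other) carries no information about the DEK beyond the cost of a password search.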

  • If it's true that Microsoft uses *... FIPS 140-2 Level 2 and Level 3 validated HSMs ...* then not only can Microsoft not see or extract your keys, neither can you. Nobody can. So the next thing you should ask is: "ok, they can't see or extract them, but can they *use* them". Perhaps not unless they have your password, but that's pretty easy for them to get because you give it to them every time you login. – President James K. Polk Feb 21 '23 at 23:42
  • @PresidentJamesK.Polk well, ok, I guess we can assume they're not logging my password, or whatever private keys it unlocks in AAD, and whatever they unlock with my password lives only as long as the API call. So I guess it's the "perhaps not unless they have your password" part that I'm looking for confirmation on. Do they actually need my password to unlock the vault? – Emperor Eto Feb 21 '23 at 23:54
  • I don't see enough details to know exactly how they implement access control to the HSMs. From a trust perspective, you're already trusting Microsoft with almost everything. After all, they could be lying about those HSMs and how would you ever know? They might say the keys are generated on HSMs but they're actually generating them in Microsoft's World Domination Center where they keep spare human organs so Bill Gates can live forever. – President James K. Polk Feb 22 '23 at 00:00
  • Yeah same here, the answer to this doesn't seem to be clear from MS's docs. I mean, yes I see your point, but believe it or not this could actually matter in a subpoena situation. You may recall there was a DOJ subpoena to Apple over opening an iPhone and they were able to truthfully say they couldn't do it. Can Microsoft? – Emperor Eto Feb 22 '23 at 00:02
  • Apple was *not* able to truthfully say they couldn't do it, they simply refused. All it would have taken was to load different software on the iPhone, which Apple could do because they can sign software. They argued that doing so would "weaken" the security of iPhone for reasons I found unconvincing. The government elected to back down when an FBI contractor told them they could get the data (presumably due to a vulnerability) for them without Apple's help. Would have been an interesting case otherwise. – President James K. Polk Feb 22 '23 at 00:11
  • Microsoft is not Apple, so their calculus on these matters is going to be different. – President James K. Polk Feb 22 '23 at 00:12
  • Well, I guess we'll see if anyone knows the answer. Believe it or not customers want to know these things and I can't blame them. – Emperor Eto Feb 22 '23 at 00:21

0 Answers