|
39 | 39 |
|
40 | 40 | ### Use secure key stores
|
41 | 41 |
|
42 |
| -Leveraging secure key stores ensures that your secrets are stored in a secure, encrypted location. Services like [Azure Key Vault](/azure/key-vault) provide robust security features, including access control, logging, and automatic rotation. This approach centralizes the management of your secrets and reduces the risk of unauthorized access. |
| 42 | +Leveraging secure key stores ensures that your secrets are stored in a secure, encrypted location. Services like [Azure Key Vault](/azure/key-vault) and [Azure Managed HSM](/azure/key-vault/managed-hsm) provide robust security features, including access control, logging, and automatic rotation. This approach centralizes the management of your secrets and reduces the risk of unauthorized access. |
43 | 43 |
|
44 | 44 | For even greater security, particularly for highly sensitive or critical secrets, consider encrypting the secret with a key stores in a Hardward Security Model (HSM), which offer enhanced protection compared to software-based secret stores. For an overview of all the key management offering in Azure and guidance on which to choose, see [How to choose the right key management solution](key-management-choose.md).
|
45 | 45 |
|
46 | 46 | See:
|
47 | 47 |
|
48 | 48 | - [Key management in Azure](key-management.md)
|
49 | 49 | - [How to choose the right key management solution](key-management-choose.md)
|
50 |
| -- [Azure Key Vault](/azure/key-vault/general/overview) |
51 |
| -- [Azure Managed HSM](/azure/key-vault/managed-hsm/overview) |
52 | 50 |
|
53 | 51 | ### Implement secret scanning tools
|
54 | 52 |
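Review bot: the "See:" list in this hunk drops its Azure Key Vault and Azure Managed HSM entries, but the inline links that replace them point at the hub paths (`/azure/key-vault`, `/azure/key-vault/managed-hsm`) rather than the overview pages the removed entries used (`/azure/key-vault/general/overview`, `/azure/key-vault/managed-hsm/overview`); keeping the overview targets would land readers on the same pages as before. Since the paragraph just above is being edited anyway, the unchanged sentence beginning "For even greater security" has two typos worth fixing in the same change: "a key stores in a Hardward Security Model (HSM)" should read "a key stored in a Hardware Security Module (HSM)", and "all the key management offering in Azure" should be plural.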
|
@@ -104,10 +102,13 @@ See:
|
104 | 102 |
|
105 | 103 | ### Encrypt secrets at rest and in transit
|
106 | 104 |
|
107 |
| -Ensure that your secrets are encrypted both at rest and in transit. Azure Key Vault automatically encrypts secrets at rest using industry-standard encryption algorithms. Additionally, use secure communication protocols like HTTPS to encrypt data in transit between your applications and the key vault. This approach ensures that your secrets remain protected from unauthorized access during storage and transmission. |
| 105 | +Ensure that your secrets are encrypted both at rest and in transit. Azure Key Vault securely stores secrets using envelope encryption, where Data Encryption Keys (DEKs) are encrypted by Key Encryption Keys (KEKs), providing an additional layer of security. This approach enhances protection against unauthorized access. Additionally, use secure communication protocols like HTTPS to encrypt data in transit between your applications and the key vault, ensuring that your secrets are safeguarded during both storage and transmission. |
| 106 | + |
| 107 | +In Azure, encryption at rest is implemented across various services using AES 256 encryption, while data in transit is secured through TLS and MACsec to prevent unauthorized access during transmission. These encryption practices provide comprehensive protection for your data, whether it’s being stored or transmitted between systems. For more details, see [Encryption at rest and in transit](encryption-atrest.md). |
108 | 108 |
|
109 | 109 | See:
|
110 | 110 |
|
| 111 | +- [Azure Key Vault](/azure/key-vault/general/overview) |
111 | 112 | - [Encryption at rest and in transit](encryption-atrest.md)
|
112 | 113 |
|
113 | 114 | ### Safe Distribution of Secrets
|
|
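Review bot: the new second paragraph names TLS and MACsec together as what secures data in transit, but the paragraph before it tells the reader to use HTTPS between their applications and the key vault; say which of the two applies to that application-to-vault connection (the one the reader configures) and which is applied by the platform, otherwise readers may look for a MACsec setting on their side. Two smaller points in the same hunk: write "AES 256" as "AES-256", and the rewritten Key Vault paragraph now makes the same claim twice ("This approach enhances protection against unauthorized access" and "ensuring that your secrets are safeguarded during both storage and transmission"), so one of the two sentences can go.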