You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/security/fundamentals/secrets-best-practices.md
+3-3Lines changed: 3 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -39,7 +39,7 @@ See [Recommendations for protecting application secrets](/azure/well-architected
39
39
40
40
Leveraging secure key stores ensures that your secrets are stored in a secure, encrypted location. Services like [Azure Key Vault](/azure/key-vault) and [Azure Managed HSM](/azure/key-vault/managed-hsm) provide robust security features, including access control, logging, and automatic rotation. This approach centralizes the management of your secrets and reduces the risk of unauthorized access.
41
41
42
-
For even greater security, particularly for highly sensitive or critical secrets, consider encrypting the secret with a key stores in a Hardward Security Model (HSM), which offer enhanced protection compared to software-based secret stores. For an overview of all the key management offering in Azure and guidance on which to choose, see [Key management in Azure](key-management.md) and [How to choose the right key management solution](key-management-choose.md).
42
+
For even greater security, particularly for highly sensitive or critical secrets, consider encrypting the secret with a key stores in a Hardware Security Model (HSM), which offer enhanced protection compared to software-based secret stores. For an overview of all the key management offering in Azure and guidance on which to choose, see [Key management in Azure](key-management.md) and [How to choose the right key management solution](key-management-choose.md).
43
43
44
44
### Implement secret scanning tools
45
45
@@ -75,13 +75,13 @@ Ensure that your secrets are encrypted both at rest and in transit. [Azure Key V
75
75
76
76
In Azure, encryption at rest is implemented across various services using AES 256 encryption, while data in transit is secured through TLS and MACsec to prevent unauthorized access during transmission. These encryption practices provide comprehensive protection for your data, whether it’s being stored or transmitted between systems. For more details, see [Encryption at rest and in transit](encryption-atrest.md).
77
77
78
-
### Safe Distribution of Secrets
78
+
### Safe distribution of secrets
79
79
80
80
When distributing secrets, ensure they are shared securely within and outside the organization. Use tools designed for secure sharing and include secret recovery procedures in your disaster recovery plans. If a key is compromised or leaked, it should be regenerated immediately. To further enhance security, use distinct keys for each consumer rather than sharing keys, even if they have similar access patterns. This practice simplifies key management and revocation, ensuring that compromised keys can be revoked without affecting other consumers.
81
81
82
82
## Service-specific best practices
83
83
84
-
Individual serives may have additional best practices and guidance for protecting secrets. Here are some examples:
84
+
Individual services may have additional best practices and guidance for protecting secrets. Here are some examples:
85
85
86
86
- API Management: [Use named values in Azure API Management policies with Key Vault Integration](/azure/api-management/api-management-howto-properties)
87
87
- App Service: [Use Key Vault references for App Service and Azure Functions](/azure/app-service/app-service-key-vault-references)
0 commit comments