Azure KeyVault integration for key management

[leastprivilege]

No description provided.

[amadard]

I love the new key management functionality, and I am right now working through how to connect that to a KeyVault using the ISigningKeyStore. I haven't been able to find an elegant way to use the KeyVaults certificate functionality, so I am building my solution to just store the SerializedKey as a secret in the KeyVault.

[brockallen]

I haven't been able to find an elegant way to use the KeyVaults certificate functionality, so I am building my solution to just store the SerializedKey as a secret in the KeyVault.

Yep, that's how you'd do that integration. The key management is not designed to outsource the key generation itself.

[amadard]

I haven't been able to find an elegant way to use the KeyVaults certificate functionality, so I am building my solution to just store the SerializedKey as a secret in the KeyVault.

Yep, that's how you'd do that integration. The key management is not designed to outsource the key generation itself.

Good to know, thanks!

Are you considering a future upgrade to allow outsourcing? It would be an enhancement that my security department would appreciate, so they have more control.

[brockallen]

Are you considering a future upgrade to allow outsourcing?

In that case, I think you'd disable our key management and instead replace the ITokenService. We have had customers do this when they wanted their signing done inside the firewall when their IdentityServer was in the DMZ (if I recall correctly).