@Charlie Melga
Thank you for your post!
When it comes to the use of a Symmetric Key (Secret), and Asymmetric Key (Key), depending on the encryption method you decide to use, you can definitely leverage a Key to wrap a Secret.
For more info - Azure encryption models.
Azure disk encryption:
You can protect Windows and Linux virtual machines by using Azure disk encryption (ADE), which uses Windows BitLocker technology and Linux DM-Crypt to protect both operating system disks and data disks with full volume encryption.
- With Azure Disk Encryption, after you've created your own Key Vault, you can Bring your own Key (BYOK) or create a Key Encryption Key (KEK) which will be used to protect or wrap the secret.
- For more info - Encrypt a running VM using KEK
Azure Storage Service Encryption:
- Azure Storage Service Encryption (SSE) can automatically encrypt data before it is stored, and it automatically decrypts the data when you retrieve it.
- With SSE, and keeping with your specific issue, you can enable 256-bit AES encryption at the Azure Storage infrastructure level (Double Encryption). When enabled, data in a storage account is encrypted twice — once at the service level and once at the infrastructure level — with two different encryption algorithms and two different keys. For more info - Enable infrastructure encryption for double encryption of data
- In order to manage the encryption key you'll have to leverage the Customer-managed keys for Azure Storage encryption feature.
Azure Key Vault:
When it comes to maintaining the rights to use one Key over the other (i.e. ASYM1/ASYM2) for specific users, you can Enable Azure RBAC permissions on your Key Vault. This new Azure RBAC permission model for key vault provides an alternative to the vault access policy permissions model. Azure RBAC for key vault provides the ability to have separate permissions on individual keys, secrets, and certificates.
Individual keys, secrets, and certificates permissions should be used only for specific scenarios:
- Sharing individual secrets between multiple applications, e.g., one application needs to access data from the other application
- Cross-tenant encryption with customer key, e.g., ISV using a key from a customer key vault to encrypt its data
Additional Links:
Azure Data Encryption at rest
Data encryption models
Azure Key Vault Overview
Azure RBAC Permission Model - Known limits and performance
Key management with Key Vault
I hope this helps!
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
----------
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
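The "Key wraps a Secret" pattern described in the answer above (a Key Encryption Key protecting a symmetric data key, as ADE and customer-managed keys for Storage do) is easiest to see in working code. The following is an added example and is not code from the answer, from Azure, or from Key Vault: it uses a locally generated RSA key as a stand-in for a Key Vault KEK (in the real service the wrap/unwrap happens inside Key Vault and the private key never leaves it), and the names `Envelope`, `Seal`, `Open` and `Rewrap` and the OAEP label are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel is a constructed domain-separation label for the wrap operation.
var oaepLabel = []byte("dek-wrap")

// Envelope is what a service would persist: the AES-GCM nonce, the ciphertext,
// and the data-encryption key (DEK) wrapped under the KEK. The DEK is never stored in the clear.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedDEK []byte
}

// NewKEK creates a 2048-bit RSA key-encryption key (stand-in for a Key Vault key).
func NewKEK() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal generates a fresh 256-bit AES DEK, encrypts plaintext with AES-256-GCM,
// then wraps the DEK with RSA-OAEP under the KEK public key.
func Seal(kek *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32) // AES-256 key, used once for this envelope
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, dek, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: ciphertext, WrappedDEK: wrapped}, nil
}

// Open unwraps the DEK with the KEK private key and decrypts the ciphertext.
// A wrong KEK fails at the unwrap step and never reaches the data.
func Open(kek *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kek, env.WrappedDEK, oaepLabel)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Rewrap moves an envelope from an old KEK to a new one without touching the
// ciphertext: rotating the Key only re-wraps the Secret, it does not re-encrypt the data.
func Rewrap(oldKEK *rsa.PrivateKey, newKEK *rsa.PublicKey, env *Envelope) (*Envelope, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, oldKEK, env.WrappedDEK, oaepLabel)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, newKEK, dek, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{Nonce: env.Nonce, Ciphertext: env.Ciphertext, WrappedDEK: wrapped}, nil
}

func main() {
	kek, _ := NewKEK()
	env, _ := Seal(&kek.PublicKey, []byte("constructed blob contents")) // constructed sample data
	pt, err := Open(kek, env)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	kek2, _ := NewKEK()
	env2, _ := Rewrap(kek, &kek2.PublicKey, env)
	_, err = Open(kek, env2)
	fmt.Println("old KEK after rotation fails:", err != nil)
}
```

The split matters for the RBAC point in the answer as well: a principal that may use the KEK (wrap/unwrap) can be a different principal from the one that can read the stored envelope, and revoking the KEK permission alone makes every envelope under that Key unreadable without touching the storage account.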