Delve into the specifics of Azure DevOps Secure Files

Delve into the specifics of Azure DevOps Secure Files

In Azure DevOps, Secure Files is a feature that allows you to securely manage sensitive files, such as certificates, service principal keys, or private keys, that need to be used during a pipeline execution. Unlike environment variables or Azure Key Vault, which are designed to handle secrets like passwords or API keys, Secure Files are designed specifically to handle files (like PFX certificates, SSH keys, or other sensitive documents) that must be securely passed between stages of a pipeline or used during deployment.

Secure Files are particularly useful when you need to securely share files that are necessary for deployment or testing but need to prevent those files from being exposed in your source code or pipeline logs.

Key Features of Secure Files in Azure DevOps

1. Secure Storage: Files uploaded as Secure Files are encrypted and stored in Azure DevOps. They are only accessible by users or pipelines that have appropriate permissions.

2. Integration with Pipelines: Secure files can be referenced and downloaded securely within your pipelines. This ensures that sensitive files (e.g., certificates for signing, SSH keys, or private keys) are used securely during pipeline execution.

3. Granular Permissions: You can control access to Secure Files, granting or denying access to specific users, groups, or pipelines. This provides a fine-grained level of control over who can access these files.

4. Automatic Removal: Secure files can be automatically removed after the pipeline execution, ensuring that sensitive files are not lingering in the pipeline's environment after the job completes.

5. Audit Logs: Azure DevOps provides audit logs for Secure Files, allowing you to track who accessed or modified them, providing traceability and enhancing security.

Use Cases for Secure Files

1. SSL/TLS Certificates: If you need SSL certificates (PFX files) for your application, you can securely store them in Azure DevOps Secure Files and use them in the pipeline during deployment.

2. SSH Keys: For deployments to remote servers or services, SSH keys can be stored as Secure Files, ensuring they are used securely during pipeline execution.

3. Service Principal Secrets or API Keys: Some pipelines may require sensitive API keys or service principal secrets, which can be stored as Secure Files for safer management.

4. Windows Signing Certificates: When signing Windows executables or applications during build or release, private signing certificates can be securely stored as Secure Files.

Managing Secure Files in Azure DevOps

1. Upload Secure Files

To upload secure files to Azure DevOps, follow these steps:

1. Navigate to the Project Settings:

   • Go to the Azure DevOps portal and open your project.

   • Click on Project settings (the gear icon in the bottom-left corner).

2. Access Secure Files: Under the Pipelines section in Project settings, click on Secure files.

3. Upload Files:

   • Click the + Secure file button to upload your file(s).

   • Select the file(s) you want to upload (for example, a .pfx certificate or .pem SSH key) and click Upload.

2. Reference Secure Files in a Pipeline

Once your secure file is uploaded, you can reference it in your pipeline scripts. Secure files can be downloaded and used during build or release pipelines by using the DownloadSecureFile task.

Example of using the DownloadSecureFile task:

xxxxxxxxxx
16
1
trigger:
2
- main
3
pool:
4
  vmImage: 'ubuntu-latest'
5
jobs:
6
- job: UseSecureFile
7
  steps:
8
  - task: DownloadSecureFile@1
9
    name: downloadCertificate
10
    inputs:
11
      secureFile: 'mycertificate.pfx'
12
  - script: |
13
      # Example of using the downloaded file
14
      echo "Certificate downloaded successfully"
15
      # Use the certificate in your pipeline, e.g., signing or deployment
16
    displayName: 'Use the downloaded certificate'

In this example:

1. The DownloadSecureFile task is used to download a secure file (mycertificate.pfx) that was previously uploaded to Azure DevOps.

2. The downloaded file is placed in a default location, which can then be referenced or used in the pipeline tasks.

3. Delete Secure Files

You can delete secure files after the pipeline completes to further secure your environment. However, if you don't manually delete them, they remain available in Azure DevOps until you decide to remove them.

To delete a secure file, go to Project Settings → Pipelines → Secure Files, select the file, and click Delete.

4. Permissions for Secure Files

You can control who has access to the Secure Files by managing permissions:

1. Go to Project Settings → Pipelines → Secure Files.

2. Select the specific file you want to manage.

3. Click on More options (three dots) next to the file and select Manage permissions.

4. Set permissions for the file, such as allowing certain users or groups to access it.

By default, only users with Project Administrator permissions or those with specific pipeline permissions can access Secure Files.

5. Audit Secure File Access

Azure DevOps provides audit logs that track when Secure Files are accessed or modified. This can be helpful for compliance and security purposes.

To view audit logs:

1. Go to Project Settings → Security → Audit Logs.

2. Filter by Secure Files to view any access or changes related to secure file usage.

Best Practices for Using Secure Files in Azure DevOps

1. Limit Access: Only give access to Secure Files to users and pipelines that absolutely need them. Avoid broad access to minimize the risk of exposure.

2. Use in Build and Release Pipelines: Secure files can be particularly useful when you need them in both build (e.g., signing certificates) and release (e.g., deployment credentials) pipelines.

3. Use Encryption: Ensure that any sensitive files (like certificates or private keys) are encrypted when stored in Azure DevOps, and only decrypt them during the pipeline execution in a secure manner.

4. Monitor with Audit Logs: Keep track of who accesses Secure Files and when, using Azure DevOps audit logs for compliance and security.

5. Delete After Use: If possible, delete Secure Files after they are no longer needed to prevent unauthorized access in the future.

6. Avoid Storing in Source Control: Never store sensitive files (such as private keys, certificates, or passwords) in your source code repositories. Use Secure Files instead.

Summary

Azure DevOps Secure Files provide a secure, centralized way to manage sensitive files used during CI/CD pipeline execution. By leveraging this feature, teams can ensure that files such as certificates, keys, and secrets are securely managed, reducing the risk of exposure and improving the security posture of the DevOps pipeline.