As an application developer, I have had a number of situations where HMAC signing has been a key part of application security, such as:
- Signing “local” session tokens (JWT, cookies, etc.)
- Third-party integrations (API authentication)
- Integrity of data at rest
In many of these scenarios, ECC signing is either too heavy or not possible due to third-party dependencies. For scenarios where the same Key Vault can do the signing and verification, it would be ideal for us to be able to either generate or import a symmetric key in Key Vault for use with HMAC.
This would allow us to ensure the key is protected since it is unable to be exported. All signing and verification of HMAC signatures would then be performed through Key Vault itself, and audited through Azure Storage or Azure Monitor as per normal.