Welcome to WuJiGu Developer Q&A Community for programmer and developer-Open, Learning and Share


0 votes
123 views
in Technique[技术] by (71.8m points)

azure - Store secrets in DeviceTwin

A bit of a conceptual question. We are looking at implementing device twins in our IoT Hub solution. It's clear to us that we can store tags and metadata in the device twin configuration, but then we started discussing storing secrets in the device twin configuration.

I am a bit hesitant to start storing credentials / secrets in it. Is this a wrong assumption, and am I worrying too much?



1 Answer

0 votes
by (71.8m points)

A couple of thoughts on this:

  • The device twin (or, more generally, the device registry) is not specially encrypted like an Azure Key Vault, and you also cannot encrypt it using BYOK as you might be able to in other services. We can assume that under the hood it is stored at rest in some encrypted fashion using Microsoft-managed keys, but if that's not good enough for your use case / security requirement, then you are out.
  • Access to the device twin is obviously available to the device itself (where I guess you want to read the secret), but also to everybody who has read access to the device registry in IoT Hub. That could potentially be quite a lot of people in your org who do have a need to access the registry, even though they might not have a need to read the secret. But you could not distinguish their permissions. So if you have more people who need access to the registry than people who should have access to the secret, again it's a no.
  • Any access from the device to the IoT Hub to read the twin is always SSL encrypted. So from that point of view it should be OK.
  • The devices might not assume that their twin is something very sensitive and might not handle it appropriately. So you need to make sure that they do, and are not, for example, storing their device twin in plain text on their local disk.

If you understand all those points for your scenario, and you are aware of any security implications, then I would say you can store sensitive values in the twin. (That is of course assuming that we are not talking about the master keys to your company etc...)


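Added example, not from the answer above and not part of any Azure SDK: a small Python audit that walks a twin document's tags and desired/reported properties, flags keys that look like credentials (the second point, about who can read them), and returns a redacted copy a device can safely cache on local disk (the fourth point). The twin shape follows the IoT Hub twin JSON document; the key-name pattern, the function names and the sample values are assumptions.

```python
import json
import re
from typing import Any, Dict, List, Tuple

# Key names that commonly carry credentials in a twin's tags or properties (assumed list).
SECRET_KEY_RE = re.compile(
    r"(password|passwd|secret|token|apikey|api_key|connectionstring|sas|privatekey|credential)",
    re.IGNORECASE,
)
# Twin system properties that never hold user data and are copied through untouched.
SYSTEM_KEYS = {"$metadata", "$version"}


def _walk(node: Any, path: str, hits: List[str]) -> Any:
    """Return a copy of node with secret-like leaves replaced; record their paths in hits."""
    if isinstance(node, dict):
        out: Dict[str, Any] = {}
        for key, value in node.items():
            if key in SYSTEM_KEYS:
                out[key] = value
                continue
            child_path = f"{path}.{key}" if path else key
            if SECRET_KEY_RE.search(key) and not isinstance(value, (dict, list)):
                hits.append(child_path)          # flag the leaf, keep the key for diffing
                out[key] = "<REDACTED>"
            else:
                out[key] = _walk(value, child_path, hits)
        return out
    if isinstance(node, list):
        return [_walk(item, f"{path}[{i}]", hits) for i, item in enumerate(node)]
    return node


def audit_twin(twin: Dict[str, Any]) -> Tuple[List[str], Dict[str, Any]]:
    """Scan tags and desired/reported properties for secret-like keys.
    Returns (dotted paths of flagged leaves, redacted copy that is safe to persist)."""
    hits: List[str] = []
    return hits, _walk(twin, "", hits)


# Constructed sample twin (fictional device and values), shaped like an IoT Hub twin.
SAMPLE_TWIN = {
    "deviceId": "sensor-01",
    "etag": "AAAAAAAAAAE=",
    "tags": {"site": "plant-a", "backendApiKey": "example-key-123"},
    "properties": {
        "desired": {"telemetryInterval": 60,
                    "mqttBroker": {"host": "broker.example", "password": "example-pass"},
                    "$metadata": {"$lastUpdated": "2020-01-01T00:00:00Z"}, "$version": 4},
        "reported": {"firmware": "1.2.3", "$version": 2},
    },
}

if __name__ == "__main__":
    found, safe_copy = audit_twin(SAMPLE_TWIN)
    print("secret-like fields:", found)
    print(json.dumps(safe_copy, indent=2))
```

Run the audit on the twin fetched from the hub before writing any local cache; a non-empty `found` list is the signal that registry readers can see the same values.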