Azure Key Vault

A cloud service for securely managing keys, secrets, and certificates.

Tags: Azure, Proprietary, Cloud Service Only
Category: Secrets Management
Last page update: 18 days ago
Pricing Details: Pricing varies based on usage and selected tier (Standard or Premium).
Target Audience: Developers and IT professionals looking for secure key management solutions in Azure.

Azure Key Vault provides secure storage of, and controlled access to, sensitive data such as keys, secrets, and certificates in cloud environments. The service is built on a technical architecture with two primary container types: key vaults and managed hardware security module (HSM) pools.

Key vaults support the storage of software-protected and HSM-backed keys, secrets, and certificates. Managed HSM pools, by contrast, hold only HSM-backed keys, ensuring that this key material never leaves the HSM boundary.

Authentication and authorization are crucial components of Key Vault's architecture. Users and applications must authenticate using Microsoft Entra ID, and authorization can be managed through either Azure role-based access control (Azure RBAC) or Key Vault access policies. Azure RBAC provides fine-grained control over data plane operations, allowing administrators to assign roles such as Key Vault Administrator, Key Vault Secrets User, and Key Vault Certificates Officer.

Operationally, Key Vault ensures high availability through automatic replication of vault contents within and across regions. It also simplifies administration by automating tasks like certificate enrollment and renewal, and integrating with other Azure services such as Azure Disk Encryption, SQL Server, and Azure App Service.

Key considerations include the distinction between the Standard and Premium tiers, with the latter offering HSM-protected keys for enhanced security. Additionally, logging and monitoring are essential, with options to archive logs to storage accounts, stream to event hubs, or send logs to Azure Monitor logs. This ensures that access and usage can be closely monitored and secured.

From a technical standpoint, objects in Key Vault are versioned, so a client can retrieve either a specific version or the latest version of an object. The service supports multiple key types and algorithms, and it uses industry-standard cryptographic modules and HSMs validated against Federal Information Processing Standard (FIPS) 140.
