Azure Key Vault
Updated: Mar 15
About Alif : Alif empowers Microsoft MSP-CSP partners to provide exceptional IT services to their clients to ensure that the partners reduce their costs and focus on their business. We provide white-labelled managed services for technologies like Microsoft Azure, Microsoft 365, Microsoft Dynamics 365, Microsoft Security, SharePoint, Power Platform, SQL, Azure DevOps and a lot more. Our headquarter is in Pune, India whereas we work with over 50 partners across the globe that trust us with their client delivery.
Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys.
Azure Key Vault enables Azure subscribers to safeguard and control cryptographic keys and other secrets used by cloud apps and services. Azure Key Vault provides two types of containers:
Vaults for storing and managing cryptographic keys, secrets, certificates, and storage account keys.
Managed HSM pool for storing and managing HSM-backed cryptographic key.
Azure Key Vault helps solve the following problems:
Secrets Management - Azure Key Vault can be used to Securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets
Key Management - Azure Key Vault can be used as a Key Management solution. Azure Key Vault makes it easy to create and control the encryption keys used to encrypt your data.
Certificate Management - Azure Key Vault lets you easily provision, manage, and deploy public and private Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates for use with Azure and your internal connected resources.
Key Vault features –
Increase security and control over keys and passwords
Create and import encryption keys in minutes
Applications have no direct access to keys
Use FIPS 140-2 Level 2 and Level 3 validated HSMs
Reduce latency with cloud scale and global redundancy
Simplify and automate tasks for SSL/TLS certificates
Key Vault Functions –
Key Management Service – Create and control encryption keys that encrypt your data.
Secrets Management Service - Securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
Certification Management - Provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources.
Service with FIPS 140-2 validated HSMs - Use either software or FIPS 140-2 Level 2 validated HSMs to help protect secrets and keys.
Key Vault Authentication
To do any operations with Key Vault, you first need to authenticate to it. There are three ways to authenticate to Key Vault:
Managed identities for Azure resources: When you deploy an app on a virtual machine in Azure, you can assign an identity to your virtual machine that has access to Key Vault. You can also assign identities to other Azure resources. The benefit of this approach is that the app or service isn't managing the rotation of the first secret. Azure automatically rotates the identity. We recommend this approach as a best practice.
Service principal and certificate: You can use a service principal and an associated certificate that has access to Key Vault. We don't recommend this approach because the application owner or developer must rotate the certificate.
Service principal and secret: Although you can use a service principal and a secret to authenticate to Key Vault, we don't recommend it. It's hard to automatically rotate the bootstrap secret that's used to authenticate to Key Vault.
Key Vault Network Security –
You can reduce the exposure of your vaults by specifying which IP addresses have access to them. The virtual network service endpoints for Azure Key Vault allow you to restrict access to a specified virtual network
Azure Private Link Service enables you to access Azure Key Vault and Azure hosted customer/partner services over a Private Endpoint in your virtual network.
Key Vault Monitoring –
An interesting feature with Azure Key Vault is to build alert on specific patterns.
We can configure alerts via:
Built-in alerts blade
Azure Log Analytics
Key vault backup and Recovery -
Azure Key Vault soft-delete and purge protection allows you to recover deleted vaults and vault objects. Its allow us to backup and restore the key, certificate and password in same key vault.