Azure Key Vault

Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to control access to tightly, such as API keys, passwords, certificates, or cryptographic keys.

Azure Key Vault enables Azure subscribers to safeguard and control cryptographic keys and other secrets used by cloud apps and services. Azure Key Vault provides two types of containers:

• Vaults for storing and managing cryptographic keys, secrets, certificates, and storage account keys.

• Managed HSM pool for storing and managing HSM-backed cryptographic keys.

Azure Key Vault helps solve the following problems:

Secrets Management

• Azure Key Vault can be used to Securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets

Key Management

• Azure Key Vault can be used as a Key Management solution. Azure Key Vault makes it easy to create and control the encryption keys used to encrypt your data.

Certificate Management

• Azure Key Vault lets you easily provision, manage, and deploy public and private Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates for use with Azure and your internal connected resources.

Key Vault features

• Increase security and control over keys and passwords

• Create and import encryption keys in minutes

• Applications have no direct access to keys

• Use FIPS 140-2 Level 2 and Level 3 validated HSMs

• Reduce latency with cloud scale and global redundancy

• Simplify and automate tasks for SSL/TLS certificates

Key Vault Functions

Key Management Service

Create and control encryption keys that encrypt your data.

Secrets Management Service

Securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.

Certification Management

Provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources.

Service with FIPS 140-2 validated HSMs

Use either software or FIPS 140-2 Level 2 validated HSMs to help protect secrets and keys.

Key Vault Authentication

To do any operations with Key Vault, you first need to authenticate to it. There are three ways to authenticate to Key Vault:

• Managed identities for Azure resources: When you deploy an app on a virtual machine in Azure, you can assign an identity to your virtual machine that has access to Key Vault. You can also assign identities to other Azure resources. The benefit of this approach is that the app or service isn't managing the rotation of the first secret. Azure automatically rotates the identity. We recommend this approach as a best practice.

• Service principal and certificate: You can use a service principal and an associated certificate that has access to Key Vault. We don't recommend this approach because the application owner or developer must rotate the certificate.

• Service principal and secret: Although you can use a service principal and a secret to authenticate to Key Vault, we don't recommend it. It's hard to automatically rotate the bootstrap secret that's used to authenticate to Key Vault.

Key Vault Network Security

• You can reduce the exposure of your vaults by specifying which IP addresses have access to them. The virtual network service endpoints for Azure Key Vault allow you to restrict access to a specified virtual network

• Azure Private Link Service enables you to access Azure Key Vault and Azure-hosted customer/partner services over a Private Endpoint in your virtual network.

Key Vault Monitoring

An interesting feature with Azure Key Vault is to build alerts on specific patterns.

We can configure alerts via the following:

• Built-in alerts blade

• Azure Log Analytics

Key vault backup and Recovery

Azure Key Vault soft-delete and purge protection allows you to recover deleted vaults and vault objects. It allows us to back up and restore the key, certificate, and password to the same key vault.