- Secret Management
The Azure Key Vault service can be used to securely store and control access to secrets, such as authentication keys, storage account keys, passwords, tokens, API keys, .pfx files, and other secrets.
- Key Management
The Azure Key Vault service can be used to manage the encryption keys for data encryption.
- Certificate Management
The Azure Key Vault service enables you to provision, manage, and deploy SSL/TLS certificates seamlessly for use with Azure integrated services.
- Standard Tier
Uses software vaults for storing and managing cryptographic keys, secrets, certificates and storage account keys. Vaults are FIPS 140-2 Level 2 compliant.
- Premium Tier
Uses a Managed HSM pool for storing and managing HSM-backed cryptographic keys. Managed HSM pools are FIPS 140-2 Level 3 compliant.
Terminology used in Azure Key Vault:
Ways to access Keys and Secrets in a Key Vault:
- To access keys or secrets, a user or application must present a valid Azure Active Directory token representing a security principal that holds the appropriate permissions on the target Key Vault.
Users and applications can use the REST-based APIs or Windows PowerShell to retrieve secrets and keys (public keys only) from the Key Vault.
Steps to authenticate an application with the Key Vault:
- The application that needs access is registered with Azure Active Directory as a Service Principal.
- The Key Vault owner/administrator then creates a Key Vault and attaches ACLs (Access Control Lists) to the vault so that the application can access it.
- The application initiates the connection and authenticates against Azure Active Directory to obtain a token.
- The application then presents this token to the Key Vault to request access.
- The vault validates the token and, if verification succeeds, grants the application access.
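The token and vault steps above, as an added example that is not part of the original page: a client-credentials token request to Azure Active Directory scoped to the Key Vault audience, a bearer-authenticated GET for one secret over the Key Vault REST API, and parsing of the response. The registration and ACL steps are administrative and assumed done beforehand; tenant, application, vault and secret names are placeholders, and the sample response is constructed.

```python
"""Added example: the client-credentials flow against Azure Key Vault over REST."""
import json
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
# The scope pins the token's audience to Key Vault, so a token issued for
# some other API cannot be replayed against the vault.
KEY_VAULT_SCOPE = "https://vault.azure.net/.default"
API_VERSION = "7.4"

# Constructed sample of a Key Vault GET-secret response (not captured from a real vault).
SAMPLE_SECRET_RESPONSE = json.dumps({
    "value": "constructed-sample-password",
    "id": "https://contoso-kv.vault.azure.net/secrets/db-password/VERSION-PLACEHOLDER",
    "attributes": {"enabled": True},
}).encode()

def build_token_request(tenant_id, client_id, client_secret):
    """Third step: the registered service principal asks Azure AD for a token."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": KEY_VAULT_SCOPE,
    }).encode()
    return urllib.request.Request(
        f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def build_secret_request(vault_name, secret_name, access_token):
    """Fourth step: present the bearer token to the vault URI that names one secret."""
    url = (f"https://{vault_name}.vault.azure.net/secrets/"
           f"{urllib.parse.quote(secret_name)}?api-version={API_VERSION}")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})

def parse_secret_response(raw):
    """Fifth step result: keep the value plus the identifier an audit log would carry."""
    doc = json.loads(raw)
    enabled = doc.get("attributes", {}).get("enabled", True)
    return {"value": doc["value"], "id": doc["id"], "enabled": enabled}

def fetch_secret(tenant_id, client_id, client_secret, vault_name, secret_name):
    """Runs the whole exchange; needs network access and a real tenant, app and vault."""
    with urllib.request.urlopen(build_token_request(tenant_id, client_id, client_secret)) as resp:
        token = json.load(resp)["access_token"]
    with urllib.request.urlopen(build_secret_request(vault_name, secret_name, token)) as resp:
        return parse_secret_response(resp.read())
```

The request builders and the parser run offline; only `fetch_secret` contacts Azure, and it returns the secret value rather than printing it so that callers decide what reaches their logs.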
Benefits of using Azure Key Vault:
- Because the keys saved in the vault are served via URIs, applications reference them instead of copying them, which avoids the risk of accidental exposure or storage of keys in non-secure locations.
- By design, even the vendor (Microsoft) cannot extract or see customer keys, so the keys are protected at the vendor level too.
- If your organization needs security compliance while requiring a key vault, Azure Key Vault is a good option: the service is FIPS 140-2 Level 2 (vaults) / FIPS 140-2 Level 3 (Managed HSM pools) compliant.
- Key usage details are logged, so the log data can be used for audit purposes if a key is compromised.