Azure Key Vault Concepts

Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys.

Key Vault allows you to centralize your secrets management, separate secrets from your code, and implement granular access policies.

Key Vault Objects

Key Vault stores secrets in the form of objects. There are three types of objects supported by Key Vault:

1. Secrets

A secret is a value that can be represented as a string, such as an API key, a connection string, a password, or a certificate.

Secrets are stored as key-value pairs. The value can be up to 4 KB in size.

Example of a secret value:

{"connectionString": "Server=tcp:myserver.database.windows.net,1433;Database=mysqldatabase;User ID=mylogin@myserver;Password=myPassword;Trusted_Connection=False;Encrypt=True;Connection Timeout=30;"}

2. Keys

A cryptographic key is a key used for encryption and decryption operations. Key Vault supports two types of keys:

  • Software-backed keys: Keys are generated and stored in software.
  • Hardware Security Module (HSM)-backed keys: Keys are generated and stored in a FIPS 140-2 Level 2 validated HSM.

Key Vault supports two key types:

  • RSA keys: Used for encryption, decryption, signing, and verification.
  • Elliptic Curve Cryptography (ECC) keys: Offer equivalent security with smaller key sizes.

3. Certificates

An Azure Key Vault certificate is a collection of identity and security credentials that can be used by an application or service to authenticate itself to other services or to encrypt and sign data.

Certificates in Key Vault are essentially a managed secret that contains a private key and a public certificate. Key Vault can manage the lifecycle of the certificate, including renewal.

Key Vault uses JSON Web Key (JWK) to represent cryptographic keys.

Key Vault Operations

Key Vault provides the following core operations:

  • Key Management: Create, import, and manage cryptographic keys.
  • Secret Management: Create, import, and manage secrets like passwords and connection strings.
  • Certificate Management: Create, import, and manage TLS/SSL certificates.
  • Access Policies: Define granular permissions for identities to access Key Vault objects.
  • Key Vault Logs: Audit logs for all operations performed on Key Vault.

Key Vault Security Model

Key Vault employs a robust security model to protect your sensitive information:

  • RBAC (Role-Based Access Control) and Access Policies: Control who can perform what actions on Key Vault resources.
  • HSM Backing: For enhanced security, keys can be protected by FIPS 140-2 Level 2 validated Hardware Security Modules (HSMs).
  • Auditing: Comprehensive logging of all Key Vault operations for security monitoring and compliance.
  • Data Encryption: Data stored in Key Vault is encrypted at rest.

Use Cases

Azure Key Vault is ideal for scenarios such as:

  • Storing and managing secrets for cloud applications.
  • Managing TLS/SSL certificates for web services.
  • Protecting cryptographic keys used for data encryption.
  • Securing API keys and service principal credentials.
Consider using Key Vault to abstract secrets away from your application code for improved security and manageability.