Azure Key Vault

Azure Key Vault is a cloud-based service for securely storing and managing cryptographic keys, secrets, and certificates, enabling developers to protect sensitive data and ensure controlled access to their applications and services.

Azure Key Vault is a managed service provided by Microsoft Azure that helps organizations securely store and manage sensitive information, such as cryptographic keys, secrets, and certificates. It protects sensitive data and enhances access control in cloud-based applications and services.

Key features of Azure Key Vault include:

  • Centralized storage: It provides a centralized and secure location to store secrets, cryptographic keys, and certificates, making it easier to manage and maintain them throughout their lifecycle.
  • Access control: Azure Key Vault integrates with Azure Active Directory (AD). This allows organizations to define granular access policies for individual users or applications, ensuring only authorized entities can access the stored data.
  • Secure communication: Data stored in the Key Vault is encrypted using industry-standard algorithms, and communication between the Key Vault and client applications is secured using Transport Layer Security (TLS).
  • Auditing and monitoring: Azure Key Vault provides logging and monitoring capabilities, allowing organizations to track access and usage patterns, detect anomalies, and comply with regulatory requirements.
  • Integration with other Azure services: Key Vault can be easily integrated with various Azure services, such as Azure Functions, App Service, and Azure DevOps, enabling developers to store and retrieve secrets without hardcoding them in their applications.

Enabled for deployment (VM)

This applies to VM access

When deploying Azure Virtual Machines, you can use the Key Vault to store and manage secrets, such as passwords and certificates, required during the VM deployment process. You would configure access policies within the Key Vault to grant the necessary permissions to the managed identities or service principals associated with the VM deployment.

Enabled for template deployment (IaC)

This applies to IaC tools such as ARM, Terraform, or Bicep.

This setting allows IaC tools like ARM templates, Bicep, and Terraform to access and use secrets stored within the Key Vault during deployment processes. By enabling the Key Vault for template deployment, you can securely access secrets without having to hardcode them in the templates or store them in less secure locations.

To enable access to Key Vault secrets during deployment, you need to grant specific permissions to the managed identity associated with the deployment process. This can be done by adding an access policy to the Key Vault, specifying the managed identity, and granting the necessary permissions, such as “get” and “list” for secrets.

By enabling Key Vault for deployment, you can enhance the security of your infrastructure deployment process and ensure that sensitive data is protected and accessed only by authorized entities.

Enabled for disk encryption

A setting that allows the Key Vault to store and manage encryption keys used for Azure Disk Encryption (ADE).

Azure Disk Encryption is a feature that helps protect and safeguard your data by encrypting virtual machine (VM) disks, including the operating system disk and any data disks.

To enable this feature, you must grant specific permissions to the Azure Disk Encryption Service Principal, a managed identity associated with the disk encryption process. You can do this by adding an access policy to the Key Vault, specifying the Azure Disk Encryption Service Principal, and granting the necessary permissions, such as “get,” “wrapKey,” and “unwrapKey” for keys.

Enabling a Key Vault for disk encryption ensures that the encryption keys are securely stored and managed, and only authorized services, like the Azure Disk Encryption service, can access and use these keys. This adds an extra layer of security to your VM disks, helping you protect sensitive data and meet compliance requirements.
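The three deployment switches and the two access policies described in the sections above, written as a Bicep template. This is an added example, not code from the original page; the vault name and the two object IDs are placeholders, and `deployIdentityObjectId` / `adeServicePrincipalObjectId` are assumed parameter names.

```bicep
// Added example, not the page's own code. All parameter values are placeholders.
param location string = resourceGroup().location
param vaultName string = 'kv-example-placeholder'
// Object ID of the managed identity or service principal that runs the
// VM / template deployment (placeholder; supply your principal's object ID)
param deployIdentityObjectId string
// Object ID of the Azure Disk Encryption service principal in your tenant
// (placeholder; this differs per tenant)
param adeServicePrincipalObjectId string

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    // Access-policy authorization model; RBAC stays off
    enableRbacAuthorization: false
    // The three deployment switches described above
    enabledForDeployment: true
    enabledForTemplateDeployment: true
    enabledForDiskEncryption: true
    accessPolicies: [
      {
        // Deployment identity: read secrets and nothing else
        tenantId: subscription().tenantId
        objectId: deployIdentityObjectId
        permissions: {
          secrets: ['get', 'list']
        }
      }
      {
        // Azure Disk Encryption: read and wrap/unwrap keys, no key management
        tenantId: subscription().tenantId
        objectId: adeServicePrincipalObjectId
        permissions: {
          keys: ['get', 'wrapKey', 'unwrapKey']
        }
      }
    ]
  }
}
```

With `enabledForTemplateDeployment` set, another Bicep file can pass a vault secret into a module's `@secure()` parameter with `kv.getSecret('secret-name')`, so the value never appears in the template itself.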

Authorization - access policy or RBAC

Azure Key Vault has two methods for managing access and authorization: Access Policies and Role-Based Access Control (RBAC). The two serve different purposes and use cases. Access policies are the default, and enabling RBAC disables access policies.

Access Policies:

Scope: apply specifically to the data plane of Azure Key Vault, controlling access to keys, secrets, and certificates stored within the vault.

Permissions: allow fine-grained permissions for individual keys, secrets, and certificates, such as get, list, set, and delete.

Limitations: limit of 1,000 policy entries per Key Vault. Additionally, they don’t support Azure AD groups or conditional access policies.

Role-Based Access Control (RBAC):

Scope: manage access for the management plane (vault management) and the data plane (keys, secrets, and certificates) of Azure Key Vault.

Permissions: built-in roles, such as Key Vault Administrator, Key Vault Reader, and other specific roles for keys, secrets, and certificates. Custom roles can also be created.

Flexibility: supports Azure AD groups, managed identities, and conditional access policies, offering more flexibility in access management.

Why choose one over the other?

Access Policies are best suited for scenarios where you need fine-grained control over individual keys, secrets, or certificates within the Key Vault. Access policies provide more granular permissions for specific operations on each type of Key Vault object.

RBAC is the recommended method for managing access to Azure Key Vault, as it offers greater flexibility and alignment with other Azure services. RBAC supports Azure AD groups, managed identities, and conditional access policies. Additionally, RBAC can be used for both the management and data planes, simplifying access management across your Azure resources.

Consider using RBAC for access management in Azure Key Vault, as it is more versatile and in line with best practices for Azure resource access management. However, access policies may be more appropriate if your use case requires fine-grained control over individual keys, secrets, or certificates.

Data recovery

Azure Key Vault provides various data recovery options to help protect your keys, secrets, and certificates from accidental deletion or unwanted modification. Here are the primary data recovery options available:

Soft-delete: when enabled, retains deleted keys, secrets, and certificates for a specified retention period (by default, 90 days). During this period, you can recover the deleted objects; after the retention period, the objects are permanently deleted. This feature is enabled by default, and the ability to disable it has been deprecated.

Purge protection: prevents permanently deleting keys, secrets, and certificates from a Key Vault until the purge protection period has passed. This feature is typically used in combination with soft delete. When purge protection is enabled, even users with purge permissions cannot permanently delete objects before the end of the retention period. To enable purge protection, set the enablePurgeProtection property to true when creating or updating the Key Vault.

Backup and restore: Azure Key Vault allows you to create backups of keys, secrets, and certificates. You can store these backups as encrypted files in a secure location, such as Azure Blob Storage. In case of accidental deletion or unwanted modification, you can restore the backed-up objects to the same Key Vault or a different one. Backup and restore operations can be performed using Azure PowerShell, Azure CLI, or Key Vault SDKs.

Versioning: Azure Key Vault automatically maintains versions of keys, secrets, and certificates. When you update a key, secret, or certificate, a new version is created, and the previous version is retained. If an unwanted modification occurs, you can revert to a previous version. Each version has a unique identifier, allowing you to reference and manage specific versions of your keys, secrets, and certificates.
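The RBAC model from the authorization section combined with the soft-delete and purge protection settings from this section, as a Bicep template. This is an added example, not code from the original page; the vault name and `appIdentityPrincipalId` are placeholders, and the role GUID is the built-in Key Vault Secrets User role.

```bicep
// Added example, not the page's own code. Names and identity IDs are placeholders.
param location string = resourceGroup().location
param vaultName string = 'kv-example-placeholder'
// Principal ID of the workload's managed identity (placeholder)
param appIdentityPrincipalId string

// Built-in role "Key Vault Secrets User": read secret contents, data plane only
var keyVaultSecretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'standard'
    }
    // RBAC replaces access policies, so no accessPolicies block is declared
    enableRbacAuthorization: true
    // Data recovery: retain deleted objects for 90 days and block early purge.
    // Once enablePurgeProtection is true it cannot be turned back off.
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    enablePurgeProtection: true
  }
}

// Assignment scoped to the vault itself, not the whole resource group
resource secretsUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // Deterministic name so redeployments are idempotent
  name: guid(kv.id, appIdentityPrincipalId, keyVaultSecretsUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', keyVaultSecretsUserRoleId)
    principalId: appIdentityPrincipalId
    principalType: 'ServicePrincipal'
  }
}
```

Because the assignment is scoped to the vault and uses a secrets-only role, the identity can read secrets but cannot list keys, manage certificates, or change vault settings.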

Pricing

Azure Key Vault pricing is based on two main factors: the number of operations performed and the type of key used (software-protected or hardware security module (HSM)-protected keys).

Transactions: Azure Key Vault charges you for the number of operations performed, such as creating, retrieving, or updating keys, secrets, and certificates. Operations are billed in predefined units, with a specific price per 10,000 transactions.

Key storage and usage: The type of key you use (software-protected or HSM-protected) also affects the pricing. Software-protected keys are more cost-effective, while HSM-protected keys provide a higher level of security and are billed at a higher rate. The charges for HSM-protected keys include a fixed monthly fee per key and a separate fee per 10,000 operations.

Additionally, Azure Key Vault offers a premium tier called “Managed HSM,” which provides dedicated, single-tenant hardware security modules designed for highly regulated industries and applications with stringent security requirements. The pricing for Managed HSM is based on a fixed monthly fee, along with charges for operations.

References

Key Vault pricing

Last modified July 21, 2024: update (e2ae86c)