What Is Key Vault
What Is Key Vault
What Is Key Vault
com/en-us/azure/key-vault/general/overview
Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you
want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys. Vaults
support storing software and HSM-backed keys, secrets, and certificates.
1. Secrets Management - Azure Key Vault can be used to Securely store and tightly control access
to tokens, passwords, certificates, API keys, and other secrets
2. Key Management - Azure Key Vault can also be used as a Key Management solution. Azure Key
Vault makes it easy to create and control the encryption keys used to encrypt your data.
3. Certificate Management - Azure Key Vault is also a service that lets you easily enroll, manage,
and deploy public and private Transport Layer Security/Secure Sockets Layer (TLS/SSL)
certificates for use with Azure and your internal connected resources.
Centralizing storage of application secrets in Azure Key Vault allows you to control their distribution. Key
Vault greatly reduces the chances that secrets may be accidentally leaked. When using Key Vault,
application developers no longer need to store security information in their application.
For example, an application may need to connect to a database. Instead of storing the connection string
in the app's code, you can store it securely in Key Vault.
Your applications can securely access the information they need by using URIs. These URIs allow the
applications to retrieve specific versions of a secret. There is no need to write custom code to protect
any of the secret information stored in Key Vault.
Access to a key vault requires proper authentication and authorization before a caller (user or
application) can get access. Authentication establishes the identity of the caller, while authorization
determines the operations that they are allowed to perform.
Authentication is done via Azure Active Directory. Authorization may be done via Azure role-based
access control (Azure RBAC) or Key Vault access policy. Azure RBAC is used when dealing with the
management of the vaults and key vault access policy is used when attempting to access data stored in a
vault.
How to monitor access and use of the secrets?
Once you have created a couple of Key Vaults, you will want to monitor how and when your keys and
secrets are being accessed. You can monitor activity by enabling logging for your vaults. You can
configure Azure Key Vault to:
As a secure store in Azure, Key Vault has been used to simplify scenarios like:
Note: - Key Vault itself can integrate with storage accounts, event hubs, and log analytics.
Azure Key Vault is a tool for securely storing and accessing secret by ADE (Azure Disk Encryption).
A secret is anything that such as API keys, passwords, or certificates. This provides highly available and
scalable secure storage, as defined in Federal Information Processing Standards (FIPS) 140-2 Level 2
validated Hardware Security Modules (HSMs). Using Key Vault.
You keep full control of the keys used to encrypt your data, and you can manage and audit your key
usage.
Note: - Azure Disk Encryption requires that your key vault and your VMs are in the same Azure region;
this ensures that encryption secrets do not cross regional boundaries.
A Key Vault access policy determines whether a given service principal (an application or user group) can
perform different operations on Key Vault secrets (keys, and certificates).
Key vault supports up to 1024 access policy entries, with each entry granting a distinct set of
permissions to a particular security principal.
Azure needs access to the encryption keys or secrets in your key vault to make them available to the VM
for booting and decrypting the volumes.