Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to control access to tightly, such as API keys, passwords, certificates, or cryptographic keys.
Azure Key Vault enables Azure subscribers to safeguard and control cryptographic keys and other secrets used by cloud apps and services. Azure Key Vault provides two types of containers:
Vaults for storing and managing cryptographic keys, secrets, certificates, and storage account keys.
Managed HSM pool for storing and managing HSM-backed cryptographic keys.
Azure Key Vault helps solve the following problems:
Secrets Management
Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
Key Management
Azure Key Vault can be used as a Key Management solution. Azure Key Vault makes it easy to create and control the encryption keys used to encrypt your data.
Certificate Management
Azure Key Vault lets you easily provision, manage, and deploy public and private Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates for use with Azure and your internal connected resources.
Key Vault Features
Increase security and control over keys and passwords
Create and import encryption keys in minutes
Applications have no direct access to keys
Use FIPS 140-2 Level 2 and Level 3 validated HSMs
Reduce latency with cloud scale and global redundancy
Simplify and automate tasks for SSL/TLS certificates
Key Vault Functions
Key Management Service
Create and control encryption keys that encrypt your data.
Secrets Management Service
Securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
Certificate Management
Provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources.
Service with FIPS 140-2 validated HSMs
Use either software or FIPS 140-2 Level 2 validated HSMs to help protect secrets and keys.
Key Vault Authentication
To do any operations with Key Vault, you first need to authenticate to it. There are three ways to authenticate to Key Vault:
Managed identities for Azure resources: When you deploy an app on a virtual machine in Azure, you can assign an identity to your virtual machine that has access to Key Vault. You can also assign identities to other Azure resources. The benefit of this approach is that the app or service isn't managing the rotation of the first secret. Azure automatically rotates the identity. We recommend this approach as a best practice.
Service principal and certificate: You can use a service principal and an associated certificate that has access to Key Vault. We don't recommend this approach because the application owner or developer must rotate the certificate.
Service principal and secret: Although you can use a service principal and a secret to authenticate to Key Vault, we don't recommend it. It's hard to automatically rotate the bootstrap secret that's used to authenticate to Key Vault.
Key Vault Network Security
You can reduce the exposure of your vaults by specifying which IP addresses have access to them. Virtual network service endpoints for Azure Key Vault allow you to restrict access to a specified virtual network.
Azure Private Link Service enables you to access Azure Key Vault and Azure-hosted customer/partner services over a Private Endpoint in your virtual network.
Key Vault Monitoring
A useful feature of Azure Key Vault is the ability to build alerts on specific access patterns, such as repeated denied requests or operations from unexpected locations.
We can configure alerts via the following:
Built-in alerts blade
Azure Log Analytics
Key Vault Backup and Recovery
Azure Key Vault soft-delete and purge protection allow you to recover deleted vaults and vault objects. Key Vault also lets you back up and restore individual keys, certificates, and secrets (such as passwords) to the same key vault.
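As an added example (not code from the original page or from Microsoft), the following alert rules run over constructed records shaped like Key Vault AuditEvent diagnostic logs, covering the monitoring and recovery points above: a purge operation (which is irreversible even with soft-delete enabled), a successful secret read from outside an assumed allowed network range, and a burst of Forbidden results from one caller. The field names follow the AuditEvent schema; the IP range, thresholds, vault name and identities are assumptions.

```python
# Added example: alert rules over Azure Key Vault AuditEvent-shaped records.
# Sample records are constructed; allow-list and thresholds are assumptions.
import ipaddress
from collections import Counter

ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed VNet range
FORBIDDEN_THRESHOLD = 3                                   # assumed per-caller limit
PURGE_OPS = {"SecretPurge", "KeyPurge", "CertificatePurge", "VaultPurge"}

SAMPLE_RECORDS = [  # constructed log records, not real vault traffic
    {"time": "2024-05-01T09:00:00Z", "operationName": "SecretGet", "resultType": "Success",
     "callerIpAddress": "10.1.2.3", "identity": {"claim": {"upn": "app-mi"}},
     "properties": {"id": "https://example-kv.vault.azure.net/secrets/db-password"}},
    {"time": "2024-05-01T09:01:00Z", "operationName": "SecretGet", "resultType": "Success",
     "callerIpAddress": "203.0.113.7", "identity": {"claim": {"upn": "alice@example.com"}},
     "properties": {"id": "https://example-kv.vault.azure.net/secrets/db-password"}},
] + [
    {"time": f"2024-05-01T09:0{i}:30Z", "operationName": "SecretGet", "resultType": "Forbidden",
     "callerIpAddress": "10.9.9.9", "identity": {"claim": {"upn": "svc-probe"}},
     "properties": {"id": f"https://example-kv.vault.azure.net/secrets/s{i}"}}
    for i in range(4)
] + [
    {"time": "2024-05-01T09:10:00Z", "operationName": "SecretPurge", "resultType": "Success",
     "callerIpAddress": "10.1.2.3", "identity": {"claim": {"upn": "bob@example.com"}},
     "properties": {"id": "https://example-kv.vault.azure.net/secrets/old-token"}},
]

def caller(rec):
    return rec.get("identity", {}).get("claim", {}).get("upn", "unknown")

def evaluate(records):
    """Return (rule, caller, detail) alerts for a list of AuditEvent records."""
    alerts, forbidden = [], Counter()
    for rec in records:
        ip, who = ipaddress.ip_address(rec["callerIpAddress"]), caller(rec)
        # Rule 1: a purge cannot be undone by soft-delete, so every purge is alert-worthy.
        if rec["operationName"] in PURGE_OPS:
            alerts.append(("purge", who, rec["properties"]["id"]))
        # Rule 2: successful secret read from outside the expected network range.
        if (rec["operationName"] == "SecretGet" and rec["resultType"] == "Success"
                and not any(ip in net for net in ALLOWED_NETWORKS)):
            alerts.append(("offnet-secret-read", who, str(ip)))
        # Rule 3: repeated Forbidden results from one caller (misconfiguration or probing).
        if rec["resultType"] == "Forbidden":
            forbidden[who] += 1
            if forbidden[who] == FORBIDDEN_THRESHOLD:
                alerts.append(("forbidden-burst", who, f">= {FORBIDDEN_THRESHOLD} denied calls"))
    return alerts

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_RECORDS):
        print(alert)
```

In a real deployment these records come from the vault's diagnostic setting routed to Log Analytics, where the same rules can be expressed as scheduled alert queries.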