Azure Key Vault is a cloud service used to manage keys, secrets, and certificates. Key Vault eliminates the need for developers to store security information in their code. It allows you to centralize the storage of your application secrets which greatly reduces the chances that secrets may be leaked. Key Vault also allows you to securely store secrets and keys backed by Hardware Security Modules or HSMs. The HSMs used are Federal Information Processing Standards (FIPS) 140-2 Level 2 validated. In addition, key vault provides logs of all access and usage attempts of your secrets so you have a complete audit trail for compliance.
Also Key Vault enables subscribers to safeguard and control cryptographic secrets & keys used by Cloud Services and Apps.
For Pricing Please go through Key Vault Pricing
Soft Key : Key Processed by Software by Key Vault and it is encrypted using a system key which is in an HSM (Hardware Security Module)
Hard Key : Key Processed in an HSM, these are protected in one of the Key Vault HSM security World (Available one security world per geography to maintain isolation).
Customer / Clients may also ask key vault to generate a key.
Key Vault Objects
RSA Key: RSA Sizes 2048. 3072 & 4096
EC Key: P-256, P-384, P-521 and P-256K (SECP256K1)
Password for PFX files
Storage Account Access Keys
Can generate and X.509 certificate and can manage life cycle management.
It does not issue or resell certificates from Public Cas.
It Just automates Life cycle management, enrollment and renewal of certificates from Public Cas.
Key Vault supports the below operations
Creating Key Vault
Login Azure Portal
Go to Services
Under Security Category – Click Key Vault
Click Create Key Vault
Here we need to provide the necessary information per your requirement.
Also note at Pricing Tier we have two options
Premier (Includes support for HSM backed keys).
Note: Based on your requirement you can enable Purge Protection by default it will be in Disabled State.
Do not directly go for Review + Create.
Using managed identities for Azure resources, your code can get access tokens to authenticate to resources that support Azure AD authentication. However, not all Azure services support Azure AD authentication. To use managed identities for Azure resources with those services, store the service credentials in Azure Key Vault, and use the VM’s managed identity to access Key Vault to retrieve the credentials.
First, we need to create a Key Vault and grant our VM’s system-assigned managed identity access to the Key Vault.
Go to Access Policy to
Enable Access to Azure VM, Resource Manager and Disk encryption for Volume encryption.
Also you can define your policies for Key Secrets and Certificates.
For our project we are taking default values.
Next go with Networking
You can connect to this key vault either publicly, via public IP addresses or service endpoints, or privately, using a private endpoint.
We are considering and taking this also as Default which is Public endpoint (all networks). You can proceed based according to your requirement.
Provide Name and Value based on your requirement.
Click Review and Create.
Key Vault is created with Resource Group, Location, Tags you assigned.
Click Name (Techrid-KeyVault-IT)
And click generate/Import
This will land you to create a Key and provide details based on your requirement.
While setting Activation Date it will take current time and expiration date by default is 2 years so we are taking this as default and this can be changed based on your requirement.
Key got created.
Click Secrets and Click Generate/Import
Secrets got created
If any other Admin want to view the secrets and Tag application to this secrets. Then click on Name Secrets
Click Tag and assign.
If want to view secrets then click “Show secret value”
Moving Key Vault to another subscription and Resource Group
In case if you want to Move this Key vault to
Another Resource Group
Then click Move
While moving this Key Vault to another Subscription then make sure you already have Resource group to place this Key Vault. And scripts associated will not work until you update them to use new resource IDs
While moving to another Resource Group that tools and scripts associated with moved resources will not work until you update them to use new resource IDs.
MCSE – Cloud Platform and Infrastructure