Introduction

Key Vault

Azure Key Vault is a cloud service used to manage keys, secrets, and certificates. Key Vault eliminates the need for developers to store security information in their code. It allows you to centralize the storage of your application secrets which greatly reduces the chances that secrets may be leaked. Key Vault also allows you to securely store secrets and keys backed by Hardware Security Modules or HSMs. The HSMs used are Federal Information Processing Standards (FIPS) 140-2 Level 2 validated. In addition, key vault provides logs of all access and usage attempts of your secrets so you have a complete audit trail for compliance.

Also Key Vault enables subscribers to safeguard and control cryptographic secrets & keys used by Cloud Services and Apps.

For Pricing Please go through Key Vault Pricing

Key Types

Soft Key : Key Processed by Software by Key Vault and it is encrypted using a system key which is in an HSM (Hardware Security Module)

Hard Key : Key Processed in an HSM, these are protected in one of the Key Vault HSM security World (Available one security world per geography to maintain isolation).

Customer / Clients may also ask key vault to generate a key.

Key Vault Objects

Keys

RSA Key: RSA Sizes 2048. 3072 & 4096

EC Key: P-256, P-384, P-521 and P-256K (SECP256K1)

Secrets

Password for PFX files

Storage Account Access Keys

Certificates

Can generate and X.509 certificate and can manage life cycle management.

Note:

It does not issue or resell certificates from Public Cas.

It Just automates Life cycle management, enrollment and renewal of certificates from Public Cas.

Keys:

Key Operations

Key Vault supports the below operations

Backup

Create

Delete

Get

Import

List

List Versions

Restore

Update

Creating Key Vault

Login Azure Portal

Go to Services

Under Security Category – Click Key Vault

Click Create Key Vault

Here we need to provide the necessary information per your requirement.

Also note at Pricing Tier we have two options

Standard

Premier (Includes support for HSM backed keys).

Note: Based on your requirement you can enable Purge Protection by default it will be in Disabled State.

Do not directly go for Review + Create.

Access Policy

 Using managed identities for Azure resources, your code can get access tokens to authenticate to resources that support Azure AD authentication.  However, not all Azure services support Azure AD authentication. To use managed identities for Azure resources with those services, store the service credentials in Azure Key Vault, and use the VM’s managed identity to access Key Vault to retrieve the credentials. 

First, we need to create a Key Vault and grant our VM’s system-assigned managed identity access to the Key Vault.

Go to Access Policy to

Enable Access to Azure VM, Resource Manager and Disk encryption for Volume encryption.

Also you can define your policies for Key Secrets and Certificates.

For our project we are taking default values.

Next go with Networking

Network connectivity

You can connect to this key vault either publicly, via public IP addresses or service endpoints, or privately, using a private endpoint.

We are considering and taking this also as Default which is Public endpoint (all networks). You can proceed based according to your requirement.

Next Tags

Provide Name and Value based on your requirement.

Click Review and Create.

Click Create

Key Vault is created with Resource Group, Location, Tags you assigned.

Click Name (Techrid-KeyVault-IT)

Click Keys

And click generate/Import

This will land you to create a Key and provide details based on your requirement.

While setting Activation Date it will take current time and expiration date by default is 2 years so we are taking this as default and this can be changed based on your requirement.

Click Create.

Key got created.

Creating Secrets

Click Secrets and Click Generate/Import

Secrets got created

If any other Admin want to view the secrets and Tag application to this secrets. Then click on Name Secrets

Click Tag and assign.

If want to view secrets then click “Show secret value”

Moving Key Vault to another subscription and Resource Group

In case if you want to Move this Key vault to

Another Subscription

Another Resource Group

Then click Move

Note:

While moving this Key Vault to another Subscription then make sure you already have Resource group to place this Key Vault. And scripts associated will not work until you update them to use new resource IDs

While moving to another Resource Group that tools and scripts associated with moved resources will not work until you update them to use new resource IDs.

Thanks,

Praveen Kumar

MCSE – Cloud Platform and Infrastructure