Azure Key Vault is a centralised service for storing sensitive application data.
A key vault is a secure container for storing sensitive data. When moving to the cloud, security boundaries between different bits of sensitive data are important to preserve. Having multiple vaults to store this data allows you to logically isolate the sensitive data which you are storing.
Each key vault is a collection of cryptographic keys and cryptographically protected data (known as secrets). The key vault controls access to the keys and secrets.
A cryptographic key is designed for a single use case. For example you can store the asymmetric keys used for Azure RMS (which is the technology used in Azure Information Protection), or those used for SQL Server Encryption.
Once the keys have been added to the key vault, applications never have direct access to the keys. Instead they are used by invoking cryptographic methods on the key vault. Key vault performs the requested operation within its hardened boundary.
The keys which are added can be either a single instance or they can be versioned (with old versions of the keys being archived).
The keys can be protected in one of two ways:
Hardware protected keys
You can choose to protect the keys using hardware security modules (HSMs).
Hardware security modules are a physical devices which are used for protecting and managing keys.
HSM backed keys are locked inside of the boundary of the provided HSM. Any operations that need to happen using those keys are performed inside of those boundaries. So when you ask the key vault to decrypt/sign in with a key this operation will happen inside of the HSM boundary.
You can bring your own HSM, or you can use those provided by Azure Dedicated HSM service.
Software protected keys
Key vault can also generate and protect keys using software encryption algorithms. When using these software protected keys:
- Keys are isolated from the applications in a container that you manage.
- They are stored at rest encrypted with HSMs.
- You can monitor the keys using Key Vault logs.
There are two main differences between hardware and software protected keys, and these are:
- The price - it is cheaper to use software protected keys than hardware protected keys.
- When the operations are performed, they are done using Azure compute services rather than within HSMs.
You choose the key generation type when you create the keys.
Different uses of key vault
You can store tokens, passwords, certificates, API keys, etc. securely within HSMs. Using the Key Vault you can control access to these secrets using access policies.
Key Vault provides a cloud based key management solution. Using this you can create and control keys used to encrypt data. You can then integrate other services with key vault and decrypt secrets without knowing the encryption keys.
Using Key Vault we can provision, manage and deploy public and private SSL/TLS certificates.
There are two different levels of management:
- Managing the Key Vault itself.
- Access to the data contained in the Key Vault.
The creation of the key vault and other actions related to management are separate to storing and retrieving secrets. Access has two components:
- Authentication - This is needed to identify the caller for operations.
- Authorisation - Once a caller is identified, authorisation is used to determine what operations the caller can perform.
Azure Active Directory is used to authenticate users and applications which try to access the vault. This authentication is performed by the AAD tenant that the Key Vault is a part of. All users and apps must be known to Active Directory, anonymous access is not permitted.
Management operations are controlled by RBAC. Creation and management are all controlled by RBAC roles. The storing and retrieving of secrets is managed via access policies. These access policies are assigned at certain scopes. You can assign an access policy where a user can e.g, get, list, create, update, decrypt keys. Similarly there are specific copes for managing secrets and certificates.
You can also restrict network access to the key vaults. You can restrict the endpoints to Azure Virtual Networks (AVNs), IP addresses, etc.
There are a few best practices for managing sensitive data with Key Vault:
- You should tightly control what users have access to. Human users having access to sensitive data is always a security risk.
- Access should only be given at specific scopes.
- You should store all certificates in the Key Vault.
- You should ensure that you can recover if the Key Vaults should get deleted/corrupted.