Skip to content

How does Azure Key Vault help me secure my data?

Carmel Eve By Carmel Eve Software Engineer I
How does Azure Key Vault help me secure my data?

Azure Key Vault is a centralised service for storing sensitive application data.

Vaults

A key vault is a secure container for storing sensitive data. When moving to the cloud, security boundaries between different bits of sensitive data are important to preserve. Having multiple vaults to store this data allows you to logically isolate the sensitive data which you are storing.

The best hour you can spend to refine your own data strategy and leverage the latest capabilities on Azure to accelerate your road map.

Each key vault is a collection of cryptographic keys and cryptographically protected data (known as secrets). The key vault controls access to the keys and secrets.

Keys

A cryptographic key is designed for a single use case. For example you can store the asymmetric keys used for Azure RMS (which is the technology used in Azure Information Protection), or those used for SQL Server Encryption.

Once the keys have been added to the key vault, applications never have direct access to the keys. Instead they are used by invoking cryptographic methods on the key vault. Key vault performs the requested operation within its hardened boundary.

The keys which are added can be either a single instance or they can be versioned (with old versions of the keys being archived).

The keys can be protected in one of two ways:

Hardware protected keys

You can choose to protect the keys using hardware security modules (HSMs).

Hardware security modules are a physical devices which are used for protecting and managing keys.

HSM backed keys are locked inside of the boundary of the provided HSM. Any operations that need to happen using those keys are performed inside of those boundaries. So when you ask the key vault to decrypt/sign in with a key this operation will happen inside of the HSM boundary.

You can bring your own HSM, or you can use those provided by Azure Dedicated HSM service.

Software protected keys

Key vault can also generate and protect keys using software encryption algorithms. When using these software protected keys:

  • Keys are isolated from the applications in a container that you manage.
  • They are stored at rest encrypted with HSMs.
  • You can monitor the keys using Key Vault logs.

There are two main differences between hardware and software protected keys, and these are:

  1. The price - it is cheaper to use software protected keys than hardware protected keys.
  2. When the operations are performed, they are done using Azure compute services rather than within HSMs.

You choose the key generation type when you create the keys.

Different uses of key vault

Secrets management

You can store tokens, passwords, certificates, API keys, etc. securely within HSMs. Using the Key Vault you can control access to these secrets using access policies.

Key management

Key Vault provides a cloud based key management solution. Using this you can create and control keys used to encrypt data. You can then integrate other services with key vault and decrypt secrets without knowing the encryption keys.

Certificate management

Using Key Vault we can provision, manage and deploy public and private SSL/TLS certificates.

Managing access

There are two different levels of management:

  • Managing the Key Vault itself.
  • Access to the data contained in the Key Vault.

The creation of the key vault and other actions related to management are separate to storing and retrieving secrets. Access has two components:

  • Authentication - This is needed to identify the caller for operations.
  • Authorisation - Once a caller is identified, authorisation is used to determine what operations the caller can perform.

Azure Active Directory is used to authenticate users and applications which try to access the vault. This authentication is performed by the AAD tenant that the Key Vault is a part of. All users and apps must be known to Active Directory, anonymous access is not permitted.

Azure Weekly is a summary of the week's top Microsoft Azure news from AI to Availability Zones. Keep on top of all the latest Azure developments!

Management operations are controlled by RBAC. Creation and management are all controlled by RBAC roles. The storing and retrieving of secrets is managed via access policies. These access policies are assigned at certain scopes. You can assign an access policy where a user can e.g, get, list, create, update, decrypt keys. Similarly there are specific copes for managing secrets and certificates.

You can also restrict network access to the key vaults. You can restrict the endpoints to Azure Virtual Networks (AVNs), IP addresses, etc.

Best practices

There are a few best practices for managing sensitive data with Key Vault:

  • You should tightly control what users have access to. Human users having access to sensitive data is always a security risk.
  • Access should only be given at specific scopes.
  • You should store all certificates in the Key Vault.
  • You should ensure that you can recover if the Key Vaults should get deleted/corrupted.

Also worth reading:

Using Azure Key Vault for Encryption in C# - A Simple Tutorial

Using Azure Key Vault for Encryption in C# - A Simple Tutorial

Ed Freeman

Learn to encrypt data in your app using C# and Azure SDK libraries, and secure keys with Azure Key Vault. Discover the easy setup process in this blog.
Adventures in Dapr: Episode 2 - Azure Key Vault

Adventures in Dapr: Episode 2 - Azure Key Vault

James Dawson

Explore DAPR's role in migrating workloads to cloud services, focusing on integrating Azure Key Vault for secrets management.
Adventures in Dapr: Episode 3 - Azure Storage Queues

Adventures in Dapr: Episode 3 - Azure Storage Queues

James Dawson

If you're interested in the Distributed Application Runtime (Dapr) and how it can simplify migrating existing workloads to use cloud platform services, then this series might be for you. In this post, we continue modifying the excellent Dapr Traffic Control sample application by swapping the MQTT-based messaging with Azure Storage Queues. We will also look at how you can use the Dapr programming model as an alternative to cloud-provider SDKs.

Carmel Eve

Software Engineer I

Carmel Eve

Carmel is a software engineer and LinkedIn Learning instructor. She worked at endjin from 2016 to 2021, focused on delivering cloud-first solutions to a variety of problems. These included highly performant serverless architectures, web applications, reporting and insight pipelines, and data analytics engines. After a three-year career break spent travelling around the world, she rejoined endjin in 2024.

Carmel has written many blog posts covering a huge range of topics, including deconstructing Rx operators, agile estimation and planning and mental well-being and managing remote working.

Carmel has released two courses on LinkedIn Learning - one on the Az-204 exam (developing solutions for Microsoft Azure) and one on Azure Data Lake. She has also spoken at NDC, APISpecs, and SQLBits, covering a range of topics from reactive big-data processing to secure Azure architectures.

She is passionate about diversity and inclusivity in tech. She spent two years as a STEM ambassador in her local community and taking part in a local mentorship scheme. Through this work she hopes to be a part of positive change in the industry.

Carmel won "Apprentice Engineer of the Year" at the Computing Rising Star Awards 2019.