Understanding Azure Key Vault: A Practical Yet Simple Guide

What is Azure Key Vault used for?

Now, one of the questions that lingers on your mind is: “Why would we store these things specifically in a Key Vault?.”

Put simply, we must store our keys safely to keep data secure ensuring only authorised users and processes can decrypt and access sensitive information.

Azure Key Vault is used for:

• Key management
• Certificate management 
• Secret management
• Storing secrets supported by hardware models (HSMs) 

Besides, it is highly integrated with other Azure services such as virtual machines (VMs), Logic Apps, Data Factory, Web Apps, etc.

That said, let us go over the basics stuff stored in the key vault.

Understanding Keys, Certificates, Secrets

To understand how Azure Key Vault works, we must discuss what it aims to do. Azure Key Vault lets us store and retrieve 3 types of sensitive information:

• Keys: A secure place to store cryptographic keys used for encryption and decryption.
• Certificates: Used for cryptographic authentication, such as accessing third-party services.
• Secrets: These include passwords, connection strings, and similar credentials.

Keys Explained

When we talk about keys, we refer to those used in cryptography, such as:

• Private Key: Known only to the issuer (the person or application that creates or uses it) and used for decryption and signing.
• Public-Private Key Pair: A pair of keys that can securely identify users and applications, allowing them to authenticate and access resources. The public key is shared openly, while the private key is kept secret.
• Public Key Infrastructure: A framework that uses cryptographic keys for secure communication and authentication.

A key is crucial to cryptographic communication, specifically within Public Key Infrastructure (PKI). 

How it works? 

A key is a file or a string of text that encrypts and decrypts data. Think of it as a literal and figurative key that unlocks encrypted information, making it accessible (unencrypted) only to those with the correct key. This can include API keys or service keys for securely interacting with applications.

Certificates Explained

Unlike keys, certificates are primarily about proving identity and enabling secure communication. They act as digital IDs, verifying identity and ensuring secure interactions between applications, services, and users.

Certificates are complex cryptographic objects used for:

• Authentication: Authenticate an application or user to another system.
• Encryption and Decryption: Encrypt and decrypt data based on identity.
• Secure Communication: Ensure secure communication by signing the communication, ensuring it has not been tampered with and originates from a trusted source.

Secrets Explained

Secrets are passwords, or any long string of information stored as text. They can include API keys, encryption keys, connection strings, and even certificates formatted as text.

Secrets function as credentials, allowing systems to authenticate or encrypt communications. They are commonly used to store sensitive data or enable encrypted communication between network devices.

Storage Containers in Azure Key Vault

We can find two types of Azure Key Vault that can be deployed:

• Standard Key Vault
• Managed HSM Pools (Hardware Security Module Pools)

Standard Key Vault

A Standard Key Vault is a multi-tenant managed service in Microsoft Azure. This means that while your Key Vault is dedicated to you, it coexists with other tenants on Microsoft's infrastructure. When choosing vaults as a container type, your data will be stored on a computer or hard disk. It provides basic security features but incurs some additional fees.

Managed HSM Pools

Alternatively, you can opt for Managed HSM modules as a container type. Microsoft maintains a pool of Hardware Security Modules to store information (secrets, keys, certificates).

HSM, short for Hardware Security Module, is a hardware device managed by Azure where information is stored. Rather than storing them on a computer, they are stored in a special device designed to protect these kinds of information. They are more secure than software-based storage, since keys never leave the hardware module. This makes them ideal for environments with high-security demands.

Note the following:

• Within Standard Key Vault, you can store both normal keys and HSM-backed keys.
• Within Managed HSM Pools, you can only store HSM-backed keys (software-based keys cannot be stored there).

Authentication in Azure Key Vault

To use Azure Key Vault, you first need to authenticate to it. This is done by connecting the application via Microsoft Entra ID (formerly Azure Active Directory).

Communication Flow:

• The communication flow is bi-directional, with requests passing from the application to Key Vault.
• Authentication is managed through Entra ID.

The visual below illustrates the authentication process further:

By setting this up, the application can securely identify itself, retrieve the necessary resources, and interact with users when delivering services.

Authorisation in Azure Key Vault

On the other hand, authorisation can be managed through either:

• Azure role-based access control (RBAC)
• Key Vault access policies

The first is Key Vault access policies. In simple terms, Key Vault controls who or what (applications, IPs, or entities) can access specific resources with specific permissions. 

Access policies are limited to controlling access to the data only within Azure Key Vault. In other words, you cannot control access to Key Vault itself. In case you want to allow someone to manage the Key Vault, you cannot do that with access policies. For that, you need to use Azure Role-based access control (RBAC). 

With Azure RBAC, you can control:

• Access to the data within Key Vault
• Manage access to Key Vault itself

When a user or application requests access to a key, Key Vault does not decide directly. Instead, it delegates the request to Microsoft Entra ID, which checks Role-Based Access Control (RBAC) to determine whether the user has the necessary permissions to access the requested resource.

RBAC acts as both a control and data layer, managing access to the data within Key Vault and controlling access to Key Vault itself.

Because access policies are now seen as legacy, we recommend using RBAC.

Safety and recovery features in Azure Key Vault

Deleting an encrypted storage account is about as bad as it gets. Without key, your data encryption key is locked up too – which means data is lost.

That’s why there are two key settings you must be aware of:

• Soft Delete
• Purge Protection

Soft Delete

When soft delete is turned on, you can restore items even if you accidentally delete them. If you delete a Key Vault, or any keys, secrets, or certificates inside it, they remain in a soft deleted state for a configured retention period (up to 90 days, with a minimum of 7 days). This prevents accidental deletions of important data.

If you created a Key Vault in the past, soft delete may not have been enabled. However, all newly created Key Vaults will always have soft delete turned on.

But if exploited, soft delete alone may not be enough: an item could still be purged before recovery is possible. Therefore, you also need to consider purge protection.

Purge Protection

Purge protection adds an extra layer of security on top of soft delete. It prevents items from being permanently deleted before the retention period expires.

For example, if the retention period is 90 days:

• Without Purge Protection: you can manually purge a soft-deleted key at any time within 90 days.
• With Purge Protection enabled: you must wait until the full 90-day retention period is over before it can be permanently deleted.

By default, purge protection is disabled. But when you enable purge protection, it cannot be bypassed. This ensures that even if an attacker or user tries to purge a deleted key, they will not be able to do so until the retention period expires.

Azure Key Vault Benefits

Why use Azure Key Vault? Well, it expands the ability to offer secure services, whether for internal users or external customers needing these services. You need to ensure sensitive information is stored securely.

Better yet, there are more benefits Key Vault brings to the table:

Seamless Integration with Azure Services

Azure Key Vault is highly integrated with other Azure services and provides multiple ways to connect and manage your application information securely. It works with virtual machines (VMs), Logic Apps, Data Factory, Web Apps, and more.

Centralised Secret Management

One of Azure Key Vault's biggest perks is centralisation. Multiple services can store their application secrets all together in one place. For example, if Logic Apps and Data Factory need to connect to the same SQL server, they can both store their connection details in Azure Key Vault. Alongside that, a single certificate can be used across all components of an application.

Easy Secret Updates

When you change an object in Key Vault, every connected service (Logic Apps, Data Factory, etc.) uses the updated value automatically. This can be a keen advantage, especially for large-scale applications.

Monitoring and Logging

Azure Key Vault comes with built-in monitoring and logging features. Every access attempt is logged, allowing you to see exactly who accessed what and when.

Scalability

No matter how many requests hit Key Vault, it doesn’t break a sweat. Whether a single service or dozens request secrets at once, it keeps up.

Simplicity

Managing sensitive data is complex, and organisations need streamlined solutions that integrate security without adding overhead. Azure Key Vault makes security management a whole lot easier, removing the need for in-house HSM expertise, as Azure takes care of it. Additionally, because security policies apply across applications, custom coding is reduced, as well as the chance of human error. And with automated key rotation and certificate renewal, you’ll have less manual work – with and fewer errors.

DevOps and IoT Integration

Azure Key Vault simplifies key and secret management for both DevOps and IoT environments:

• DevOps Tools: Works with tools like Azure DevOps and Jenkins to securely store credentials, API keys, and certificates.
• IoT Devices: Manages keys and secrets for IoT devices and applications, ensuring secure communication and authentication.

Azure Key Vault Pricing: How Much Does it Cost?

So, it’s all great what Azure Key Vault offers. Still, the price tag of a cloud service is often a dealbreaker for many… which is why we cannot skip the question: “How much does Azure Key Vault cost?”
 
Let’s demonstrate it with an easy example using the Azure Pricing Calculator.

Azure Key Vault comes with two service tiers (or SKUs):

• Standard
• Premium

The table below breaks down Key Vault pricing for West Europe:

Software-protected keys

If you want to use Managed HSM Pools, you must go for the Premium pricing tier (they aren’t available in the Standard pricing tier). But the standard tier will be sufficient for most use cases. 

HSM-protected keys

That being said, let’s go into more detail with an example:

Example

Let’s say that your machine learning team has an AI model training pipeline that processes sensitive datasets from multiple sources (cloud storage, APIs, databases) and performs secure encryption and decryption operations. 

Each week, the pipeline executes:

• 200,000 read operations: Fetching secrets from Azure Key Vault.
• 80,000 write operations: Storing new secrets in Azure Key Vault.
• 5,000 advanced key operations: Generating new cryptographic keys for encrypting and decrypting datasets.

Cost Calculation

• Read Operations Cost
  Cost per 10,000 secret read operations = $0.03
  Total cost for 200,000 secret read operations = $0.03 × 20 = $0.60
• Write Operations Cost
  Cost per 10,000 secret write operations = $0.03
  Total cost for 80,000 secret write operations = $0.03 × 8 = $0.24
• Key Operations Cost
  Cost per 10,000 key operations = $0.15
  Total cost for 5,000 key operations = $0.15 × 0.5 = $0.075

Total Weekly Cost

Total Monthly Cost (4 Weeks): $3.66 ($0.915 × 4)

Note: This estimate is based on Standard Azure Key Vault pricing. Using HSM-protected keys will result in higher costs.

The example above is based on a specific use case to show you how costs are incurred. Actual costs may vary depending on region, pricing tier, applicable discounts, or agreements.

Use Cases of Azure Key Vault

1. Disk Encryption

One of the most common scenarios in Azure is building infrastructure, which often involves creating virtual machines and disks. These disks store both the operating system and application data, all of which need to be encrypted. This encryption ensures that if someone obtains a copy of a disk, they cannot decrypt its contents without having the associated encryption key.

By default, Azure provides platform-managed encryption keys, meaning all disks in Azure are automatically encrypted and managed by Microsoft. However, customers can elect to use their own keys for encryption and decryption. These are called encryption keys, which can be securely stored in Azure Key Vault.

2. Managing Secrets in Azure

Azure Key Vault isn’t just for disk encryption. Consider a web app connecting to an SQL database – it would need to store connection details (server address, username, and password). This type of sensitive information is known as application secrets. Azure Key Vault provides a secure way to store and manage these secrets, making it easy for applications to access them securely.

Many Azure services and SDKs integrate with Key Vault, allowing developers to store secrets without writing extra code. In fact, some Azure solutions provide Key Vault integration without requiring any code at all.

3. Certificates for Secure Communication

If your web application serves content over HTTPS (as it should), it needs certificates to encrypt traffic between the web server and users. Azure Key Vault can store and manage these certificates, ensuring secure communication.

How to use Azure Key Vault?

To use Azure Key Vault, you need an active Azure subscription and the right permissions to create and manage resources.

Create a Key Vault

Step 1: Go to the Azure Portal

• Log in to the Azure portal.
• Click "Create a resource".
• Select "Key Vault" from the list of services.

Step 2: Select Key Vault

• Click on Key Vaults
• If it doesn’t appear, search for Key Vaults in the search bar

Step 3: Configure and Create Your Key Vault

• Enter a unique name for your Key Vault.
• Select your subscription, resource group, and region.
• Choose a pricing tier (Standard or Premium) and configure any advanced settings as needed.
• Click "Create" to deploy your Key Vault.

Step 4: Choose the number of retention days and enable purge protection (optional, recommended)

• Next up, we’ve got to choose the number of days to retain deleted vaults (min. 7 days and max. 90 days).
• Enable purge protection to enforce a mandatory retention period for deleted vaults and vault objects
• Then click on next to configure access

Step 5: Configure access

• Choose either Azure role-based access control RBAC (recommended) or the Vault access policy.

Step 6: Select Networking option

• Decide to allow access either from all networks or selected networks
• Optionally, you can choose to use a private endpoint for a more secured connection

Step 7: Create Tags (optional, recommended)

You can create tags which help organise and categorise resources for better management and cost tracking.

Create and manage cryptographic assets

Once your Key Vault is set up, you can start managing keys, secrets, and certificates. This can be done using the Azure portal, PowerShell, or Azure CLI.

To create a new cryptographic asset:

• Log in to the Azure portal.
• Navigate to your Key Vault.
• Select the type of cryptographic asset you want to create (keys, secrets, or certificates).

From here, you can configure, update, and manage these assets as needed.

• Click "Create" and follow the prompts to configure the asset’s settings, such as name, algorithm, expiration date, and other options.

Creating a secret

Step 1: Click on secrets

• Creating a secret is not much different to making a key. However, the part where you generate them is different.

• Now, you can either upload them manually or select the certificate option. When doing so, you must upload them in a file.
• Then, give it a name and set an activation and expiration date.

Best Practices for Azure Key Vault

Here are some best practices for using Azure Key Vault:

1. Turn on Soft Delete and Purge Protection to prevent deletions

Ensuring you have Soft Delete and Purge Protection in place puts you in an advantageous position. With those protections, accidental deletions are reversible. So long as retention settings are long enough, you’ll have time to recover anything before it causes real damage.

2. Backup Keys

As with many security incidents in the cloud, humans often account for a significant share. And that’s no different when it comes to data. Accidental deletion is among many of the human errors leading to data loss. Sometimes, it only takes a small act before things take a turn for the worse – someone clicks the wrong button, deletes the wrong secret, or runs a bad script… you name it.

Therefore, as best practice, back up your keys. And by keys, that means everything contained in the vault – secrets, certificates, and encryption keys. 

Whether it’s an insider threat or an external attack, backups give you a way to recover quickly if someone tampers with your keys. Afterall, you can never have too many backups.

3. Use Azure RBAC instead of Access Policies for better access control

When managing access to Azure Key Vault, always use RBAC (Role-Based Access Control) rather than vault-level access policies. But that’s not all: also follow the principle of “least privilege”. Meaning that, you should only grant access to what’s necessary, not give permissions beyond needs and restrict users to individual secrets instead of broad access.

The plus point of RBAC is that you can integrate it with MFA (Multi-Factor Authentication) and conditional access. This way, you can stack up your security layers on top of each other and control who can access what.

4. Combine RBAC with PIM (Privileged Identity Management)

Even better, would be setting up RBAC with PIM (Privileged Identity Management). This makes just-in-time access possible. What that means is administrators with heightened permissions must manually escalate before making any changes – reducing the risk of unneeded long-term access.

5. Audit Logs

Always keep audit logs enabled to track who is doing what with objects in the Key Vault. This is essential for monitoring access and detecting suspicious activity. Configure logging in Diagnostic Settings and send the logs to a central location where they can be used for insights and analysis. Ensure these logs have suitable RBAC restrictions to ensure they are protected from deletion.

6. Choose the Premium Tier if you need HSM for cryptographic operation.

The Premium tier is required for FIPS 140 HSM (Hardware Security Module), which provides higher security for cryptographic keys.

• Premium Tier: This tier provides higher security for cryptographic keys using HSM-backed keys. It is a multi-tenant service that offers FIPS 140-2 Level 3 validated HSMs
• Managed HSM: This is a separate service from Azure Key Vault Premium. Managed HSM is a fully managed, highly-available, single-tenant cloud service that uses FIPS 140-2 Level 3 validated HSMs 

7. Enable automatic key and secret rotation

Enhance security by regularly updating keys, secrets, and certificates. This practice minimises the risk of exposure due to outdated credentials, reduces the impact of compromised keys, and ensures compliance with security policies and regulations. 

By automating the rotation process, you can maintain a higher level of security without manual intervention.

Learn more about Azure Security Best Practices.