Manage access and permissions to secrets, certificates, and keys to Key Vault
- You control access to a key vault through two interfaces: the management plane and the data plane
  - Management plane:
    - Operations: create and delete vaults, update access policies, retrieve vault properties
    - Authentication: Azure AD
    - Authorization: RBAC
  - Data plane:
    - Operations: view and manage certificates, keys, and secrets
    - Authentication: Azure AD
    - Authorization: Key vault access policies
Manage certificates
Azure Key Vault–supported X.509 certificate capabilities:
- Creation of certificates:
  - Support for exportable and nonexportable private keys in PFX or PEM format
  - Autogeneration of an addressable key and secret associated with the certificate
  - Secure storage and management without interaction with private keys
- Policy-based lifecycle management:
  - Autogeneration of a default policy following certificate import (customers must define new policies when creating certificates)
  - Support for vault-level access control
  - Auditing and notifications
  - Support for certificate contacts
  - Automatic renewal
Configure an HSM key-generation solution
- Primary characteristics of Azure hardware security modules:
  - Comply with the Federal Information Processing Standard (FIPS) 140-2 Level 2 security standard
  - Host cryptographic material managed by Azure Key Vault
  - Support cryptographic operations within the HSM boundaries
  - Support secure transfer of existing keys in Bring Your Own Key (BYOK) scenarios
- Transferring HSM-protected keys:
  - A customer generates a key in their on-premises environment
  - The customer uses a target key vault to generate a nonexportable Key Exchange Key
  - The customer encrypts the key with the Key Exchange Key and binds it to the vault by using an HSM-specific toolset
  - The customer transfers the key into the key vault
Configure key rotation
- A key vault allows you to update keys and secrets without affecting the behavior of your application
- You can rotate secrets in several ways:
  - As part of a manual process
  - Programmatically by using the REST API
  - Through an Azure Automation script
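An added example of the programmatic route (not code from the original notes or from Microsoft): a Python helper that applies an expiry-based rotation policy to the JSON returned by Key Vault's GET secret call and builds the REST requests for the new version plus a short grace expiry on the old one. The vault URL, secret name and `current` response are constructed sample values, and sending the requests with an Azure AD bearer token is assumed to happen elsewhere.

```python
import json
import secrets

API_VERSION = "7.4"  # Key Vault data-plane REST API version in every URL


def needs_rotation(attributes, now, lead_seconds):
    """Rotate when the current version is disabled, has no expiry, or
    expires within `lead_seconds` of `now`.  `attributes` is the
    "attributes" object from GET {vault}/secrets/{name}; exp/nbf are
    Unix epoch seconds."""
    if not attributes.get("enabled", True):
        return True
    exp = attributes.get("exp")
    return exp is None or exp - now <= lead_seconds


def rotation_requests(vault_url, name, current, now,
                      lead_seconds, ttl_seconds, grace_seconds):
    """Build (but do not send) the REST calls for one rotation.
    `current` is the JSON returned by GET /secrets/{name}.  Returns []
    when nothing is due, else a PUT that creates a new version with a
    fresh value and a PATCH that shortens the old version's expiry to a
    grace window so in-flight consumers keep working until they re-read.
    Sending with an Azure AD bearer token is left to the caller."""
    attrs = current.get("attributes", {})
    if not needs_rotation(attrs, now, lead_seconds):
        return []
    old_version = current["id"].rstrip("/").rsplit("/", 1)[-1]
    # Never extend an expiry that is already sooner than the grace window.
    old_exp = attrs.get("exp")
    grace_exp = now + grace_seconds if old_exp is None else min(old_exp, now + grace_seconds)
    new_value = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    return [
        {"method": "PUT",
         "url": f"{vault_url}/secrets/{name}?api-version={API_VERSION}",
         "body": {"value": new_value,
                  "attributes": {"enabled": True, "nbf": now, "exp": now + ttl_seconds}}},
        {"method": "PATCH",
         "url": f"{vault_url}/secrets/{name}/{old_version}?api-version={API_VERSION}",
         "body": {"attributes": {"exp": grace_exp}}},
    ]


if __name__ == "__main__":
    # Constructed sample: a GET response for a secret that expires in 3 days.
    now, day = 1_700_000_000, 86_400
    current = {"id": "https://contoso-kv.vault.azure.net/secrets/db-password/1a2b3c",
               "attributes": {"enabled": True, "exp": now + 3 * day}}
    for req in rotation_requests("https://contoso-kv.vault.azure.net", "db-password",
                                 current, now, 7 * day, 90 * day, day):
        print(req["method"], req["url"], json.dumps(req["body"]))
```

The same decision function can drive an Azure Automation runbook on a schedule; only the transport (authenticated HTTPS) differs.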