Eng Soon Cheah

Configure and manage Azure Key Vault

Manage access and permissions to secrets, certificates, and keys to Key Vault

  • You control access to a key vault through two interfaces: the management plane and the data plane
  • Management plane:
    • Operations: create and delete vaults, update access policies, retrieve vault properties
    • Authentication: Azure AD
    • Authorization: RBAC
  • Data plane: 
    • Operations: view and manage certificates, keys, and secrets
    • Authentication: Azure AD
    • Authorization: Key vault access policies

Manage certificates
Azure Key Vault-supported X.509 certificate capabilities:
- Creation of certificates:
  - Support for exportable and nonexportable private keys in PFX or PEM format
  - Autogeneration of an addressable key and secret associated with the certificate
  - Secure storage and management without interaction with private keys
- Policy-based lifecycle management:
  - Autogeneration of a default policy following certificate import (customers must define new policies when creating certificates)
  - Support for vault-level access control
  - Auditing and notifications
  - Support for certificate contacts
  - Automatic renewal

Configure an HSM key-generation solution

  • Primary characteristics of Azure hardware security modules:
    • Comply with Federal Information Processing Standard (FIPS) 140-2 Level 2 security standard
    • Host cryptographic material managed by Azure Key Vault
    • Support cryptographic operations within the HSM boundaries
    • Support secure transfer of existing keys in Bring Your Own Key (BYOK) scenarios
  • Transferring HSM-protected keys:
    • A customer generates a key in their on-premises environment
    • The customer uses a target key vault to generate a nonexportable Key Exchange Key
    • The customer encrypts the key with the Key Exchange Key and binds it to the vault by using an HSM-specific toolset
    • The customer transfers the key into the key vault

Upload a secret

Configure key rotation

  • A key vault allows you to update keys and secrets without affecting the behavior of your application
  • You can rotate secrets in several ways:
    • As part of a manual process
    • Programmatically by using REST API
    • Through an Azure Automation script
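A programmatic rotation of the kind the bullets above describe, as an added example that is not from the original post: `rotate_secret` calls only methods that exist on `SecretClient` in the azure-keyvault-secrets SDK (`set_secret`, `get_secret`, `list_properties_of_secret_versions`, `update_secret_properties`), so a real client can be passed in place of the constructed in-memory `FakeSecretClient` that lets the example run offline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
import secrets


@dataclass
class SecretProperties:           # mirrors the SDK's SecretProperties fields we use
    name: str
    version: str
    enabled: bool = True
    expires_on: Optional[datetime] = None


@dataclass
class KeyVaultSecret:             # mirrors the SDK's KeyVaultSecret (value + properties)
    value: str
    properties: SecretProperties


class FakeSecretClient:
    """Constructed offline stand-in for azure.keyvault.secrets.SecretClient."""

    def __init__(self) -> None:
        self._store: Dict[str, List[KeyVaultSecret]] = {}

    def set_secret(self, name, value, *, expires_on=None):
        ver = secrets.token_hex(16)           # Key Vault assigns a random version id
        item = KeyVaultSecret(value, SecretProperties(name, ver, True, expires_on))
        self._store.setdefault(name, []).append(item)
        return item

    def get_secret(self, name, version=None):
        versions = self._store[name]
        if version is None:                   # no version given: latest, as Key Vault does
            return versions[-1]
        return next(s for s in versions if s.properties.version == version)

    def list_properties_of_secret_versions(self, name):
        return [s.properties for s in self._store.get(name, [])]

    def update_secret_properties(self, name, version=None, *, enabled=None):
        props = self.get_secret(name, version).properties
        if enabled is not None:
            props.enabled = enabled
        return props


def rotate_secret(client, name, new_value, ttl_days=90, now=None):
    """Write a new version of `name` with an expiry, then disable every older version.

    The application keeps fetching `name` without a version, so it receives the
    new value on its next read with no config change. Returns the new version id.
    """
    now = now or datetime.now(timezone.utc)
    old_versions = [p.version for p in client.list_properties_of_secret_versions(name)]
    new = client.set_secret(name, new_value, expires_on=now + timedelta(days=ttl_days))
    for ver in old_versions:                  # disable, not delete: auditable and reversible
        client.update_secret_properties(name, ver, enabled=False)
    return new.properties.version
```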

