What is Microsoft Azure Key Vault?
Microsoft Azure Key Vault is a cloud-based service that stores the data or secret securely and can be accessed with that data and secret securely. This secret data can be anything of which the user wants to control access such as passwords, TLS/SSL certificate or API keys, or cryptographic keys. Key vault services store secrets in the containers and there are two types of container used by key vault:
- Vaults: It has support to store software as well as HSM-backed keys along with secrets and certificates.
- Managed HSM pools: This container has support only for HSM-backed keys.
How does Microsoft Azure Key Vault work?
Azure Key Vault service can be created by anyone who has access to the Azure subscription and it can be implemented and managed by the security administrator of the organization along with other services. Below image shows the process of Azure Key vault.
Vault Owner: Vault owner has full access to the Key vault and has control over the vault.
Vault Consumer: vault owners can grant access to the vault consumer so that vault consumer can perform various actions depending on the access granted. Once vault consumer access is enabled then consumers can design key lifecycles and grant access to sensitive data to others if required. Depending on the audit log, vault owners can know what the consumer is doing and are they trustworthy.
Secrets: It is a sequence of bytes with a limit of 10kB which can be assigned to the value. This value can be a certificate or password. Consumers can read and store the values based on name and permission granted and store this data in HSM as a Key-Value pair.
Keys: Consumers can use the keys for particular key operations like a sign, encrypt, decrypt, verify, etc. key vault handles all these operations as consumers can not read value. Keys are stored in two format
- Software Keys: These are cheap and less secure. This key uses Azure VMs to handle operations and used for dev/test scenarios.
- HSM Keys: This are more secure and perform operations directly on HSM and these keys are expensive and users need to use Premier-tier vault.
Authentication: Azure key vault is highly secure with high-grade authentication and authorization as it integrates Azure Active Directory (AAD). AAD is used to grant permission to a person or application to access a vault.
Each account will have a unique account ID and Users with Azure subscription and Admin privileges can log in into Microsoft Azure to create a vault and store secret data.
How to use key vault in Azure?
- Users should have valid username and password.
- Users should have Azure Subscription to create Azure Key Vault
Steps using Azure Portal :
- Create an Azure Key-Vault:
Step 1: Login into the Azure Portal using the below URL:
Step 2: From the Azure portal home page select the +Create a resource.
Step 3: In the Search field of Azure Marketplace search for Key Vault and click on enter to open Key Vault create page:
Step 4: From the Key Vault page select Create:
Step 5: On a Create Key Vault user need to enter the project details:
Step 6: Enter the details of new bastion as below:
- Subscription: Select your subscribed plan from the drop-down list.
- Resource group: Select the resource group in which you want to create a bastion.
- Key Vault Name: Enter the unique name and vault name must be alphanumeric and should not start with a Number.
- Region: Select region/location from down list.
- Pricing Tier: Select Pricing tier from drop-down list.
Step 7: Select Review+Create and then click on create from the page to deploy the workspace:
Check Deployment status on the Page till it move to complete
1. Add a Secret:
Step 1: Go to recently created key-vault in the Azure portal:
Step 2: Now select the Secrets from Settings of the left side section:
Step 3: Now Select General/Import from the top of the Secret page:
Step 4: Create a Secret page is opened fill out the form by entering Name, Value, and content type with activation and expiration date if required:
Step 5: Now click on the Create button from the bottom of the page:
Step 6: Verify that new secret is added to the Vault:
2. Show the Secret:
Step 1: Select newly added secret from the Secret list:
Step 2: Select the current version of the Secret from the list:
Step 3: Now from the page select Show Secret Value:
Step 4: Verify newly added Secret value is correctly shown in the vault:
Uses of Azure Key Vaults
- It can securely store and provide control access to passwords, certificates, token, API keys or other secrets hence has Secret Management.
- It is easy to create and provide control over encrypted keys used to encrypt data.
- It has support to manage and deploy TLS/SSL layer certificates.
- As it is in Azure Cloud, Key vault can be easily integrated with other Azure Services like Azure App Service, Azure Disk Encryption, etc.
- It has centralized storage of application secrets hence it allows users to control distribution.
In conclusion, users can use Azure Key Vault service to store data and also get benefitted from other Azure services as it is easy to integrate. Once users has created Key Vault he/she can start using the Azure to store keys and their values/secrets.
This is a guide to Azure Key Vault. Here we discuss a What is Microsoft Azure Key Vault?, working, uses, and steps to use Azure Key Vault. You can also go through our other related articles to learn more –