
Azure Key Vault

Overview

Azure Key Vault is a cloud-based secrets management service that lets you store and control access to:

  • Secrets (e.g., passwords, connection strings, API keys)
  • Keys (for encryption/signing, including HSM-backed keys)
  • Certificates (TLS/SSL certs)

Callers, typically applications using managed identities, authenticate to the vault through Azure AD (Microsoft Entra ID); the vault holds no identities itself, only the three object types above.

It acts as a centralised, secure store for sensitive information, and integrates tightly with other Azure services and your own applications.

Key Features

  • Secrets Management – Store and retrieve sensitive config like DB connection strings.
  • Key Management – Generate, store, rotate cryptographic keys (RSA, EC) for encryption or digital signing.
  • Certificate Management – Store and auto-renew SSL/TLS certificates from supported CAs.
  • Access Policies / RBAC – Fine-grained access control via Azure AD (Microsoft Entra ID); Azure RBAC is the recommended model, and a vault uses one model or the other, never both.
  • Audit Logging – Records who accessed which object, when, and how, once a diagnostic setting routes the AuditEvent log to Log Analytics, a storage account or Event Hubs; nothing is collected by default.

Advantages

  • Centralized security – Avoid hardcoding secrets in config files or code.
  • Integration with Azure services – Use Key Vault secrets in App Service, Azure Functions, etc.
  • Supports automated rotation – Rotation policies for keys and auto-renewal for certificates; secrets get an expiry date and a near-expiry event, but rotating them is your own automation.
  • Managed identity access – Applications can authenticate to Key Vault without secrets.
  • High durability & availability – Backed by Azure’s global infrastructure.

Drawbacks / Considerations

  • Latency – Every runtime read is a network round trip to the vault; fetch secrets at startup and cache them rather than calling the vault per request.
  • Complexity – Two permission models (Azure RBAC vs. access policies) confuse teams; Azure RBAC is the recommended one.
  • Cost – Per-operation costs are low but non-zero; the Premium tier (HSM-backed keys) and Managed HSM add up.
  • Limits – Throughput is throttled per vault (on the order of a few thousand operations per 10 seconds, varying by object and key type; check the current service limits). Exceeding it returns HTTP 429, so clients need retry with backoff as well as caching.

Example: Retrieving a Secret in C#

Using the Azure SDK:

using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Vault URI has the form https://<vault-name>.vault.azure.net/
var kvUri = "https://my-keyvault.vault.azure.net/";

// DefaultAzureCredential walks a chain of credential sources (environment
// variables, workload identity, managed identity, Azure CLI, Visual Studio, ...).
var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());

// The caller needs the "Key Vault Secrets User" role (or a get-secret access policy).
// Each call is a network round trip: cache the value instead of fetching it per request.
KeyVaultSecret secret = await client.GetSecretAsync("MyDbPassword");
string password = secret.Value;

This uses DefaultAzureCredential, which tries a chain of credential sources (environment variables, workload identity, managed identity, Azure CLI, Visual Studio sign-in, and more), so no secrets are hardcoded. In production, prefer a deterministic credential such as ManagedIdentityCredential, or exclude the developer-tool sources from the chain, so that a silent fallback to a developer's identity cannot occur.

Common Use Cases

  • Securely store API keys, passwords, and connection strings
  • Manage encryption keys for data at rest (e.g. in SQL, Blob Storage)
  • Use HSM-backed keys for signing or encrypting sensitive data
  • Secure storage and auto-renewal of TLS certificates
  • Enable zero trust patterns (no sensitive config in code or pipelines)

Integration Examples

  • App Service / Azure Functions: Reference secrets in app settings using @Microsoft.KeyVault(...); the platform resolves the reference with the app's managed identity, which must have read access to the secret
  • Azure DevOps: Expose Key Vault secrets as pipeline variables through a variable group linked to the vault or the AzureKeyVault task
  • Azure Disk Encryption / SQL TDE: Keep the customer-managed encryption keys in Key Vault

Conceptual Model

Think of Key Vault as your cloud safe:

  • You drop in keys, passwords, or certs
  • You define who can open which drawer, using Azure AD roles or access policies
  • Azure provides the durability and resilience; auditing and rotation only happen once you enable a diagnostic setting and configure rotation policies

Security Best Practices

  • Use Managed Identity for apps to access the vault without needing credentials, and grant only the data-plane role they need (e.g. Key Vault Secrets User for read-only secret access)
  • Enable soft delete and purge protection to prevent accidental or malicious deletion
  • Set secret expiration and key rotation policies
  • Restrict access via Private Endpoints or Firewall rules
  • Turn on audit logging with a diagnostic setting and alert on unexpected callers or denied requests
  • Use separate vaults per application and environment so one compromised identity cannot read every secret
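The best practices above applied end to end with the Azure CLI, together with the App Service wiring from the Integration Examples section, as an added example that is not part of the original page. Every resource name, the location, the allowed CIDR and the Log Analytics workspace are assumptions; kv_secret_ref is a helper written for this example, not an Azure CLI command. Running it with the apply argument creates real resources and needs a signed-in az session with rights on the resource group; without the argument it only defines the functions.

```shell
#!/bin/sh
# Added example: hardens an Azure Key Vault and wires an App Service managed
# identity to one of its secrets using the Azure CLI. Not from the original page.
# Resource names, location, CIDR and workspace ID below are assumptions.
set -eu

RG="${RG:-rg-kv-demo}"
LOCATION="${LOCATION:-westeurope}"
VAULT="${VAULT:-kv-demo-0001}"
WEBAPP="${WEBAPP:-app-kv-demo}"        # existing App Service (assumed)
WORKSPACE_ID="${WORKSPACE_ID:-}"       # Log Analytics workspace resource ID (optional)
ALLOWED_CIDR="${ALLOWED_CIDR:-203.0.113.0/24}"   # RFC 5737 documentation range, stands in for your egress IPs

# Build an App Service / Functions Key Vault reference for a secret.
# Helper written for this example (pure shell, no Azure calls). Enforces the
# vault naming rules: 3-24 chars, letters/digits/hyphens, starts with a letter.
kv_secret_ref() {
  vault="$1"; secret="$2"
  case "$vault" in
    [!A-Za-z]*|*[!A-Za-z0-9-]*) echo "invalid vault name: $vault" >&2; return 1 ;;
  esac
  if [ "${#vault}" -lt 3 ] || [ "${#vault}" -gt 24 ]; then
    echo "vault name must be 3-24 characters: $vault" >&2; return 1
  fi
  case "$secret" in
    ''|*[!A-Za-z0-9-]*) echo "invalid secret name: $secret" >&2; return 1 ;;
  esac
  printf '@Microsoft.KeyVault(SecretUri=https://%s.vault.azure.net/secrets/%s/)\n' "$vault" "$secret"
}

harden_vault() {
  # 1. Azure RBAC permission model, soft delete (90-day retention) and purge protection.
  #    Purge protection cannot be switched off again once enabled.
  az keyvault create --name "$VAULT" --resource-group "$RG" --location "$LOCATION" \
    --enable-rbac-authorization true --enable-purge-protection true --retention-days 90
  VAULT_ID=$(az keyvault show --name "$VAULT" --resource-group "$RG" --query id -o tsv)

  # 2. Under RBAC the creator gets no data-plane rights; grant them explicitly.
  #    Role assignments can take a few minutes to propagate.
  ME=$(az ad signed-in-user show --query id -o tsv)
  az role assignment create --assignee-object-id "$ME" --assignee-principal-type User \
    --role "Key Vault Administrator" --scope "$VAULT_ID"

  # 3. Network: deny by default, allow trusted Azure services and one CIDR.
  #    A private endpoint (az network private-endpoint create ... --group-id vault)
  #    is the stricter alternative to the public firewall.
  az keyvault update --name "$VAULT" --resource-group "$RG" \
    --default-action Deny --bypass AzureServices
  az keyvault network-rule add --name "$VAULT" --resource-group "$RG" --ip-address "$ALLOWED_CIDR"

  # 4. Audit logging only exists once a diagnostic setting ships AuditEvent somewhere.
  if [ -n "$WORKSPACE_ID" ]; then
    az monitor diagnostic-settings create --name kv-audit --resource "$VAULT_ID" \
      --workspace "$WORKSPACE_ID" --logs '[{"category":"AuditEvent","enabled":true}]'
  fi

  # 5. A secret with an explicit expiry. The value is read from the environment, not
  #    this script's argv (it still passes through az's argv; use --file if that matters).
  #    GNU date assumed for the expiry arithmetic.
  EXPIRES=$(date -u -d '+90 days' +%Y-%m-%dT%H:%M:%SZ)
  az keyvault secret set --vault-name "$VAULT" --name MyDbPassword \
    --value "$DB_PASSWORD" --expires "$EXPIRES" >/dev/null

  # 6. A signing key with a rotation policy: rotate 30 days before expiry, notify 7 days before.
  az keyvault key create --vault-name "$VAULT" --name app-signing --kty RSA --size 3072
  POLICY=$(mktemp)
  cat > "$POLICY" <<'EOF'
{ "lifetimeActions": [
    { "trigger": { "timeBeforeExpiry": "P30D" }, "action": { "type": "Rotate" } },
    { "trigger": { "timeBeforeExpiry": "P7D" },  "action": { "type": "Notify" } } ],
  "attributes": { "expiryTime": "P1Y" } }
EOF
  az keyvault key rotation-policy update --vault-name "$VAULT" --name app-signing --value "$POLICY"
  rm -f "$POLICY"

  # 7. App Service: system-assigned identity, least-privilege role (read secrets only),
  #    and a Key Vault reference instead of the secret value in app settings.
  #    With the firewall on, the app's outbound IPs (or its VNet integration) must be
  #    allowed through, otherwise the reference fails to resolve.
  PRINCIPAL_ID=$(az webapp identity assign --name "$WEBAPP" --resource-group "$RG" \
    --query principalId -o tsv)
  az role assignment create --assignee-object-id "$PRINCIPAL_ID" \
    --assignee-principal-type ServicePrincipal --role "Key Vault Secrets User" --scope "$VAULT_ID"
  az webapp config appsettings set --name "$WEBAPP" --resource-group "$RG" \
    --settings "DbPassword=$(kv_secret_ref "$VAULT" MyDbPassword)"
}

# Only touch Azure when explicitly asked:  DB_PASSWORD=... ./kv-harden.sh apply
if [ "${1:-}" = "apply" ]; then
  : "${DB_PASSWORD:?set DB_PASSWORD in the environment}"
  harden_vault
fi
```

The order matters: the RBAC assignment in step 2 has to exist before the data-plane calls in steps 5 and 6, and the caller's own IP has to be inside ALLOWED_CIDR once the default action is Deny, otherwise those calls are rejected by the firewall rather than by RBAC.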

Further Reading