Microsoft Azure Key Vault is a cloud service that stores secrets and controls access to them. A secret here is anything whose access the user wants to govern, such as passwords, TLS/SSL certificates, API credentials, or cryptographic keys. Key Vault stores these objects in containers, and there are two types of container:
- Vaults: store software-protected and HSM-protected keys, secrets, and certificates.
- Managed HSM pools: store HSM-protected keys only.
Anyone with sufficient permissions on the Azure subscription (for example, Contributor rights on a resource group) can create a key vault, which the organization's security administrator then configures and manages alongside other services.
The graphic below depicts the Azure Key Vault process.
Vault Owner: The vault owner has full access to and control over the key vault, including deciding who else may use it.
Vault Consumer: Vault owners grant consumers permission to perform specific operations, and what a consumer can do depends on the level of access granted. A consumer with management permissions can create keys and manage their lifecycle, and can grant others access to sensitive data if allowed to. Vault owners can review what a consumer is doing, and judge whether that behaviour is trustworthy, from the vault's audit log.
Secrets: An arbitrary sequence of bytes, up to 25 KB in size, assigned to a named value; the value might be a certificate or a password. Consumers read and write secrets by name, subject to the permissions they hold, and each secret is stored as a name/value pair that is encrypted at rest.
Keys: Consumers use keys to perform cryptographic operations such as signing, encrypting, decrypting, and verifying. Because consumers cannot read the key material, Key Vault performs all of these operations on their behalf. Keys come in two forms.
- Software-protected keys: These are cheaper and available in the Standard tier. The cryptographic operations are performed in software by the Key Vault service rather than inside an HSM, so they suit development and testing.
- HSM-protected keys: These are more secure because the operations run inside the HSM and the key material never leaves it; they cost more and require a Premium-tier vault.
Authentication: Azure Key Vault integrates with Azure Active Directory (AAD), which provides strong authentication and authorization. AAD identifies the user or application requesting access, and the vault's access policy or Azure RBAC role assignment determines what that identity may do.
Users with an Azure subscription and the required administrative rights can sign in to Microsoft Azure, create a vault, and store secret data in it.
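The owner/consumer model described above, as an added example that is not part of the original page: an owner creates a Premium-tier vault with RBAC authorization and purge protection, stores a secret, creates a non-exportable HSM-protected signing key restricted to sign/verify, grants a consumer identity least-privilege roles scoped to individual objects, and routes the audit log to Log Analytics. It uses the Az PowerShell modules (Az.Accounts, Az.Resources, Az.KeyVault, Az.Monitor) and assumes you have already run Connect-AzAccount; the resource group, vault name, object ID and workspace resource ID are placeholders, and the diagnostic-setting cmdlets assume the Az.Monitor 3.x cmdlet shape.

```powershell
# Added example (not the page's own code). Placeholders: $rg, $vaultName,
# $appObjectId, $workspaceId. Requires Connect-AzAccount beforehand.

$rg        = 'rg-keyvault-demo'                          # hypothetical resource group
$location  = 'westeurope'
$vaultName = 'kv-demo-' + (Get-Random -Maximum 99999)    # vault names are globally unique

# 1. Vault owner creates the vault. Premium is required for HSM-protected keys.
#    RBAC authorization replaces the legacy access-policy model; purge protection
#    stops a compromised administrator from permanently destroying objects.
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null
$vault = New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location $location `
            -Sku Premium -EnableRbacAuthorization -EnablePurgeProtection

# 2. Under RBAC authorization the owner also needs a data-plane role;
#    Contributor on the resource alone grants no access to secrets or keys.
$me = (Get-AzADUser -SignedIn).Id
New-AzRoleAssignment -ObjectId $me -RoleDefinitionName 'Key Vault Administrator' `
    -Scope $vault.ResourceId | Out-Null

# 3. Store a secret as a name/value pair. The value must be a SecureString.
$dbPassword = ConvertTo-SecureString -String 'example-not-a-real-password' -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vaultName -Name 'db-password' -SecretValue $dbPassword | Out-Null

# 4. Create an HSM-protected signing key whose allowed operations are limited to
#    sign/verify. Consumers can ask the vault to sign with it but can never export it.
Add-AzKeyVaultKey -VaultName $vaultName -Name 'signing-key' -Destination HSM `
    -KeyType RSA -Size 3072 -KeyOps sign,verify | Out-Null

# 5. Grant a consumer (an application's service principal) least privilege:
#    read one secret and use (not manage) one key, scoped to those objects only.
$appObjectId = '00000000-0000-0000-0000-000000000000'    # placeholder object ID
New-AzRoleAssignment -ObjectId $appObjectId -RoleDefinitionName 'Key Vault Secrets User' `
    -Scope "$($vault.ResourceId)/secrets/db-password" | Out-Null
New-AzRoleAssignment -ObjectId $appObjectId -RoleDefinitionName 'Key Vault Crypto User' `
    -Scope "$($vault.ResourceId)/keys/signing-key" | Out-Null

# 6. Send the audit log (every data-plane call with caller identity and result)
#    to a Log Analytics workspace so the owner can review consumer behaviour.
$workspaceId = '/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<name>'
$auditLog = New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category 'AuditEvent'
New-AzDiagnosticSetting -Name 'kv-audit' -ResourceId $vault.ResourceId `
    -WorkspaceId $workspaceId -Log $auditLog | Out-Null

# 7. Sanity check: list what exists. Neither listing reveals secret values or key material.
Get-AzKeyVaultSecret -VaultName $vaultName | Select-Object Name, Enabled, Updated
Get-AzKeyVaultKey    -VaultName $vaultName | Select-Object Name, Enabled, Updated
```

Two choices worth noting: role assignments are scoped to the individual secret and key rather than the whole vault, so the consumer identity cannot enumerate or read anything else in the container, and the key is created with only the sign and verify operations enabled, so even a consumer holding a crypto role cannot turn it into a decryption or wrapping key. If the consumer later needs to read the secret, Get-AzKeyVaultSecret with -AsPlainText returns the value only when that identity holds the Secrets User role on it, and the access is recorded in the AuditEvent log the owner configured.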