A secure container
A Key Vault is a container for cryptographic keys and protected data (secrets, certificates).
az keyvault create --resource-group whatever --name uniquename (CLI; the flag is --resource-group or -g, and the vault name must be globally unique)
New-AzKeyVault -Name uniquename -ResourceGroupName whatever -Location <region> for PowerShell
The main thing: apps don't access key material directly, they call methods (encrypt, decrypt, sign, verify, wrap, unwrap) on the Key Vault service and the key never leaves the vault. Keys, secrets and certificates are versioned: reference a specific version, or omit the version to get the current one.
Hardware security module - physical computing device that safeguards and manages digital keys
Keys are RSA or EC, either software-protected or HSM-protected. Stored at rest in the vault; key usage can be monitored through Key Vault diagnostic logging.
For production use, HSM-protected keys (Premium SKU) are recommended; software-protected keys are for test/pilot scenarios only. HSM-backed keys carry an additional per-key monthly charge in any month the key is used. The portal summary page links to the Azure Key Vault pricing details.
Secrets: small blobs (max 25 KB) - pfx files, connection strings, app settings, etc.
Secrets management
Key Management
Certificate management
Use it for configuration secrets, not for application data.
Use RBAC to control who may manage the vault and which users/apps may read its data.
Store certs in the vault rather than on disk.
Enable soft delete and purge protection (a deleted vault/object can be recovered within the retention period and cannot be purged early).
Authentication is via Azure AD (Microsoft Entra ID).
No support for anonymous access.
Authorization: the management plane uses RBAC; the data plane uses either RBAC (recommended) or vault access policies. Key Vault Contributor: management features only, no access to keys/secrets. Contributor: full management rights, and in the access-policy model it can grant itself data access, so treat it as administrative. Access policies or role assignments can be created in the portal or via CLI/REST.
Choose which networks can connect to your key vault: firewall (default Deny plus allowed IP ranges), virtual network service endpoints, private endpoints, and an optional bypass for trusted Azure services.
Get-AzKeyVault
Get-AzKeyVaultSecret -VaultName 'MyVault' -Name 'SecretName' (returns the value as a SecureString in .SecretValue; add -AsPlainText to read it directly)
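The whole procedure above (create the vault with the recommended protections, grant data-plane access with RBAC, restrict the network, add an HSM-protected key, store and read back a secret) as one added PowerShell example. This is not code from the original notes; the resource group, vault name, region and client IP range are placeholders, and the script assumes the Az.KeyVault and Az.Resources modules and an account that can create role assignments.

```powershell
# Added example, not from the original notes. All names below are assumed placeholders.
$rg       = 'rg-kv-demo'          # assumed resource group (must already exist)
$vault    = 'kv-demo-unique123'   # assumed globally unique vault name (3-24 chars)
$location = 'westeurope'          # assumed region
$clientIp = '203.0.113.0/24'      # assumed allowed client range (documentation prefix)

Connect-AzAccount | Out-Null      # Azure AD sign-in; Key Vault has no anonymous access

# Premium SKU is required for HSM-protected keys. RBAC permission model instead of
# access policies; purge protection so a deleted vault/key cannot be purged early.
$kv = New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location $location `
        -Sku Premium -EnableRbacAuthorization -EnablePurgeProtection `
        -SoftDeleteRetentionInDays 90

# Key Vault Contributor (management plane) gives no data access under RBAC, so grant
# the signed-in account data-plane roles scoped to this vault only (least privilege).
$me = (Get-AzContext).Account.Id
New-AzRoleAssignment -SignInName $me -RoleDefinitionName 'Key Vault Secrets Officer' `
    -Scope $kv.ResourceId | Out-Null
New-AzRoleAssignment -SignInName $me -RoleDefinitionName 'Key Vault Crypto Officer' `
    -Scope $kv.ResourceId | Out-Null
# Role assignments can take a few minutes to propagate; retry the calls below on a 403.

# Default-deny the vault firewall, allow trusted Azure services and one client range.
Update-AzKeyVaultNetworkRuleSet -VaultName $vault -DefaultAction Deny `
    -Bypass AzureServices -IpAddressRange $clientIp

# HSM-protected RSA key: the private key never leaves the HSM; apps ask the service
# to sign/decrypt rather than fetching the key.
$key = Add-AzKeyVaultKey -VaultName $vault -Name 'app-signing' -Destination HSM `
    -KeyType RSA -Size 3072
$key.Id   # versioned identifier; drop the trailing version segment to always use the current version

# Small configuration secret (limit is 25 KB), not application data. Constructed sample value.
$value = ConvertTo-SecureString 'Server=db;User=app;Password=CHANGE-ME' -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vault -Name 'db-connection' -SecretValue $value | Out-Null

# Verify the protections took effect, then read the secret back.
Get-AzKeyVault -VaultName $vault |
    Select-Object VaultName, Sku, EnableRbacAuthorization, EnablePurgeProtection
Get-AzKeyVaultSecret -VaultName $vault -Name 'db-connection' -AsPlainText
```

Without -AsPlainText the last cmdlet returns an object whose .SecretValue is a SecureString, which is what you want when passing the value on to another cmdlet rather than displaying it.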
Azure Key Vault manages X.509 certificates that can come from several sources: self-signed, imported, or issued by a CA. Connect your key vault to a trusted issuer and Key Vault will manage the cert and renew it before expiry. Automatic renewal works for self-signed certs and partnered CAs (e.g. DigiCert, GlobalSign); for other CAs Key Vault produces a CSR that you sign and merge yourself.
App Service: Settings > TLS/SSL settings > Private Key Certificates > Import Key Vault Certificate (the App Service needs read access to the vault's secrets).
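The certificate flow above as an added PowerShell example (not from the original notes): a certificate policy with automatic renewal, issuance in the vault, and import into an App Service. The vault, resource group, web app name and DNS name are assumed placeholders; the self-signed issuer is used so the script runs without a CA account.

```powershell
# Added example, not from the original notes. All names below are assumed placeholders.
$vault  = 'kv-demo-unique123'   # assumed existing vault
$rg     = 'rg-kv-demo'          # assumed resource group
$webApp = 'webapp-demo'         # assumed existing App Service
$certNm = 'www-example-cert'

# Policy: issuer, subject, lifetime, renewal point, and a non-exportable private key.
# IssuerName 'Self' gives a self-signed cert for testing. For a trusted CA, register it
# first with Set-AzKeyVaultCertificateIssuer and use that issuer name here; Key Vault
# then renews automatically for partnered CAs, while other CAs need a manual CSR merge.
$policy = New-AzKeyVaultCertificatePolicy -SubjectName 'CN=www.example.com' `
    -DnsName 'www.example.com' -IssuerName 'Self' -ValidityInMonths 12 `
    -RenewAtNumberOfDaysBeforeExpiry 30 -SecretContentType 'application/x-pkcs12' `
    -KeyType RSA -KeySize 2048 -KeyNotExportable

# Issuance is asynchronous: start it, then poll the operation until it finishes.
Add-AzKeyVaultCertificate -VaultName $vault -Name $certNm -CertificatePolicy $policy | Out-Null
do {
    Start-Sleep -Seconds 5
    $op = Get-AzKeyVaultCertificateOperation -VaultName $vault -Name $certNm
} while ($op.Status -eq 'inProgress')
if ($op.Status -ne 'completed') {
    throw "Certificate issuance failed: $($op.ErrorMessage)"
}

# Same as portal Settings > TLS/SSL settings > Private Key Certificates > Import Key Vault Certificate.
# With the RBAC permission model the Microsoft Azure App Service service principal needs the
# Key Vault Secrets User role on the vault before this import succeeds.
Import-AzWebAppKeyVaultCertificate -KeyVaultName $vault -CertName $certNm `
    -ResourceGroupName $rg -WebAppName $webApp
```

Because the private key is marked non-exportable and the renewal is handled in the vault, the App Service picks up the renewed certificate from Key Vault rather than needing a new upload.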