Azure Key Vault

Azure Key Vault is a cloud service for securely storing and managing sensitive information — secrets, encryption keys, and certificates. It centralises secret management, reduces the risk of accidental exposure, and integrates deeply with other Azure services and Entra ID.

Why Use Azure Key Vault?

Storing sensitive data in application code, configuration files, or environment variables creates multiple risks:

Exposure — secrets in source code can be leaked through repositories
Sprawl — the same secret duplicated across multiple applications is hard to manage
Rotation — updating a secret requires redeploying every application that uses it
Auditing — there is no central log of who accessed which secret and when

Key Vault solves all of these problems:

Benefit	Description
Centralised storage	All secrets, keys, and certificates in one secure location
Access control	Entra ID authentication and RBAC or access policies
Audit logging	Every access is logged and can be monitored
Automatic rotation	Integration with services that support auto-rotation
Hardware protection	HSM-backed keys for the highest level of security

Key Vault Object Types

Secrets

A secret is any arbitrary string value — connection strings, API keys, passwords, tokens.

# Create a secret
az keyvault secret set --vault-name myKeyVault --name "DatabasePassword" --value "S3cur3P@ssw0rd!"

# Retrieve a secret
az keyvault secret show --vault-name myKeyVault --name "DatabasePassword" --query value -o tsv

Keys

Cryptographic keys used for encryption, decryption, signing, and verification. Key Vault supports:

Key Type	Description
RSA	Asymmetric keys (2048, 3072, 4096 bits)
EC	Elliptic curve keys (P-256, P-384, P-521)
Symmetric	AES keys (managed HSM only)

Keys can be software-protected or HSM-protected (using FIPS 140-2 Level 2 or Level 3 validated hardware).

# Create an RSA key
az keyvault key create --vault-name myKeyVault --name "EncryptionKey" --kty RSA --size 2048

Certificates

Key Vault can manage the full lifecycle of TLS/SSL certificates:

Generate — create a certificate signing request (CSR) and issue a self-signed certificate or integrate with a CA (DigiCert, GlobalSign)
Import — upload an existing PFX or PEM certificate
Renew — automatically renew certificates before they expire
Deploy — integrate with Azure services (App Service, Application Gateway, Front Door)

# Create a self-signed certificate
az keyvault certificate create --vault-name myKeyVault --name "MyCert" \
  --policy "$(az keyvault certificate get-default-policy)"

Access Models

Key Vault supports two access models:

Azure RBAC (Recommended)

Uses standard Azure RBAC roles to control access:

Azure Key Vault

Azure Key Vault

Why Use Azure Key Vault?

Key Vault Object Types

Secrets

Keys

Certificates

Access Models

Azure RBAC (Recommended)

More in Cloud