Key Vault
Key Vault is designed to solve secret, key and certificate management. It supports two types of containers:
Vaults
Supports software and HSM-backed keys, secrets and certificates.
Managed hardware security module (HSM) pools
Supports HSM-backed keys only.
Key Vault has two service tiers:
Standard
Supports software keys
Premium
Additionally supports hardware keys (HSM)
Benefits
- Centralises secrets, keys and certificates
- Secure storage with Entra-backed authn and RBAC authz
- Access activity is observable
- Simple, scalable, highly available
Encryption in transit
Key Vault enforces TLS to protect data in transit. TLS provides strong authentication, message privacy and integrity, interoperability, algorithm flexibility, and ease of deployment and use.
Perfect Forward Secrecy (PFS) protects connections between client systems and Microsoft cloud services using unique keys. Connections also use RSA-based 2,048-bit keys. This combination makes it difficult to intercept and access data in transit.
Best practice
Use separate key vaults
One vault per application/environment is recommended.
Control access to your vaults
Only allow authorised personnel to access them.
Recovery
Enable soft delete and purge protection to guard against accidental or malicious deletion.
Backup
Logging
Authentication
There are three ways to authenticate to Key Vault:
Managed identity
This is recommended best practice because Azure manages the Key Vault bootstrap secret.
Service principal + certificate
Not recommended. Bootstrap certificate management is manual.
Service principal + secret
Not recommended. Bootstrap secret management is manual.
It is recommended to use a system-assigned managed identity when authenticating from an application.
There are Azure Identity SDKs available for .NET, Python, Java and JS which can be used to authenticate to Key Vault. You are also able to authenticate with REST.
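Putting the best practices and the managed-identity recommendation above into a deployable form, here is an added Bicep example (not from the original notes): it creates a vault with RBAC authorisation, soft delete and purge protection, grants the application's system-assigned managed identity only the built-in Key Vault Secrets User role, and forwards AuditEvent logs to a Log Analytics workspace. The parameter names and the `kv-audit` setting name are assumptions; the role definition id is the built-in role's id.

```bicep
// Added example (not from the page). Placeholder parameters are supplied at deploy time.
param vaultName string                 // one vault per application/environment
param location string = resourceGroup().location
param appPrincipalId string            // object id of the app's system-assigned managed identity
param logAnalyticsWorkspaceId string   // workspace that receives the audit logs
@allowed(['standard', 'premium'])
param skuName string = 'standard'      // Premium additionally supports HSM-backed keys

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: skuName }
    enableRbacAuthorization: true  // Entra RBAC authz instead of vault access policies
    enableSoftDelete: true         // deleted items are recoverable during the retention period
    softDeleteRetentionInDays: 90
    enablePurgeProtection: true    // no purge until retention expires; cannot be switched off later
  }
}

// Built-in "Key Vault Secrets User" role: read secret values only (least privilege for the app)
var secretsUserRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')

resource appReadsSecrets 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, appPrincipalId, secretsUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: secretsUserRoleId
    principalId: appPrincipalId
    principalType: 'ServicePrincipal'  // managed identities are service principals
  }
}

// Forward AuditEvent logs so every access to the vault is observable
resource kvAudit 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'kv-audit'
  scope: kv
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [ { category: 'AuditEvent', enabled: true } ]
  }
}
```

Because purge protection cannot be disabled once enabled, keep it on only for vaults you intend to retain; for throwaway test vaults soft delete alone may be enough.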