Key Vault
Definition
Azure service for securely storing and managing sensitive information like passwords, certificates, and encryption keys.
Use Cases
- Microsoft: Protecting application secrets and encryption keys for Azure-hosted services and internal applications — Uses Azure Key Vault to store certificates, secrets, and cryptographic keys; applications and services retrieve them at runtime using Azure Active Directory (Microsoft Entra ID) identities and role-based access control, avoiding hard-coded credentials. (Reduced risk of credential leakage, centralized auditing of secret access, and simplified certificate/key rotation across services.)
- Adobe: Managing encryption keys and secrets for cloud applications running on Microsoft Azure — Uses Azure Key Vault for centralized storage of sensitive configuration values and cryptographic keys, integrating with Azure identity controls so workloads can securely fetch secrets without embedding them in code or images. (Improved security posture through centralized secret governance and easier operational management of key/secret rotation.)
Provider Equivalents
- AWS: AWS Secrets Manager (secrets) + AWS Key Management Service (KMS) (keys)
- Azure: Azure Key Vault
- GCP: Secret Manager (secrets) + Cloud Key Management Service (Cloud KMS) (keys)
- OCI: OCI Vault
Frequently Asked Questions
- What's the difference between Azure Key Vault and Azure App Configuration?
- Azure App Configuration stores non-sensitive app settings and feature flags (like UI toggles or endpoint URLs). Azure Key Vault is for sensitive data such as passwords, API keys, certificates, and encryption keys. A common pattern is to keep normal settings in App Configuration and store only secrets in Key Vault, referencing them from your app.
- When should I use Azure Key Vault?
- Use Key Vault when you need to store or use sensitive values securely (database passwords, API tokens), manage TLS/SSL certificates, or control cryptographic keys for encryption/signing. It’s especially useful when multiple apps/environments need the same secrets, when you want auditing and access policies, or when you need rotation without redeploying code.
- How much does Azure Key Vault cost?
- Cost depends on the Key Vault tier (Standard vs Premium), the number of operations (reads/writes, cryptographic operations), and features used. Premium is typically required for hardware-backed keys (HSM). You’ll also pay for certificate-related operations if you manage certificates through the service. For accurate pricing, estimate based on expected monthly operations and whether you need HSM-backed keys.
Category: security
Difficulty: intermediate
Related Terms
See Also