Stage 5 · Platform
Storage & Secrets
Azure Key Vault
Secrets, keys, certificates — creating, rotating, and auditing with Key Vault.
What Is Key Vault?
Azure Key Vault is a centralized service for storing and managing secrets, encryption keys, and certificates. It provides hardware security module (HSM) backed protection, access control, and audit logging for sensitive data.
Key Vault stores three types of objects: Secrets (passwords, connection strings, API keys), Keys (RSA, EC, symmetric keys for encryption), and Certificates (X.509 TLS certificates with auto-rotation).
Vault Types
Key Vault offers two pricing tiers. Standard uses software-protected keys. Premium adds HSM-protected keys for compliance requirements like FIPS 140-2 Level 2.
| Tier | Key Protection | Compliance | Cost |
|---|---|---|---|
| Standard | Software | Basic | ~$0.03/op + $0.03/secret/month |
| Premium | HSM (FIPS 140-2 Level 2) | PCI DSS, HIPAA, FedRAMP | ~$1/key/month + HSM ops |
# Create a Standard tier Key Vault
az keyvault create \
--resource-group rg-payments \
--name kv-payments-prod \
--location eastus \
--sku standard \
--enable-rbac-authorization true
# Create a Premium tier Key Vault with HSM
az keyvault create \
--resource-group rg-payments \
--name kv-payments-hsm \
--location eastus \
--sku premium--enable-rbac-authorization true uses Azure RBAC for access control instead of vault access policies. This is the recommended approach for new vaults.
Managing Secrets
Secrets are versioned strings stored in Key Vault. Each set operation creates a new version. You can retrieve the latest version or a specific version by its ID.
# Set a secret
az keyvault secret set \
--vault-name kv-payments-prod \
--name db-password \
--value "SuperSecret123!" \
--tags "Environment=production"
# Retrieve a secret
az keyvault secret show \
--vault-name kv-payments-prod \
--name db-password \
--query value --output tsv
# List all versions of a secret
az keyvault secret list-versions \
--vault-name kv-payments-prod \
--name db-password \
--query "[].{id:id, created:attributes.created}" --output table
# Delete a secret
az keyvault secret delete --vault-name kv-payments-prod --name db-passwordDeleted secrets are soft-deleted and can be recovered within 90 days. Use --purge to permanently delete if purge protection is disabled.
Purge protection prevents permanent deletion of secrets within the retention period. Enable it on production vaults to protect against accidental or malicious permanent deletion.
Managing Keys
Key Vault keys support RSA, EC, and symmetric algorithms. Keys can be software-protected or HSM-protected. They are used for encrypting data at rest, signing tokens, and decrypting secrets.
# Create an RSA key
az keyvault key create \
--vault-name kv-payments-prod \
--name encryption-key \
--kty RSA \
--size 2048
# List keys
az keyvault key list \
--vault-name kv-payments-prod \
--query "[].{name:name, enabled:attributes.enabled}" --output table
# Back up a key
az keyvault key backup \
--vault-name kv-payments-prod \
--name encryption-key \
--file ./key-backup.jsonKey backups are encrypted and cannot be read as plain text. Store backups in a secure, separate location from the vault.
Certificates
Key Vault can create, store, and auto-renew X.509 TLS certificates. It integrates with Certificate Authority (CA) providers for automated certificate lifecycle management.
# Create a self-signed certificate
az keyvault certificate create \
--vault-name kv-payments-prod \
--name tls-wildcard \
--policy '{
"issuerParameters": {"name": "Self"},
"keyProperties": {"keyType": "RSA", "keySize": 2048, "reuseKey": false},
"secretProperties": {"contentType": "application/x-pkcs12"},
"x509CertificateProperties": {
"subject": "CN=*.contoso.com",
"validityInMonths": 12
}
}'
# List certificates
az keyvault certificate list \
--vault-name kv-payments-prod \
--query "[].{name:name, expiry:attributes.expires}" --output tableFor production, use a CA issuer (DigiCert, GlobalSign) instead of self-signed certificates. Key Vault can auto-renew certificates before they expire.
Auditing and Logging
Key Vault logs every operation — secret reads, key operations, certificate renewals. These logs are sent to a Log Analytics workspace for querying and alerting.
# Create a Log Analytics workspace
az monitor log-analytics workspace create \
--resource-group rg-payments \
--workspace-name law-payments
# Enable diagnostics on Key Vault
WORKSPACE_ID=$(az monitor log-analytics workspace show \
--resource-group rg-payments \
--name law-payments \
--query customerId --output tsv)
az monitor diagnostic-settings create \
--resource "/subscriptions/{sub-id}/resourceGroups/rg-payments/providers/Microsoft.KeyVault/vaults/kv-payments-prod" \
--name kv-diagnostics \
--workspace "$WORKSPACE_ID" \
--logs '[{"category":"AuditEvent","enabled":true}]' \
--metrics '[{"category":"AllMetrics","enabled":true}]'AuditEvent logs capture who accessed what, when, and from where. Use these logs for compliance reporting and security investigations.
Azure App Service and Azure Functions support Key Vault references directly in application settings. Use @Microsoft.KeyVault(VaultName=kv-payments-prod;SecretName=db-password) to inject secrets without code changes.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.