Last updated on January 16, 2026
Azure Key Vault Cheat Sheet
- A service that allows you to store tokens, passwords, certificates, and other secrets.
- You can also create and manage the keys used to encrypt your data.
Features
- Soft delete allows a deleted key vault and its objects to be retrieved during the retention time you designate.
- The retention period of a deleted vault is between 7 to 90 days.
- With soft delete and purge protection both enabled, a vault or object in the deleted state cannot be purged until its retention period has expired.
- You may connect to a key vault via:
  - A public endpoint in all networks
  - A public endpoint in selected networks
  - A private endpoint
- Share access to your applications and resources without revealing your credentials.
- Automated Key Rotation (GA): You can now configure a rotation policy for encryption keys to schedule their automatic generation and replacement. This is critical for cryptographic hygiene and compliance. (Announced GA in April 2022).
- Azure Policy Integration (GA): Key Vault integrates with Azure Policy to provide governance. You can use built-in policies to audit and enforce compliance for your vaults, keys, secrets, and certificates (e.g., enforce key rotation policies or the use of RBAC). (Announced GA in October 2021).
- Doubled Service Throughput Limits: Service quotas for operations like secret GET and key operations have been increased (e.g., from 2,000 to 4,000 transactions per 10 seconds for common operations), improving performance for high-scale applications. (Announced GA in January 2022).
- Mandatory TLS 1.2+: Azure Key Vault now enforces Transport Layer Security (TLS) version 1.2 or higher for all client connections to enhance security. Older TLS versions are no longer supported. (Enforced since June 2023).
Concepts
- A tenant is a representation of an organization.
- Azure Active Directory allows you to publish multi-tenant applications.
- An Azure Active Directory B2C tenant represents a collection of identities.
- A vault owner can create a key vault and set up an audit log of who accesses its secrets and keys.
- A vault consumer can only perform actions on the assets inside the key vault if the vault owner grants the consumer access.
- A manageable item in Azure is called a resource, and resource groups are containers that hold related resources.
- A service principal gives you control over which resources can be accessed. A managed identity eliminates the need for you to create and manage service principals directly, since it provides Azure services with an automatically managed identity in Azure AD.
- You can identify an Azure AD instance within your Azure subscription using a tenant ID.
- An access policy grants the service principal (user group or application) permissions to perform various operations on Azure Key Vault keys, secrets, and certificates.
- You can also configure the access policy from a template.
- With an access policy, you can enable access for:
  - Azure Virtual Machines for deployment – this permits the VMs to retrieve certificates stored as secrets from the key vault.
  - Azure Resource Manager for template deployment – if this option is enabled, ARM is permitted to retrieve secrets from the key vault.
  - Azure Disk Encryption for volume encryption – grants permission to retrieve secrets from the key vault and unwrap keys.
- Azure RBAC is now the recommended authorization system for controlling access to keys, secrets, and certificates. Vault access policies remain supported, but new deployments should use Azure RBAC for its fine-grained, centralized management via Azure Resource Manager. (This recommendation was made official in May 2023).
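The vault settings listed under Features (soft delete with a 90-day retention, purge protection, private-endpoint-only network access, an automatic key rotation policy) together with the RBAC authorization recommended above, expressed as an added Bicep template; this is example code, not part of the original cheat sheet. The vault name, key name, reader principal ID and the built-in role definition ID to grant are assumed parameters.

```bicep
// Added example (not from the cheat sheet): a hardened Key Vault in Bicep.
// Assumed parameters: vault/key names, the principal that reads secrets,
// and the built-in role definition GUID to grant (e.g. Key Vault Secrets User).
param location string = resourceGroup().location
param vaultName string
param keyName string = 'data-encryption-key'
param readerPrincipalId string          // object ID of the app's managed identity
param readerRoleDefinitionId string     // built-in role GUID assigned at vault scope

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true        // Azure RBAC instead of vault access policies
    enableSoftDelete: true
    softDeleteRetentionInDays: 90        // allowed range is 7 to 90 days
    enablePurgeProtection: true          // blocks purge until retention has elapsed
    publicNetworkAccess: 'Disabled'      // reachable only through a private endpoint
    networkAcls: { defaultAction: 'Deny', bypass: 'AzureServices' }
  }
}

// Key with an automatic rotation policy: a new version every 90 days,
// one-year expiry per version, and a notification 30 days before expiry.
resource key 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
  parent: kv
  name: keyName
  properties: {
    kty: 'RSA'
    keySize: 3072
    rotationPolicy: {
      lifetimeActions: [
        { trigger: { timeAfterCreate: 'P90D' }, action: { type: 'Rotate' } }
        { trigger: { timeBeforeExpiry: 'P30D' }, action: { type: 'Notify' } }
      ]
      attributes: { expiryTime: 'P1Y' }
    }
  }
}

// Least-privilege data-plane access: one role, scoped to this vault only.
resource readerAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, readerPrincipalId, readerRoleDefinitionId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', readerRoleDefinitionId)
    principalId: readerPrincipalId
    principalType: 'ServicePrincipal'
  }
}
```

Deploy it with `az deployment group create` into a resource group that already has a private endpoint path to the vault, since `publicNetworkAccess: 'Disabled'` leaves no other route to the data plane.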
Azure Key Vault Pricing
- You are charged if the key has been used at least once in the last 30 days (based on the key’s creation date).
- You are charged for each historical version of a key.
Want to learn more about Azure? Watch the official Microsoft Azure YouTube channel’s video series called Azure Tips and Tricks.