Skip to content

Azure Key Vault Best Practices

Introduction

Azure Key Vault is a service that allows you to securely store and manage encryption keys, secrets, certificates, and other sensitive data in the cloud. It can help you protect your data, comply with regulations, and simplify your development process. It can be used to protect data for a variety of applications, including:

  1. Web applications
  2. Mobile applications
  3. Databases
  4. Virtual machines

However, to get the most out of Azure Key Vault, you need to follow some best practices that will ensure your key vaults are secure, reliable, and scalable. In this blog post, we will cover some of the best practices for using Azure Key Vault, based on the official documentation and other sources.



Use separate key vaults

One of the first decisions you need to make when using Azure Key Vault is how to organize your key vaults. A key vault is a logical container that holds your keys, secrets, and certificates. Each key vault has its own access policies, firewall rules, logging settings, and backup options.

A common mistake is to use a single key vault for multiple applications, environments, or regions. This can lead to security risks, performance issues, and management challenges. For example, if you use the same key vault for your development and production environments, you might accidentally expose your production secrets to your developers. Or if you use the same key vault for different regions, you might experience latency or availability problems due to network distance or regional outages.

Therefore, a best practice is to use a separate key vault for each application, environment, and region. This way, you can isolate your secrets and keys according to their purpose and scope. You can also apply different access policies, firewall rules, logging settings, and backup options for each key vault. This will help you reduce the attack surface, improve performance and availability, and simplify management.

For example, if you have an application that runs in three regions (US East, US West, and Europe) and has two environments (development and production), you should create six key vaults: one for each combination of region and environment. This will allow you to store your secrets and keys in the closest region to your application instances, and to enforce different access policies for your development and production environments.



Control access to your key vaults

Another important aspect of using Azure Key Vault is controlling who can access your key vaults and what they can do with them. Azure Key Vault provides two ways to control access:

  • Role-Based Access Control (RBAC)
  • Access policies.





RBAC allows you to assign roles to users, groups, or applications at different scopes: subscription, resource group, or key vault. Each role defines a set of permissions that grant access to certain operations on certain resources. For example, the Key Vault Contributor role allows you to create and manage key vaults and their properties at the subscription or resource group level. The Key Vault Secrets User role allows you to read secrets from a specific key vault.

Access policies allow you to grant permissions to users or applications at the key vault level. Each access policy defines a set of permissions that grant access to certain operations on certain types of objects: keys, secrets, or certificates. For example, you can grant an application permission to encrypt and decrypt data using a specific key in a specific key vault.

You can define a new access policy with set of permissions that grant access to certain operations on certain types of objects: keys, secrets, or certificates. For example, you can grant an application permission to encrypt and decrypt data using a specific key in a specific key vault.






You can even define a new access policy using the available templates.

A best practice is to use RBAC for managing key vaults and their properties (such as name, location, tags), and use access policies for granting access to keys, secrets, or certificates within a key vault. You should also follow the principle of least privilege: only grant the minimum permissions required for each user or application to perform their tasks.

For example, if you have a web application that needs to read a connection string from a key vault secret, you should assign the web application the Key Vault Secrets User role at the key vault level (using RBAC), and grant it permission to read secrets from that key vault (using an access policy). You should not assign the web application any other roles or permissions that are not necessary for its functionality.

Turn on data protection for your key vaults.

Azure Key Vault provides several features that help you protect your data from accidental or malicious deletion: soft-delete, purge protection, and backup/restore.




Soft delete allows you to recover deleted keys, secrets, or certificates within 90 days of deletion. When you delete an object from a key vault, it is not immediately removed, but marked as deleted and moved to a recovery queue. You can restore it from the recovery queue using the Azure portal,

  1. PowerShell,
  2. Azure CLI.

Purge protection prevents permanent deletion of keys, secrets, or certificates even after soft-delete is enabled. When purge protection is enabled, you cannot purge deleted objects from the recovery queue until the retention period (90 days by default) expires. This adds an extra layer of protection against malicious or accidental deletion.

Backup/restore allows you to export and import keys, secrets, or certificates from one key vault to another using PowerShell or CLI. This can be useful for disaster recovery scenarios, such as when a key vault is corrupted or compromised.




A best practice is to turn on soft-delete and purge protection for all your key vaults and enable backup/restore for those key vaults that contain objects that cannot be recreated from other sources, such as encryption keys generated within the key vault.

For example, if you have a key vault that contains a symmetric encryption key that is used to encrypt sensitive data in your application, you should enable soft-delete, purge protection, and backup / restore for that key vault. This way, you can recover the encryption key in case it is deleted by mistake or by an attacker.

How to Enable Purge Protection

You can enable purge protection selecting the properties of key vault

By default, Azure Key Vault includes protections against data loss and mechanisms to always keep your data available. Although its not recommended, only back up secrets if there’s a good business need to do so.






And select download backup. Key vault objects (such as secrets, keys, and certificates) are downloaded during the backup process in an encrypted blob format. This blob is Azure-only and requires Azure to decode. You must restore this blob into a key vault in the same Azure subscription and Azure region for it to be useable again.

Turn on logging for your key vaults.

Azure Key Vault provides logging capabilities that help you monitor and audit the activities performed on your key vaults and their objects.

You can use Azure Monitor Logs to collect and analyse the logs generated by Azure Key Vault. You can also use Azure Monitor Alerts to create alerts based on log events or metrics that indicate potential issues or incidents with your key vaults.






A best practice is to turn on logging for all your key vaults and set up alerts for critical events or anomalies that require your attention.

For example, you can create an alert that notifies you when someone tries to delete or purge a key or secret from your key vault. You can also create an alert that notifies you when the number of requests or failures to your key vault exceeds a certain threshold.






Select the Signal you want to create alert for

Logging and alerting can help you detect and respond to security incidents performance issues, or configuration errors with your key vaults.

Conclusion

Azure Key Vault is a powerful service that can help you secure and manage your encryption keys, secrets, certificates, and other sensitive data in the cloud. However, to get the most out of Azure Key Vault, you need to follow some best practices that will ensure your key vaults are secure, reliable, and scalable.

In this blog post, we covered some of the best practices for using Azure Key Vault, such as:

  • Use separate key vaults for each application, environment, and region.
  • Control access to your key vaults using RBAC and access policies.
  • Turn on data protection features such as soft-delete, purge protection, and backup/restore.
  • Turn on logging for your key vaults and set up alerts for critical events or anomalies.





I hope this blog post was helpful and informative. If you have any questions or feedback, please leave a comment below.