Microsoft has announced the preview of a new service – Azure Key Vault. Key Vault is a service specifically for storing cryptographic keys and managing other secrets to be used with other cloud services.
Secure key management is essential to protecting data in the cloud. With Key Vault, you can encrypt keys and small secrets like passwords with keys stored in Hardware Security Modules (HSMs). For added assurance, import or generate your keys in HSMs certified to FIPS 140-2 Level 2 and Common Criteria EAL4+ standards – so that your keys stay within the HSM boundary. Key Vault is designed so that Microsoft does not see or extract your keys. Monitor and audit key use with Azure logging – pipe logs into HDInsight or your SIEM for additional analysis and threat detection (coming soon).
The key message here is that you create keys offsite, which means Microsoft never sees your private keys. Key Vault takes your already-created keys, lets you upload them into a secure container and then delegate permissions to third-party applications. Currently, only asymmetric keys are supported, but elliptic curve and symmetric keys will be supported in the future.
Where would we use such a service?
- Storage of service account passwords used within custom LOB applications
- Storage of user account passwords used within custom LOB applications
- Storage of keys used to encrypt files or SQL Server databases
- Storage of keys used to encrypt VM images
In addition, the Key Vault architecture supports SaaS vendors who want to enable their customers to upload their own keys without the SaaS vendor being able to access them.
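The workflow described above, as an added example written with the current Az PowerShell module (not code from the original post, whose preview-era cmdlets were named differently): generate or import a key inside the HSM, store a service-account password as a secret, and delegate minimal permissions to a third-party application. The resource group, vault name, storage account and the application's service principal ID are placeholders.

```powershell
# Added example using the Az PowerShell module (Az.KeyVault, Az.Monitor).
# All names below are placeholders; the vault name must be globally unique.
$rg        = 'kv-demo-rg'
$location  = 'westeurope'
$vaultName = 'contoso-kv-placeholder'
$appId     = '00000000-0000-0000-0000-000000000000'   # third-party app's service principal (placeholder)

Connect-AzAccount

# The Premium SKU is required for HSM-protected keys.
New-AzResourceGroup -Name $rg -Location $location
$kv = New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location $location -Sku Premium

# Generate an RSA key inside the HSM so the private half never leaves the HSM boundary.
Add-AzKeyVaultKey -VaultName $vaultName -Name 'sql-tde-key' -Destination HSM

# Alternatively, import a key created offsite (.pfx) straight into the HSM.
# $pfxPwd = Read-Host -AsSecureString -Prompt 'PFX password'
# Add-AzKeyVaultKey -VaultName $vaultName -Name 'vm-image-key' `
#     -KeyFilePath '.\vm-image-key.pfx' -KeyFilePassword $pfxPwd -Destination HSM

# Store a service-account password as a secret instead of in the LOB app's config file.
$svcPwd = Read-Host -AsSecureString -Prompt 'Service account password'
Set-AzKeyVaultSecret -VaultName $vaultName -Name 'lob-svc-password' -SecretValue $svcPwd

# Delegate least privilege: access policies are per vault, so the app can fetch secrets it
# knows by name (get) and wrap/unwrap with keys, but cannot enumerate, export, set or delete.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $appId `
    -PermissionsToSecrets get `
    -PermissionsToKeys wrapKey,unwrapKey

# Audit logging: send Key Vault AuditEvent logs to an existing storage account so every
# key and secret operation is recorded. (Assumption: Set-AzDiagnosticSetting is available
# in the installed Az.Monitor version; newer versions prefer New-AzDiagnosticSetting.)
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name 'kvauditlogsplaceholder'
Set-AzDiagnosticSetting -ResourceId $kv.ResourceId -StorageAccountId $sa.Id `
    -Enabled $true -Category AuditEvent
```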