Securing resources using passwords, keys, credentials, certificates, and unique identifiers are an important element for any environment and application. They are important elements from the security perspective. They need to be protected, and to ensure that these resources remain secure and do not get compromised is an important pillar of security architecture. Management and operations that keep the secrets and keys secure, while making them available when needed, is an important aspect that cannot be ignored. Typically, these secrets are used all over the place—within the source code, configuration file, pieces of paper, and in other digital formats. To overcome these challenges and store all secrets uniformly in a centralized secure storage, Azure Key Vaults should be created.
Azure Key Vault is well integrated with other Azure services. For example, using a certificate stored in Azure Key Vault and deploying it on Azure virtual machines certificate store can be easily performed. All kinds of keys, including storage keys, IoT and event keys, and connection strings, can be stored as secrets in Azure Key Vault. They can be retrieved and used transparently without anyone viewing them or storing them temporarily anywhere. Credentials for SQL Server and other services can also be stored in Azure Key Vault.
Azure Key Vault works on a per-region basis. What this means is that an Azure Key Vault resource should be provisioned at the same region where the application and service is deployed. If a deployment consists of more than one region and needs services from Azure Key Vault, multiple Azure Key Vault instances should be provisioned.
An important feature of Azure Key Vault is that the secrets, keys, and certificates are not stored on general storage. This sensitive data is backed up by the Hardware security module. This means that this data are stored in separate hardware on Azure that can only be unlocked by keys owned by users.