As a central key management service, a Key Vault has the following capabilities:
- Storing secure strings called secrets, such as passwords
- Encrypting virtual machine (VM) disks using Key Vault keys
- Storing certificates with their private keys
- Generating self-signed certificates
- Managing storage account access keys
Users or applications access keys and secrets stored in a Key Vault. Administrators and developers constantly use Key Vault secrets to access Azure services such as VMs, storage accounts, and databases. Thus, they don't have to place VM passwords or storage account keys directly in code or templates. Instead, they connect to a Key Vault first to obtain keys and secrets, and then use these keys and secrets to authenticate to resources.
There are basically three elements used in Key Vaults: keys, secrets, and certificates. Keys are the elements mostly used for encryption while secrets consist of authentication keys, passwords, and storage account keys. You can also store certificates in Key Vaults for many different purposes, such as encryption, authentication, and authorization.
Listing Key Vaults with details
The following commands can list existing Key Vaults in detail:
Get-AzureRmKeyVault
Get-AzureRmKeyVault -VaultName devopskeyvault1 -ResourceGroupName "DevOpsTools"
You may have noticed that each Key Vault has access policies. These allow administrators to delegate permissions flexibly over keys, certificates, secrets, and managed storage. Access policies apply to principals, such as users and applications. Different users can have different permissions for the same Key Vault. For example, one principal can manage keys while another manages certificates in a particular Key Vault.
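The following is an added example, not part of the original article, that reviews a vault's access policies for least privilege: it flags principals whose policy spans more than one object type or includes destructive permissions. The function name Find-BroadVaultPolicy, the risky-permission list, and the sample policy objects are assumptions constructed for illustration; the property names follow the AccessPolicies entries returned by Get-AzureRmKeyVault.

```powershell
# Added example: audit Key Vault access policies for overly broad grants.
function Find-BroadVaultPolicy {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Policy,
        # Assumption: permissions treated as high-risk for routine principals.
        [string[]] $RiskyPermissions = @('delete', 'purge', 'all')
    )
    process {
        $granted = @()
        $risky   = @()
        foreach ($scope in 'Keys', 'Secrets', 'Certificates') {
            # Drop null entries so an unset permission list counts as empty.
            $perms = @($Policy."PermissionsTo$scope" | Where-Object { $_ })
            if ($perms.Count -gt 0) { $granted += $scope }
            $risky += @($perms |
                Where-Object { $RiskyPermissions -contains $_ } |
                ForEach-Object { "$scope/$_" })
        }
        # Flag principals that cross object types or hold destructive rights.
        if ($granted.Count -gt 1 -or $risky.Count -gt 0) {
            [pscustomobject]@{
                Principal = $Policy.DisplayName
                Scopes    = $granted -join ','
                Risky     = $risky -join ','
            }
        }
    }
}

# Constructed sample policies so the check runs without an Azure session.
$samplePolicies = @(
    [pscustomobject]@{ DisplayName = 'app-web (constructed)'
        PermissionsToKeys = @(); PermissionsToSecrets = @('get')
        PermissionsToCertificates = @() }
    [pscustomobject]@{ DisplayName = 'key-admin (constructed)'
        PermissionsToKeys = @('get', 'list', 'create', 'delete')
        PermissionsToSecrets = @(); PermissionsToCertificates = @() }
    [pscustomobject]@{ DisplayName = 'ops-user (constructed)'
        PermissionsToKeys = @('get'); PermissionsToSecrets = @('get', 'list', 'set')
        PermissionsToCertificates = @('get') }
)
$samplePolicies | Find-BroadVaultPolicy | Format-Table -AutoSize

# Against a real vault (names taken from the commands above):
# (Get-AzureRmKeyVault -VaultName devopskeyvault1 -ResourceGroupName "DevOpsTools").AccessPolicies |
#     Find-BroadVaultPolicy
```

Run Get-AzureRmKeyVault with -VaultName for the live check, since the access policies come from the detailed single-vault output.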
Creating a new Key Vault
Each Key Vault in Azure must have a globally unique name. That's because Azure assigns Key Vaults unique Uniform Resource Identifiers (URIs) based on the name specified upon creation: Azure uses the Key Vault name as the prefix in the vault.azure.net domain.
The following command creates a new Key Vault:
New-AzureRmKeyVault -VaultName UniqueKeyVaultName1 -ResourceGroupName "DevOpsTools" -Location "West Europe"
After creating a Key Vault, you can then manage secrets, keys, and certificates for various tasks.
Managing secrets
You can create a new secret with these commands:
$secretvalue = "secret value" | ConvertTo-SecureString -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName "UniqueKeyVaultName1" -Name Secret1 -SecretValue $secretvalue
You can now use this secret as a secure string (such as a password) by calling it directly from the Key Vault instead of having to specify it in a script as plain text. This is pretty useful, especially for storing administrator credentials securely.
To get the secret value text back from the Key Vault, use the following:
(Get-AzureKeyVaultSecret -VaultName "UniqueKeyVaultName1" -Name Secret1).SecretValueText
Managing keys
You can use the following command to create a new Key Vault key (RSA key). There are two options here: software keys and hardware keys. If you want to use your organization's own HSM-protected keys, you need to use the Hardware value as the Destination.
Add-AzureKeyVaultKey -VaultName "UniqueKeyVaultName1" -Name Key1 -Destination Software
The following command lists the operations you can now use this key for:
Get-AzureKeyVaultKey -VaultName "UniqueKeyVaultName1" -Name Key1 | select -ExpandProperty Attributes | select -ExpandProperty keyops
Managing certificates
To create a new self-signed certificate in Azure, you can use the following:
$certpolicy = New-AzureKeyVaultCertificatePolicy -SubjectName "CN=www.bakionur.com" -IssuerName Self -ValidityInMonths 12
Add-AzureKeyVaultCertificate -VaultName "UniqueKeyVaultName1" -Name Cert1 -CertificatePolicy $certpolicy
Note that it may take some time for the certificate to appear in the Azure portal.
After a couple of minutes, you can get the details with the following command:
Get-AzureKeyVaultCertificate -VaultName "UniqueKeyVaultName1" -Name Cert1
And with the following command, you can import an existing .PFX file into Azure:
$PfxPassword = ConvertTo-SecureString -String "password" -AsPlainText -Force
Import-AzureKeyVaultCertificate -VaultName "UniqueKeyVaultName1" -Name "Cert2" -FilePath "C:\temp\cert.pfx" -Password $PfxPassword
When importing a certificate into Azure, the certificate key becomes a Managed Key. It then appears under both the Keys and Certificates sections.
The following are the most commonly used scenarios:
- Referencing Key Vaults from ARM templates to get keys, secrets, and certificates
- Calling passwords from PowerShell scripts
- Storing the Base64 data of a certificate as a secret in a Key Vault
- Encrypting a Virtual Machine with an Azure-managed key
We’ve had a quick look at the Key Vault fundamentals. Indeed, many more combinations are possible with Key Vaults in Azure environments.