Azure Key Vault can store sensitive data such as passwords and make it available to scripts and Azure Resource Manager (ARM) templates that reference it for everyday tasks.

As a central key management service, a Key Vault has the following capabilities:

  • Storing secure strings called secrets, such as passwords
  • Encrypting virtual machine (VM) disks using Key Vault keys
  • Storing certificates with their private keys
  • Generating self-signed certificates
  • Managing storage account access keys

Users or applications access the keys and secrets stored in a Key Vault. Administrators and developers constantly use Key Vault secrets to access Azure services such as VMs, storage accounts, and databases, so they don't have to place VM passwords or storage account keys directly in code or templates. Instead, they connect to a Key Vault first to obtain the keys and secrets, and then authenticate to the resources with them.

A Key Vault holds three kinds of objects: keys, secrets, and certificates. Keys are mostly used for encryption, while secrets hold authentication keys, passwords, and storage account keys. You can also store certificates in a Key Vault for many purposes, such as encryption, authentication, and authorization.

Listing Key Vaults with details

The following command lists an existing Key Vault with its details:

Get-AzureRmKeyVault -VaultName devopskeyvault1 -ResourceGroupName "DevOpsTools"

Listing Key Vaults

You may have noticed that each Key Vault has access policies. These allow administrators to delegate rights flexibly over keys, certificates, secrets, and managed storage. Access policies apply to principals, such as users and applications, and different principals can have different permissions on the same Key Vault: one can be allowed to manage keys while another manages certificates in that vault.
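As an added example that is not from the original article, the following grants two principals different permissions on the same vault and then reviews the result. The vault and resource group names follow the article; the service principal display name and the operator's UPN are placeholders.

```powershell
# Added example, not from the original article. Vault and resource group names follow
# the article; the service principal name and the UPN are placeholders.
$vault = "UniqueKeyVaultName1"
$rg    = "DevOpsTools"

# Principal 1: a deployment application that only needs to read secrets at run time.
# Look the service principal up by display name and stop if it is missing or ambiguous.
$appSpn = @(Get-AzureRmADServicePrincipal -SearchString "devops-deploy-app")
if ($appSpn.Count -ne 1) { throw "Expected exactly one service principal, found $($appSpn.Count)." }

Set-AzureRmKeyVaultAccessPolicy -VaultName $vault -ResourceGroupName $rg `
    -ObjectId $appSpn[0].Id `
    -PermissionsToSecrets get,list

# Principal 2: a PKI operator who manages certificates but gets no access to keys or secrets.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vault -ResourceGroupName $rg `
    -UserPrincipalName "pki.operator@contoso.com" `
    -PermissionsToCertificates get,list,create,import,update

# Review what is actually granted: one row per principal, one column per object type.
(Get-AzureRmKeyVault -VaultName $vault -ResourceGroupName $rg).AccessPolicies |
    Select-Object DisplayName, ObjectId,
        @{ n = 'Keys';         e = { $_.PermissionsToKeys -join ',' } },
        @{ n = 'Secrets';      e = { $_.PermissionsToSecrets -join ',' } },
        @{ n = 'Certificates'; e = { $_.PermissionsToCertificates -join ',' } } |
    Format-Table -AutoSize

# Revoking is one call per principal; the other policies on the vault are untouched.
# Remove-AzureRmKeyVaultAccessPolicy -VaultName $vault -ResourceGroupName $rg -UserPrincipalName "pki.operator@contoso.com"
```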

Creating a new Key Vault

Each Key Vault in Azure must have a globally unique name. That's because Azure assigns each Key Vault a Uniform Resource Identifier (URI) based on the name specified at creation, and that name becomes the host-name prefix of the vault's URI.

The following command creates a new Key Vault:

New-AzureRmKeyVault -VaultName UniqueKeyVaultName1 -ResourceGroupName "DevOpsTools" -Location "West Europe"

Creating a new Key Vault

After creating a Key Vault, you can then manage secrets, keys, and certificates for various tasks.

Managing secrets

You can create a new secret with these commands:

$secretvalue="secret value" | ConvertTo-SecureString -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName "UniqueKeyVaultName1" -Name Secret1 -SecretValue $secretvalue

Creating a new secret

You can now use this secret as a secure string (such as a password) by retrieving it directly from the Key Vault instead of specifying it in a script as plain text. This is especially useful for storing administrator credentials securely.
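As an added example that is not from the original article, the following turns the stored secret into a PSCredential for a VM configuration without the plaintext ever appearing in the script. The vault and secret names follow the article; the VM name, size, and local administrator name are placeholders.

```powershell
# Added example, not from the original article. Vault and secret names follow the
# article; the VM name, VM size, and local admin user name are placeholders.
$vault      = "UniqueKeyVaultName1"
$secretName = "Secret1"

$secret = Get-AzureKeyVaultSecret -VaultName $vault -Name $secretName
if (-not $secret) { throw "Secret '$secretName' was not found in vault '$vault'." }

# Honour the secret's own attributes before using it.
if (-not $secret.Attributes.Enabled) { throw "Secret '$secretName' is disabled." }
if ($secret.Attributes.Expires -and $secret.Attributes.Expires -lt (Get-Date).ToUniversalTime()) {
    throw "Secret '$secretName' expired on $($secret.Attributes.Expires)."
}

# .SecretValue is already a SecureString. Do not use .SecretValueText here: that would
# place the plaintext in a variable, and from there into transcripts or verbose logs.
$adminCred = New-Object System.Management.Automation.PSCredential ("vmadmin", $secret.SecretValue)

# The credential goes straight into the VM configuration; the script never holds plaintext.
$vmConfig = New-AzureRmVMConfig -VMName "devops-vm1" -VMSize "Standard_B2s" |
    Set-AzureRmVMOperatingSystem -Windows -ComputerName "devops-vm1" -Credential $adminCred
```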

To get the secret value text back from the Key Vault, use the following:

(Get-AzureKeyVaultSecret -VaultName "UniqueKeyVaultName1" -Name Secret1).SecretValueText

Getting secret value in plain text

Managing keys

You can use the following command to create a new Key Vault key (an RSA key). There are two options here: software keys and hardware keys. If you want to use your organization's own HSM-protected keys, you need to set Destination to the Hardware value.

Add-AzureKeyVaultKey -VaultName "UniqueKeyVaultName1" -Name Key1 -Destination Software

Creating a new Key Vault key

The following command shows the operations this key can be used for:

Get-AzureKeyVaultKey -VaultName "UniqueKeyVaultName1" -Name Key1 | select -ExpandProperty Attributes | select -ExpandProperty keyops

Getting key operations

Managing certificates

To create a new self-signed certificate in Azure, use the following:

$certpolicy = New-AzureKeyVaultCertificatePolicy -SubjectName "" -IssuerName Self -ValidityInMonths 12
Add-AzureKeyVaultCertificate -VaultName "UniqueKeyVaultName1" -Name Cert1 -CertificatePolicy $certpolicy

Note that it may take some time for the certificate to appear in the Azure portal.

Creating a new self-signed certificate in a Key Vault

After a couple of minutes, you can get the details with the following command:

Get-AzureKeyVaultCertificate -VaultName "UniqueKeyVaultName1" -Name Cert1

Getting the certificate details

With the following commands, you can import an existing .PFX file into Azure:

$PfxPassword = ConvertTo-SecureString -String "password" -AsPlainText -Force
Import-AzureKeyVaultCertificate -VaultName "UniqueKeyVaultName1" -Name "Cert2" -FilePath "C:\temp\cert.pfx" -Password $PfxPassword

Importing an existing .PFX certificate into a Key Vault

When importing a certificate into Azure, the certificate key becomes a Managed Key. It then appears under both the Keys and Certificates sections.

The most common scenarios are:

  • Referencing Key Vaults from ARM templates to retrieve keys, secrets, and certificates
  • Retrieving passwords from PowerShell scripts
  • Storing the Base64 data of a certificate as a secret in a Key Vault
  • Encrypting a virtual machine with an Azure-managed key
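As an added example that is not from the original article, the following covers the first scenario: an ARM template deployment reads an administrator password straight from the vault, so the parameter file carries only a reference. The vault, resource group, and secret names follow the article; the template file name and the adminPassword parameter are assumptions about your template.

```powershell
# Added example, not from the original article. Vault, resource group, and secret
# names follow the article; "armtemplate.json" and its "adminPassword" parameter
# (declared as type "securestring") are assumptions about the template you deploy.
$vault  = "UniqueKeyVaultName1"
$rg     = "DevOpsTools"
$secret = "Secret1"

# ARM may only read secrets from a vault that has explicitly been enabled for it.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vault -ResourceGroupName $rg -EnabledForTemplateDeployment

# The parameter file carries the vault's resource ID and the secret name, never the value.
$kvId = (Get-AzureRmKeyVault -VaultName $vault -ResourceGroupName $rg).ResourceId
$parameters = @{
    '$schema'      = "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#"
    contentVersion = "1.0.0.0"
    parameters     = @{
        adminPassword = @{
            reference = @{
                keyVault   = @{ id = $kvId }
                secretName = $secret
            }
        }
    }
}
$paramFile = Join-Path $env:TEMP "vm.parameters.json"
$parameters | ConvertTo-Json -Depth 10 | Set-Content -Path $paramFile -Encoding UTF8

# ARM resolves the reference at deployment time, so the password is in neither the
# parameter file, the shell history, nor the deployment's recorded inputs.
New-AzureRmResourceGroupDeployment -ResourceGroupName $rg -TemplateFile ".\armtemplate.json" -TemplateParameterFile $paramFile
```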

We’ve had a quick look at the Key Vault fundamentals. Indeed, many more combinations are possible with Key Vaults in Azure environments.

  1. sandeepH 5 years ago

    Thanks for the article.

    Is there any article on encryption of ADLS with Key Vault?

  2.

    Thanks for the article.

    Is there any article on encryption of ADLS with Key Vault?


  3. Leila Chinaveh 5 years ago


    Is there any way to check the availability of a Key Vault name in PowerShell, like the command we have for storage account names?

  4. Author

    Hi Leila,

    You can use the following code to check Key Vault name availability on Azure.

    Please ensure you've filled in the first section of the code.

    ## change here ##

    $TENANTID       = "<tenant-id>"               # placeholder: fill in your own value
    $APPID          = "<application-id>"          # placeholder
    $PASSWORD       = "<client-secret>"           # placeholder
    $subscriptionId = "<subscription-id>"         # placeholder
    $NameToCheck    = "<keyvault-name-to-check>"  # placeholder

    ### do not make any changes here ###

    # The endpoint host names were lost when this comment was extracted; the standard
    # Azure AD token endpoint and Azure Resource Manager endpoint are assumed here.
    $result = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TENANTID/oauth2/token?api-version=1.0" -Method Post -Body @{ "grant_type" = "client_credentials"; "resource" = "https://management.azure.com/"; "client_id" = "$APPID"; "client_secret" = "$PASSWORD" }
    $token = $result.access_token

    $Body = @{
        "name" = $NameToCheck
        "type" = "Microsoft.KeyVault/vaults"
    } | ConvertTo-Json

    $Headers = @{ 'authorization' = "Bearer $token" }

    $Uri = "https://management.azure.com/subscriptions/$subscriptionId/providers/Microsoft.KeyVault/checkNameAvailability?api-version=2018-02-14"

    Invoke-RestMethod -Uri $Uri -Headers $Headers -Method POST -Body $Body -ContentType "application/json"


  5. Author

    Hi Sandeep,

    You can use the following code:

    $Key = Add-AzureKeyVaultKey -Destination Software -Name "keyname" -VaultName "keyvaultname"
    $KeyId = $Key.Version.ToString()
    # The template expects the key name, not the whole key object.
    New-AzureRmResourceGroupDeployment -ResourceGroupName "resourcegroupname" -TemplateFile "armtemplate.json" -DataLakeStoreName "ADLSName" -KeyVaultName "keyvaultname" -DataLakeStoreKeyVaultKeyName $Key.Name -DataLakeStoreKeyVaultKeyVersion $KeyId
    $ADSLACC = Get-AzureRmDataLakeStoreAccount -Name "ADLSName"
    $ADSLACCSPNID = $ADSLACC.Identity.PrincipalId
    # Grant the Data Lake Store's managed identity only what it needs on the key.
    Set-AzureRmKeyVaultAccessPolicy -VaultName "keyvaultname" -ObjectId $ADSLACCSPNID -PermissionsToKeys encrypt,decrypt,get -BypassObjectIdValidation
    Enable-AdlStoreKeyVault -Account $ADSLACC.Name

© 4sysops 2006 - 2023