Azure Key Vault

Question 1

2 Tiers

Answer 1

• Standard (SW Abstraction)

- Premium (Multi-tenant HSM )

Question 2

Standard Tier of Azure Key Vault

L1

Answer 2

Software Abstraction
Thales N-Shield Hardware
FIPS-140-2 Level 1

Question 3

Premium Tier of Azure Key Vault

L2

Answer 3

Multi-tenant HSM / Shared HSM
Secrets/keys/certificates > HSM
FIPS 140-2 Level 2
Isolated by RBAC

Question 4

Dedicated HSM

Level 3

Answer 4

FIPS-104 Level 3 or CC EAL 4+
Direct control of HSM
Safenet Luna HSM 7
Low Latency
MS Connects HSM to VNET and power it up
Client controls and manages entire life cycle

Question 5

Azure Key Vault contains

Answer 5

• Keys
• Secrets
• Certificates & Meta Data

Question 6

How is Azure Key Vault accessed ?

Answer 6

Azure Key Vault API

Question 7

Steps for App to access AKV resources ?

Answer 7

1. App. is registered to AAD
2. App. gets Client ID and Authn. Key from AAD
3. App. submits CID & AK to AAD
4. App. gets back the TOKEN from AAD

To Access AKV from App.

5. App. sends Token to AKV
6. AKV uses OpenID to AAD to authenticate the App.
7. AKV provides access to Application

Question 8

AKV > KEYS

Answer 8

Stays within Azure Key Vault
Generated by Key Vault
Crypto material imported to AKV

Authorized Cloud Services - requests - AKV to perform operations using KEY

Operations

• Create
• Import
• Get
• List
• Backup
• Restore
• Delete
• Update
• Sign
• Verify
• Encrypt
• Decrypt

Question 9

Azure > Secret

Used for

Operations

Answer 9

• Small Data Blobs - 10 KB
• Leaves AKV Boundaries

Used for

• Connection Strings
• Account Keys
• Password for PFX

Operations

• Create
• Update
• Get
• List
• Delete

Question 10

AKV Auditor - What does they do ?

Answer 10

Monitor Key Vault Logs
Review usage logs to confirm proper key usage
Compliance adherence for data security standards

Question 11

AKV Configuration

Answer 11

Name: 
Location:
Vault URI :  name-kv.vault.azure.net
SKU : Standard/Premium
Directory ID: 
Directory Name
Soft Delete
Purge Protection

Question 12

AKV -Certificates

Answer 12

Operations

• Create
• Update
• Policing
• Import
• Renewal
• Update

Question 13

AKV Lifetime - Owner operations

Answer 13

Create Key
Import/create Master Key
Authorize - Authorize applications and users for specific operations
Setup ACL
Registers with AD 
Create Service Principal
Enable Usage Log

Question 14

AKV Lifetime - Key Secret/owner operations

Answer 14

Adds Secrets/Keys to Key Vault

Question 15

AKV Lifetime - App Owner/Service Principal

Answer 15

Uses secrets and Keys in KEY VAULT

Authenticate with AD and obtain Token

Question 16

Use case for AKV

Answer 16

VM Deployment
ARM Template deployment
Disk Volume Encryption

Question 17

AKV URL

Answer 17

https://{VAULT NAME}.vault.azure.net
/{object-type}/{object-name}/object-version

Keys
- Key Version

Secrets
- Secret versions

Question 18

Managed HSM URL

Answer 18

https://{hsm-name}/managedhsm.azure.net

Question 19

What and how it uses HSM

Answer 19

Sharepoint Online- Cust Key
CA - Certificates
Storage Accounts (S3) - API keys / SA Access keys
SQL - Password/TDE Encryption
VM - Bitlocker Encryption Key / Admin Password
IAP - AP Encryption Key
Exchange - Customer Keys

Question 20

AKV Best Practices

Answer 20

User managed identities
Designate KV for different environments - Prod/Staging/UAT
Turn on “Soft Delete”

Question 21

ARM template and AKV

Answer 21

ARM Template (JSON Parameter File) references “Secret” in AKV

AKV Configuration
“ enableForTemplateDe[ployment” : Enabled