Azure Key Vault Flashcards
Accessing Azure Key Vault
Management Plane: Azure portal, RBAC, create and delete vaults, configure vault properties, manage access policies
Data Plane: certificate, key, and secret values, cryptographic actions and operations, RBAC or key vault access policies
Azure Key Vault Standard is:
a software-based HSM; Azure Key Vault Premium is a hardware-backed cloud HSM
Key Vault needs to be in the same subscription and region as the VM connecting to it!
Soft-delete
allows recovery of accidentally deleted key vault items (or the Key Vault itself) for 90 days. This is enabled automatically at key vault creation.
Purge protection
requires soft-delete to be enabled. Prevents purging of soft-deleted items.
To automate Key rotations you have to:
Write a custom function that first creates a new key in the key vault and then updates the SQL password. Since the old password would not yet have expired, apps that use SQL Server as the data source would still function as long as they have the password cached. Once the password is rotated, the apps would retrieve the new password from the key vault.
Azure Key Vaults are:
Automatically replicated to an Azure paired region. Paired regions are not configurable, that is Azure determines which regions are paired.
Paired regions are within the same security world. You can only back up a key vault to another location within the same security world.
Linked template
In some scenarios, you need to reference a key vault secret that varies based on the current deployment. Or, you may want to pass parameter values to the template rather than create reference parameters in a parameter file. In either case, you can dynamically generate the resource ID for a key
a Parameter file
used to send input parameters to ARM templates.
We can recover only these from Azure Key Vaults:
Secrets, keys and certificates