Azure Key Vault

Azure Key Vault is a cloud-based cryptographic key management service provided by Microsoft Azure. It enables organizations to securely store, manage, and control access to cryptographic keys, secrets, and certificates used across cloud and hybrid computing environments. The service is designed to meet enterprise security requirements by providing centralized key management with audit logging, access control policies, and compliance support for regulated industries.

Overview and Purpose

Azure Key Vault serves as a dedicated repository for cryptographic material and other sensitive data. Organizations use it to hold customer-managed keys (CMKs), API keys, passwords, and other secrets required by applications and services. Centralizing this material in a dedicated, hardened service keeps key material out of application code and configuration files, simplifies rotation, and produces an audit trail of cryptographic operations. 1)

The service supports both software-protected and hardware security module (HSM)-backed keys (HSM protection requires the Premium tier), so organizations can choose the protection level that fits their risk posture. Keys held in Key Vault are used for encryption at rest, for the TLS certificates Key Vault manages, and for digital signing, both by Azure services and by customer applications.

Integration with Customer-Managed Encryption

Azure Key Vault integrates with cloud data platforms and services to enable customer-managed key (CMK) encryption. Organizations configure encryption for a workload by referencing a Key Vault URL (the key identifier) that points to their stored key. The platform typically applies envelope encryption: the data encryption keys it generates are wrapped by the customer's key in Key Vault, so the platform can only use those keys while the customer grants it access. Data encryption therefore stays under customer control rather than relying solely on provider-managed keys. 2)

For example, data platforms such as Lakebase support Azure Key Vault integration: customers supply a Key Vault key URL when configuring encryption for their data workloads. Data at rest is then protected by key material the customer controls; if the customer disables the key or revokes the platform's access to it, the platform can no longer unwrap the keys it needs to read the data.
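A CMK configuration is only as safe as the URL it references: a misconfigured or attacker-supplied value could point at a secret instead of a key, at a lookalike host, or at a pinned old version. The following validator is an added example, not code from the page, from Microsoft or from Databricks. It encodes the documented identifier layout (https://{vault}.vault.azure.net/{keys|secrets|certificates}/{name}[/{version}], with Managed HSM under managedhsm.azure.net) and the naming rules as we understand them; the public-cloud DNS suffixes, the vault and key names, and the `expected` parameter are assumptions made for the example.

```python
"""Validate Azure Key Vault object identifiers before using them as CMK references.

Added example; not code from the page, Microsoft or Databricks. Assumptions:
only public-cloud DNS suffixes are accepted, and the naming rules below
(vault 3-24 chars, object name 1-127 chars, version 32 hex chars) are encoded
as we understand the documented limits.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Public Azure cloud suffixes only; sovereign clouds use others (assumption: out of scope here).
ALLOWED_SUFFIXES = (".vault.azure.net", ".managedhsm.azure.net")
COLLECTIONS = ("keys", "secrets", "certificates")

_VAULT_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]")   # 3-24 chars, letter first
_NAME_RE = re.compile(r"[A-Za-z0-9-]{1,127}")
_VERSION_RE = re.compile(r"[0-9a-f]{32}")


@dataclass(frozen=True)
class KeyVaultObjectId:
    vault_url: str            # e.g. https://contoso-kv.vault.azure.net
    collection: str           # keys / secrets / certificates
    name: str
    version: Optional[str]    # None for a versionless reference (resolves to the latest version)

    @property
    def is_versionless(self) -> bool:
        return self.version is None


def parse_key_vault_id(url: str, expected: Optional[str] = None) -> KeyVaultObjectId:
    """Parse a Key Vault identifier, raising ValueError on anything that is not one.

    `expected` pins the collection (e.g. "keys" for a CMK reference) so that a secret
    or certificate URL cannot be smuggled in where a key is required.
    """
    u = urlparse(url)
    if u.scheme != "https":
        raise ValueError("identifier must use https")
    if u.username is not None or u.password is not None:
        raise ValueError("userinfo is not allowed in a Key Vault identifier")
    if u.port not in (None, 443):
        raise ValueError("unexpected port")
    if u.query or u.fragment or u.params:
        raise ValueError("query, fragment or path parameters are not allowed")
    host = u.hostname or ""          # urlparse lowercases the host for us
    suffix = next((s for s in ALLOWED_SUFFIXES if host.endswith(s)), None)
    if suffix is None:
        raise ValueError(f"host {host!r} is not a Key Vault host")
    vault_name = host[: -len(suffix)]
    if not _VAULT_RE.fullmatch(vault_name) or "--" in vault_name:
        raise ValueError(f"invalid vault name {vault_name!r}")
    parts = u.path.strip("/").split("/")
    if len(parts) not in (2, 3):
        raise ValueError("path must be /{collection}/{name}[/{version}]")
    collection, name = parts[0], parts[1]
    if collection not in COLLECTIONS:
        raise ValueError(f"unknown collection {collection!r}")
    if suffix == ".managedhsm.azure.net" and collection != "keys":
        raise ValueError("Managed HSM holds keys only")
    if expected is not None and collection != expected:
        raise ValueError(f"expected a {expected} identifier, got {collection}")
    if not _NAME_RE.fullmatch(name):
        raise ValueError(f"invalid object name {name!r}")
    version = parts[2] if len(parts) == 3 else None
    if version is not None and not _VERSION_RE.fullmatch(version):
        raise ValueError(f"invalid version {version!r}")
    return KeyVaultObjectId(f"https://{host}", collection, name, version)


def rejection_reason(url: str, expected: Optional[str] = None) -> Optional[str]:
    """Return None if `url` is an acceptable identifier, else the reason it was rejected."""
    try:
        parse_key_vault_id(url, expected)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample inputs; the vault and key names are made up.
    for candidate in (
        "https://contoso-kv.vault.azure.net/keys/cmk-lakebase",
        "https://contoso-kv.vault.azure.net/keys/cmk-lakebase/0123456789abcdef0123456789abcdef",
        "https://contoso-kv.vault.azure.net/secrets/cmk-lakebase",
        "https://contoso-kv.vault.azure.net.evil.example/keys/cmk-lakebase",
        "http://contoso-kv.vault.azure.net/keys/cmk-lakebase",
    ):
        print(candidate, "->", rejection_reason(candidate, expected="keys") or "ok")
```

For a CMK reference, prefer the versionless form: the platform then follows rotations automatically, whereas a pinned version keeps encrypting new data under a key you may later disable.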

Access Control and Authentication

Azure Key Vault enforces access through one of two permission models, chosen per vault: Azure role-based access control (RBAC), the recommended model, or the legacy vault access policies kept for backward compatibility. Callers authenticate as Microsoft Entra ID (formerly Azure AD) identities, whether users, service principals, or managed identities, before they can retrieve, create, or manage keys. RBAC role assignments can be scoped down to an individual key, secret, or certificate, whereas an access policy applies to every object of a given type in the vault. 3)

Managed identities let workloads on Azure compute resources authenticate to Key Vault without any stored credential: the platform issues the token, so there is no secret to leak from configuration files or source control. Grant each identity only the role it needs (for example, one that permits the cryptographic operations the workload performs but not key management or deletion), implementing the principle of least privilege.

Audit Logging and Monitoring

Operations on keys, secrets, and certificates can be logged for audit and compliance, but only after a diagnostic setting routes the AuditEvent category to a Log Analytics workspace, storage account, or event hub; logging is not enabled by default. Each record includes the timestamp, operation name, calling identity (object and application ids), caller IP address, and result. These logs support compliance requirements, forensic analysis, and security monitoring. 4)

Organizations can alert on these logs to detect unusual access patterns, unauthorized deletion attempts, or unexpected cryptographic operations. Integration with Microsoft Sentinel (formerly Azure Sentinel) and other security information and event management (SIEM) systems enables centralized security monitoring across hybrid cloud environments.
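The detection logic below is an added example, not code from the page or from Microsoft, showing the three alert types just described running over AuditEvent records. The record layout is modelled on the documented Key Vault diagnostic log schema (operationName, callerIpAddress, identity.claim, properties.id, properties.httpStatusCode); the sample records, application and object ids, IP addresses, object names, the operation sets, and the caller and network allow-lists are all constructed for the example.

```python
"""Detect suspicious activity in Azure Key Vault AuditEvent diagnostic logs.

Added example, not code from the page or from Microsoft. The records below are
constructed in the documented AuditEvent shape; identities, IPs and object names
are made up. Logging must be enabled through a diagnostic setting for real
records to exist, and the allow-lists are assumed to come from your inventory.
"""
import json
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List

OID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"

# Operations that remove material or change its lifecycle (assumed set; extend as needed).
DESTRUCTIVE_OPS = {"KeyDelete", "SecretDelete", "CertificateDelete",
                   "KeyPurge", "SecretPurge", "CertificatePurge", "VaultDelete"}
# Operations that expose secret material or use a private key (assumed set).
SENSITIVE_OPS = {"SecretGet", "KeyUnwrap", "KeyDecrypt", "KeySign"}


def load_records(jsonl: str) -> List[Dict]:
    """Parse one record per line and keep only the AuditEvent category."""
    recs = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    return [r for r in recs if r.get("category") == "AuditEvent"]


def caller_of(rec: Dict) -> str:
    """Prefer the application id, fall back to the caller's object id."""
    claim = rec.get("identity", {}).get("claim", {})
    return claim.get("appid") or claim.get(OID_CLAIM) or "unknown"


def detect(records: Iterable[Dict], allowed_callers: Iterable[str],
           trusted_nets: Iterable[str], failure_threshold: int = 3) -> List[str]:
    """Return findings; records are assumed to belong to one alerting time window."""
    allowed = set(allowed_callers)
    nets = [ip_network(n) for n in trusted_nets]
    denials: Counter = Counter()
    findings: List[str] = []
    for rec in records:
        op = rec.get("operationName", "")
        caller, ip = caller_of(rec), rec.get("callerIpAddress", "")
        props = rec.get("properties", {})
        status, target = props.get("httpStatusCode"), props.get("id", "")
        if op in DESTRUCTIVE_OPS:        # flag deletes and purges whether or not they succeeded
            findings.append(f"{op} on {target} by {caller} from {ip} (HTTP {status})")
        if status in (401, 403):         # count denials per caller and source address
            denials[(caller, ip)] += 1
            if denials[(caller, ip)] == failure_threshold:
                findings.append(f"{failure_threshold} access denials for {caller} from {ip}")
            continue                     # a denied read exposed nothing further
        if op in SENSITIVE_OPS:
            if caller not in allowed:
                findings.append(f"{op} on {target} by unexpected caller {caller}")
            elif not any(ip_address(ip) in n for n in nets):
                findings.append(f"{op} on {target} by {caller} from untrusted address {ip}")
    return findings


def _rec(op, status, ip, appid=None, oid=None,
         target="https://contoso-kv.vault.azure.net/secrets/db-password"):
    """Build a constructed AuditEvent record in the documented shape."""
    claim = {k: v for k, v in (("appid", appid), (OID_CLAIM, oid)) if v}
    return {"time": "2024-05-01T10:00:00Z", "category": "AuditEvent", "operationName": op,
            "resultType": "Success" if status < 400 else "Failed", "callerIpAddress": ip,
            "identity": {"claim": claim}, "properties": {"id": target, "httpStatusCode": status}}


APP_BACKEND = "11111111-2222-3333-4444-555555555555"   # constructed: the expected reader
APP_ROGUE = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"     # constructed: not on the allow-list
USER_OID = "99999999-8888-7777-6666-555555555555"      # constructed: an interactive user

SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _rec("SecretGet", 200, "10.0.1.5", appid=APP_BACKEND),          # expected: no finding
    _rec("SecretGet", 200, "10.0.1.7", appid=APP_ROGUE),            # unexpected caller
    _rec("SecretGet", 200, "203.0.113.9", appid=APP_BACKEND),       # untrusted address
    _rec("KeyGet", 403, "198.51.100.4", oid=USER_OID),
    _rec("KeyGet", 403, "198.51.100.4", oid=USER_OID),
    _rec("KeyGet", 403, "198.51.100.4", oid=USER_OID),              # third denial -> finding
    _rec("SecretPurge", 403, "198.51.100.4", oid=USER_OID),         # denied purge attempt
    _rec("KeyDelete", 200, "10.0.1.5", appid=APP_BACKEND,
         target="https://contoso-kv.vault.azure.net/keys/cmk-lakebase"),  # successful delete
])


def run_sample() -> List[str]:
    return detect(load_records(SAMPLE_LOG), [APP_BACKEND], ["10.0.0.0/8"])


if __name__ == "__main__":
    for finding in run_sample():
        print("ALERT:", finding)
```

The same rules translate directly into a Log Analytics query or a Sentinel analytics rule; the point of the offline version is that the thresholds and allow-lists can be tested against known records before they page anyone.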

Key Management Capabilities

Azure Key Vault supports key lifecycle management: creation, rotation, versioning, and deletion. Deletion is guarded by soft delete, which keeps a deleted object recoverable for a retention period, and optionally by purge protection, which prevents anyone from permanently erasing it before that period ends. Organizations can attach a rotation policy to each key to rotate automatically on a schedule or to notify ahead of expiry, or rotate manually, in support of regulatory requirements. 5)

The service supports RSA and elliptic-curve (EC) keys in software-protected and HSM-protected variants; symmetric (AES) keys are offered in Azure Managed HSM. Every key carries versions: a versionless key URL resolves to the current version, so applications pick up a rotated key automatically, while earlier versions remain available (until disabled) for decrypting data encrypted under them.
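To make the rotation and versioning behaviour concrete, here is an added example, not code from the page or from Microsoft, that evaluates a rotation policy against a key's version history. The policy document uses the shape Key Vault accepts for rotation policies (lifetimeActions with timeAfterCreate or timeBeforeExpiry triggers, attributes.expiryTime, ISO 8601 durations such as P90D); the duration parser, the 30-day month and 365-day year approximations, and the version records are assumptions constructed for the example.

```python
"""Evaluate a Key Vault key rotation policy against a key's versions.

Added example, not code from the page or from Microsoft. The policy shape matches
what Key Vault accepts for rotation policies; the version records and the duration
handling (years as 365 days, months as 30 days) are assumptions made here.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

_DURATION_RE = re.compile(r"P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?")


def parse_duration(value: str) -> timedelta:
    """Turn an ISO 8601 period like P90D or P2Y into a timedelta (approximate for M and Y)."""
    m = _DURATION_RE.fullmatch(value)
    if not m or value == "P":
        raise ValueError(f"unsupported duration {value!r}")
    years, months, days = (int(g or 0) for g in m.groups())
    return timedelta(days=years * 365 + months * 30 + days)


def evaluate_rotation(policy: Dict, versions: List[Dict], now: datetime) -> Dict:
    """Report which policy actions are due for the newest enabled version, and which
    older versions are still enabled (needed only to decrypt data written under them)."""
    enabled = [v for v in versions if v.get("enabled", True)]
    if not enabled:
        raise ValueError("no enabled versions")
    latest = max(enabled, key=lambda v: v["created"])
    expires = latest["created"] + parse_duration(policy["attributes"]["expiryTime"])
    due = []
    for action in policy["lifetimeActions"]:
        trigger, kind = action["trigger"], action["action"]["type"]
        if "timeAfterCreate" in trigger:
            if now >= latest["created"] + parse_duration(trigger["timeAfterCreate"]):
                due.append(kind)
        elif "timeBeforeExpiry" in trigger:
            if now >= expires - parse_duration(trigger["timeBeforeExpiry"]):
                due.append(kind)
    return {"latest": latest["version"], "expires": expires, "due": due,
            "decrypt_only": [v["version"] for v in enabled if v is not latest]}


# Constructed policy: rotate 90 days after creation, notify 30 days before expiry, expire after 2 years.
POLICY = {
    "lifetimeActions": [
        {"trigger": {"timeAfterCreate": "P90D"}, "action": {"type": "Rotate"}},
        {"trigger": {"timeBeforeExpiry": "P30D"}, "action": {"type": "Notify"}},
    ],
    "attributes": {"expiryTime": "P2Y"},
}

# Constructed version history for one key; the version ids are made-up 32-hex strings.
VERSIONS = [
    {"version": "0123456789abcdef0123456789abcdef",
     "created": datetime(2024, 1, 1, tzinfo=timezone.utc), "enabled": True},
    {"version": "fedcba9876543210fedcba9876543210",
     "created": datetime(2024, 6, 1, tzinfo=timezone.utc), "enabled": True},
]


def evaluate_on(iso_date: str) -> Dict:
    """Evaluate POLICY against VERSIONS at a given UTC date (YYYY-MM-DD)."""
    now = datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)
    return evaluate_rotation(POLICY, VERSIONS, now)


if __name__ == "__main__":
    for when in ("2024-07-01", "2024-09-15", "2026-05-15"):
        print(when, evaluate_on(when))
```

Versions listed under decrypt_only are the ones a versionless URL will never return for new encryption, yet disabling them before all data wrapped under them has been re-encrypted makes that data unreadable; the evaluator makes that set explicit so a rotation runbook can check it before retiring old versions.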
