Best practices for using Azure Key Vault

Azure Key Vault safeguards encryption keys and secrets like certificates, connection strings, and passwords. This article helps you optimize your use of key vaults.

Use separate key vaults

Our recommendation is to use a vault per application per environment (development, pre-production, and production), per region. This helps you not share secrets across environments and regions. It will also reduce the threat in case of a breach.

Why we recommend separate key vaults

Key vaults define security boundaries for stored secrets. Grouping secrets into the same vault increases the blast radius of a security event because attacks might be able to access secrets across concerns. To mitigate access across concerns, consider what secrets a specific application should have access to, and then separate your key vaults based on this delineation. Separating key vaults by application is the most common boundary. Security boundaries, however, can be more granular for large applications, for example, per group of related services.

Control access to your vault

Encryption keys and secrets like certificates, connection strings, and passwords are sensitive and business critical. You need to secure access to your key vaults by allowing only authorized applications and users. Azure Key Vault security features provides an overview of the Key Vault access model. It explains authentication and authorization. It also describes how to secure access to your key vaults.

Suggestions for controlling access to your vault are as follows:

  • Lock down access to your subscription, resource group, and key vaults (role-based access control (RBAC)).
  • Create access policies for every vault.
  • Use the principle of least privilege access to grant access.
  • Turn on firewall and virtual network service endpoints.

Backup

Make sure you take regular backups of your vault. Backups should be performed when you update, delete, or create objects in your vault.

Azure PowerShell backup commands

Azure CLI backup commands

Turn on logging

Turn on logging for your vault. Also, set up alerts.

Turn on recovery options

  • Turn on soft-delete.
  • Turn on purge protection if you want to guard against force deletion of the secrets and key vault even after soft-delete is turned on.

Learn more