Azure Key Vault Developer's Guide

Key Vault allows you to securely access sensitive information from within your applications:

  • Keys and secrets are protected without having to write the code yourself and you are easily able to use them from your applications.
  • You are able to have your customers own and manage their own keys so you can concentrate on providing the core software features. In this way, your applications will not own the responsibility or potential liability for your customers' tenant keys and secrets.
  • Your application can use keys for signing and encryption yet keeps the key management external from your application, allowing your solution to be suitable as a geographically distributed app.
  • Manage Key Vault certificates. For more information, see Certificates

For more general information on Azure Key Vault, see What is Key Vault).

Public Previews

Periodically, we release a public preview of a new Key Vault feature. Try out these and let us know what you think via, our feedback email address.

Creating and Managing Key Vaults

Azure Key Vault provides a way to securely store credentials and other keys and secrets, but your code needs to authenticate to Key Vault to retrieve them. Managed identities for Azure resources makes solving this problem simpler by giving Azure services an automatically managed identity in Azure Active Directory (Azure AD). You can use this identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without having any credentials in your code.

For more information on managed identities for Azure resources, see the managed identities overview. For more information on working with Azure AD, see Integrating applications with Azure Active Directory.

Before working with keys, secrets or certificates in your key vault, you'll create and manage your key vault through CLI, PowerShell, Resource Manager Templates or REST, as described in the following articles:

Set and retrieve secrets

Set and retrieve keys

Set and retrieve certificates

Coding with Key Vault

The Key Vault management system for programmers consists of several interfaces. This section contains links to all of the languages as well as some code examples.

Supported programming and scripting languages


All of your Key Vault resources are accessible through the REST interface; vaults, keys, secrets, etc.

Key Vault REST API Reference.


.NET API reference for Key Vault.


Java SDK for Key Vault


In Node.js, the Key Vault management API and the Key Vault object API are separate. The following overview article gives you access to both.

Azure Key Vault modules for Node.js


Azure Key Vault libraries for Python

Azure CLI

Azure CLI for Key Vault

Azure PowerShell

Azure PowerShell for Key Vault

Code examples

For complete examples using Key Vault with your applications, see:


The following articles and scenarios provide task-specific guidance for working with Azure Key Vault:

Integrated with Key Vault

These articles are about other scenarios and services that use or integrate with Key Vault.

  • Azure Disk Encryption leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and the data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets in your key vault subscription, while ensuring that all data in the virtual machine disks are encrypted at rest in your Azure storage.
  • Azure Data Lake Store provides option for encryption of data that is stored in the account. For key management, Data Lake Store provides two modes for managing your master encryption keys (MEKs), which are required for decrypting any data that is stored in the Data Lake Store. You can either let Data Lake Store manage the MEKs for you, or choose to retain ownership of the MEKs using your Azure Key Vault account. You specify the mode of key management while creating a Data Lake Store account.
  • Azure Information Protection allows you to manager your own tenant key. For example, instead of Microsoft managing your tenant key (the default), you can manage your own tenant key to comply with specific regulations that apply to your organization. Managing your own tenant key is also referred to as bring your own key, or BYOK.

Key Vault overviews and concepts


Supporting Libraries