Azure Key Vault Developer's Guide

Key Vault allows you to securely access sensitive information from within your applications:

  • Keys and secrets are protected without you having to write the protection code yourself, and you can easily use them from your applications.
  • Your customers can own and manage their own keys, so you can concentrate on providing the core software features. In this way, your application does not own the responsibility or potential liability for your customers' tenant keys and secrets.
  • Your application can use keys for signing and encryption while keeping key management external to the application, which makes your solution suitable as a geographically distributed app.
  • As of the September 2016 release of Key Vault, your applications can also use Key Vault certificates. For more information, see About keys, secrets, and certificates.

For more general information on Azure Key Vault, see What is Key Vault.

Public Preview - May 10, 2017

Note

For this preview version of Azure Key Vault, only the soft-delete feature is in preview. Azure Key Vault as a whole is a full production service.

This preview includes the new soft-delete feature (recoverable deletion of key vaults and Key Vault objects) and updated developer interfaces: .NET/C#, REST and PowerShell.

For more information on the new soft-delete feature, see Azure Key Vault soft delete overview.

Videos

This video shows you how to create your own key vault and how to use it from the 'Hello Key Vault' sample application.

Resources mentioned in the above video:

Creating and Managing Key Vaults

Before working with Azure Key Vault in your code, you can create and manage vaults through REST, Resource Manager Templates, PowerShell or CLI, as described in the following articles:

Note

Operations against key vaults are authenticated through Azure Active Directory (AAD) and authorized through Key Vault's own access policy, which is defined per vault.

Coding with Key Vault

The Key Vault management system for programmers consists of several interfaces, with REST as the foundation. Through the REST interface, all of your key vault resources (keys, secrets and certificates) are accessible. See the Key Vault REST API Reference.

Supported programming languages

.NET

For more information on the 2.x version of the .NET SDK, see the Release notes.

Java

Node.js

In Node.js, the vault management API and the vault object API are separate. The Key Vault Management API lets you create and update your key vault. The Key Vault Operations API is for working with vault objects: keys, secrets and certificates.

Quick start

Code examples

For complete examples using Key Vault with your applications, see:

How-tos

The following articles and scenarios provide task-specific guidance for working with Azure Key Vault:

For more task-specific guidance on integrating and using Key Vaults with Azure, see Ryan Jones' Azure Resource Manager template examples for Key Vault.

Integrated with Key Vault

These articles are about other scenarios and services that use or integrate with Key Vault.

  • Azure Disk Encryption uses the industry-standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets in your key vault subscription, while ensuring that all data on the virtual machine disks is encrypted at rest in your Azure storage.
  • Azure Data Lake Store provides an option to encrypt the data stored in the account. For key management, Data Lake Store provides two modes for managing your master encryption keys (MEKs), which are required for decrypting any data stored in the Data Lake Store. You can either let Data Lake Store manage the MEKs for you, or retain ownership of the MEKs in your Azure Key Vault account. You specify the key management mode when creating a Data Lake Store account.
  • Azure Information Protection allows you to manage your own tenant key. For example, instead of Microsoft managing your tenant key (the default), you can manage your own tenant key to comply with specific regulations that apply to your organization. Managing your own tenant key is also referred to as bring your own key, or BYOK.

Key Vault overviews and concepts

  • Key Vault security worlds and geographic boundaries details how all HSMs at Azure locations in the same geographic region share the same cryptographic boundary (Thales Security World).
  • Key Vault soft-delete behavior describes a feature that allows recovery of deleted objects, whether the deletion was accidental or intentional.

Social

Supporting Libraries

Other Key Vault resources