Today, Microsoft announced general availability of Azure Key Vault, a cloud security offering that lets Azure subscribers safeguard and control the cryptographic keys and other secrets used by cloud applications and services. A key vault keeps certificates, shared keys, and passwords in a centrally managed location, with access that is granted per identity and can be revoked at any time.
One of the best ways to start leveraging it is to keep separate keys (ideally separate vaults) for your dev/test/stage/prod environments and to grant each application identity permission only to the keys, and only to the key operations, it actually needs. Additionally, a vault is a regional resource, so keys can be placed close to the applications that use them. Finally, the area where I see the largest potential involves multi-tenant SaaS applications. By using Key Vault, you can allow tenants in your application to upload their own cryptographic keys so that they are available for use by your application, but without your application ever having direct access to the customer's key material: the vault performs the encrypt, decrypt, wrap, unwrap, sign, or verify operation on the application's behalf and only ever returns the public portion of a key.
I encourage you to take a look and consider Key Vault the next time you need to control access to secrets and keys through an easily accessible programming interface.
$resGrpName = 'MyResourceGroup'                              # assumed: an existing resource group
$pfxpwd = Read-Host -Prompt 'PFX password' -AsSecureString   # -KeyFilePassword must be a SecureString
New-AzureKeyVault -VaultName 'MyKeyVault' -ResourceGroupName $resGrpName -Location 'East US'
$key = Add-AzureKeyVaultKey -VaultName 'MyKeyVault' -Name 'MyFirstKey' -KeyFilePath 'c:\certkey.pfx' -KeyFilePassword $pfxpwd
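The following script is an added example, not code from the original post, showing the two patterns described above with the Azure PowerShell 0.9.x cmdlets that were current at GA: one vault per environment with a least-privilege access policy for each application identity, and a tenant-supplied key imported under a tenant-scoped name with restricted key operations. The resource group name, vault names, service-principal application IDs, operator account, tenant identifier and PFX path are all assumed placeholders; the cmdlet names and parameters are the real ones.

```powershell
# Added example (not from the original post). Assumes Azure PowerShell 0.9.x, in which the
# Key Vault cmdlets are only available in Azure Resource Manager mode.
Switch-AzureMode -Name AzureResourceManager

$resGrpName = 'MyResourceGroup'        # assumed: an existing resource group
$location   = 'East US'

# 1. One vault per environment. Vault names become global DNS labels
#    (https://<name>.vault.azure.net), so these placeholders must be made unique.
$vaults = @{
    dev  = 'contoso-kv-dev'
    test = 'contoso-kv-test'
    prod = 'contoso-kv-prod'
}

# 2. Service-principal application IDs of the app in each environment (assumed GUIDs).
#    Each identity gets a policy on its own vault only, so a leaked dev credential
#    cannot reach prod keys.
$appIds = @{
    dev  = '11111111-1111-1111-1111-111111111111'
    test = '22222222-2222-2222-2222-222222222222'
    prod = '33333333-3333-3333-3333-333333333333'
}

foreach ($env in $vaults.Keys) {
    New-AzureKeyVault -VaultName $vaults[$env] -ResourceGroupName $resGrpName -Location $location

    # The application may only wrap/unwrap data-encryption keys (envelope encryption)
    # and read secrets. It cannot create, import, delete or back up keys.
    Set-AzureKeyVaultAccessPolicy -VaultName $vaults[$env] `
        -ServicePrincipalName $appIds[$env] `
        -PermissionsToKeys wrapKey, unwrapKey `
        -PermissionsToSecrets get

    # Key lifecycle stays with an operator account (assumed UPN), which in turn
    # gets no cryptographic operations on the keys it manages.
    Set-AzureKeyVaultAccessPolicy -VaultName $vaults[$env] `
        -UserPrincipalName 'keyops@contoso.com' `
        -PermissionsToKeys create, import, list, delete, backup, restore `
        -PermissionsToSecrets set, list, delete
}

# 3. Multi-tenant SaaS: import each tenant's PFX under a tenant-scoped key name and
#    restrict the key to the operations the app is allowed to perform with it.
function Import-TenantKey {
    param(
        [Parameter(Mandatory)] [string]       $VaultName,
        [Parameter(Mandatory)] [string]       $TenantId,     # assumed: your own tenant identifier
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [SecureString] $PfxPassword
    )
    # Key names may contain only letters, digits and '-', so sanitise the tenant id first.
    $safeTenant = $TenantId -replace '[^A-Za-z0-9-]', '-'
    $keyName = "tenant-$safeTenant-cmk"

    $key = Add-AzureKeyVaultKey -VaultName $VaultName -Name $keyName `
        -KeyFilePath $PfxPath -KeyFilePassword $PfxPassword `
        -KeyOps wrapKey, unwrapKey

    # Persist only the key identifier (a URI) with the tenant record; the PFX and its
    # password are not needed again and should be discarded after import.
    return $key.Id
}

$tenantPfxPwd = Read-Host -Prompt 'Tenant PFX password' -AsSecureString
$tenantKeyId  = Import-TenantKey -VaultName $vaults['prod'] -TenantId 'acme-corp' `
    -PfxPath 'C:\tenants\acme.pfx' -PfxPassword $tenantPfxPwd   # assumed path

# 4. Check: reading the key back yields only the public half of the RSA key (N and E).
#    Private material is never returned by the service, which is what lets the app
#    use a customer key without ever holding it.
$retrieved = Get-AzureKeyVaultKey -VaultName $vaults['prod'] -Name 'tenant-acme-corp-cmk'
$retrieved.Key | Format-List Kid, Kty, KeyOps, N, E
Write-Output "Tenant key id stored with tenant record: $tenantKeyId"
```

The application itself never runs this script; it authenticates as its service principal and calls the wrapKey and unwrapKey operations on the key identifier saved in step 3. Because its access policy grants nothing else, neither a compromised application nor a compromised operator account alone is enough to both manage and use a tenant's key.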