![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 93%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,180 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 4%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Hello Moyer, Todd,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
Problem
I understand that you have a question to know the reason:
Why the "key" that is wrapping the original key is stored as a key vault secret, and not a key.
Solution
I have done extensive research on Client-Side Encryption (CSE) and Client-Side Key Encryption (CSKE) in past. So, in the blob_samples_client_side_encryption_keyvault.py example, the "key" that wraps the original key is stored as a Key Vault secret rather than a key, because it's a design choice which is intentional and has some advantages such as:
- Security Isolation
- Key Rotation
- Granular Access Control
- Integration with Managed Identities
Therefore, storing the wrapping key as a secret in Key Vault provides a more secure, manageable, and flexible approach for client-side encryption.
References
For more information and reading, kindly use the additional resources available by the right side of this page.
Accept Answer
I hope this is helpful! Do not hesitate to let me know if you have any other questions.
** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.
Best Regards,
Sina Salam