How to encrypt secrets stored in key vault using customer managed keys

Question

How to encrypt secrets stored in key vault using customer managed keys

Kaavyan Raghavan 20

Is there any way to encrypt the secrets stored in the Azure key vault by customer-managed keys?

I want to store my secrets in the key vault but I don't want to use the default key for encryption. Can I use my own keys to encrypt the secrets? Kindly help.

Accepted answer

1 additional answer

Your answer

Answer 1

Akshay-MSFT 17,951 Microsoft Employee Moderator

@Kaavyan Raghavan

Thank you for posting your query on Microsoft Q&A. From above statement I concluded that you want to store and encrypt secrets in Azure Key Vault with your own keys.

Please do correct me if this is not the case.

At this point in time we could use customer managed keys for encryption only for storage blobs.

For Azure Key vault secrets as per Encryption docs:

All secrets in your Key Vault are stored encrypted. Key Vault encrypts secrets at rest with a hierarchy of encryption keys, with all keys in that hierarchy are protected by modules that are FIPS 140-2 compliant. This encryption is transparent, and requires no action from the user. The Azure Key Vault service encrypts your secrets when you add them, and decrypts them automatically when you read them. The encryption leaf key of the key hierarchy is unique to each key vault. The encryption root key of the key hierarchy is unique to the security world, and its protection level varies between regions:

China: root key is protected by a module that is validated for FIPS 140-2 Level 1.

Other regions: root key is protected by a module that is validated for FIPS 140-2 Level 2 or higher.

However if this is impacting your business requirements, I recommend you to post your idea on our feedback portal and let me know so that I could also vote for it.

Thanks,

Akshay Kaushik

Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.

Kaavyan Raghavan 20 Reputation points

2023-08-07T14:32:52.76+00:00

So currently I can't encrypt my secrets with my own keys (both residing in the same key vault).

Also, is there any way for us to identify the customer managed keys and azure managed keys? like in AWS all AWS managed keys will start with a prefix "AWS-", is there anything similar?
Kaavyan Raghavan 20 Reputation points

2023-08-07T15:45:14.85+00:00

So currently there is no way to encrypt my secrets with my own keys (both residing in key vault). Am I right? Is there anything else we can do if we don't want to use Azure key vault's standard secret encryption and use customer managed keys? Does BYOK helps in this scenario, if we have on-prem keys? Also how does azure distinguish between azure managed keys and customer managed keys? Like in AWS, all AWS managed keys will have a prefix AWS. Is there anything similar to that?
Kaavyan Raghavan 20 Reputation points

2023-08-11T17:04:55.34+00:00

@Akshay Kaushik - Would it be okay if we could connect?
Akshay-MSFT 17,951 Reputation points Microsoft Employee Moderator

2023-08-18T04:14:15.22+00:00

@Kaavyan Raghavan

Apologies for the delayed response as I was not keeping well last week. Yes, Currently we don't have any ways to encrypt secrets with CMK. I recommend you to post your idea on our feedback portal and let me know so that I could also vote for it.

Thanks,

Akshay Kaushik

Answer 2

Roopan P M 110

@Kaavyan Raghavan
- Have you achieved the functionality which you asked?
  - If yes, please let me know how you did that

Share via

How to encrypt secrets stored in key vault using customer managed keys

1 additional answer

Your answer