I am looking for someone who understands Key Vaults in Azure.

Chris Dresser 0 Reputation points
2025-06-02T18:01:01.2466667+00:00

I work for a small startup and we are starting to get data that we need to encrypt. We are using a data collection service that encrypts the data before sending it to us. I need to set up a key vault to handle the encryption key and distribute it to permitted users. I am not sure if this is the correct place to look, so any help would be greatly appreciated.

Thank You,

C.

Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.

1 answer

  1. Amira Bedhiafi 34,731 Reputation points Volunteer Moderator
    2025-06-02T18:15:03.68+00:00

    Hi Chris,

    Thank you for posting on Microsoft Learn!

    Since your data collection service encrypts data before sending, you likely need:

    1. A secure place to store the encryption key used by the service.
    2. Controlled access for services or people in your organization who need to decrypt or re-encrypt the data.

    I am detailing an example:

    1. Create a Key Vault

    • Go to Azure Portal → “Create a resource” → Search for Key Vault → Fill in details (Subscription, Resource Group, Region).
      • Choose an access configuration: Vault access policy (simpler) or Azure RBAC (recommended for new deployments).

    2. Add your encryption key

    • Navigate to the Key Vault → Keys → Generate/import.
      • If your service sends you a key, you can import it (usually as a .pem or .pfx).

    3. Grant access to users/apps

    • If using Vault access policies:
      • Under Access Policies, grant permission to a user, group, or managed identity (used by your app)
      • Select specific key permissions (Get, Unwrap Key, Wrap Key)
    • If using RBAC:
      • Assign the user/app a role like Key Vault Crypto User or Key Vault Administrator.

    If you want to integrate with your app, then you can use Azure SDKs or REST APIs to securely retrieve keys/secrets from Key Vault.

    Or you can also configure Managed Identity for your Azure app or service so it can authenticate to Key Vault without storing credentials.

    Links to help you:

    https://learn.microsoft.com/en-us/azure/key-vault/keys/quick-create-portal

    https://www.youtube.com/watch?reload=9&v=A8dJL43zDYA

    0 comments No comments
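
The three steps from the answer above, written as Azure CLI commands for the Azure RBAC model with the role scoped to a single key. This is an added example, not part of the original answer: the subscription ID, resource names and object ID are constructed placeholders, the key is generated rather than imported, and the script only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example: Azure CLI version of the three portal steps (RBAC model).
# Every name and ID below is a constructed placeholder.
set -eu

SUB="${SUB:-00000000-0000-0000-0000-000000000000}"   # subscription ID (placeholder)
RG="${RG:-rg-example}"
VAULT="${VAULT:-kv-example-001}"
KEY="${KEY:-ingest-kek}"
LOCATION="${LOCATION:-westeurope}"

# Safe default: print each command. Set DRY_RUN=0 to run it against Azure.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: vault using Azure RBAC, with purge protection so a deleted vault
# or key cannot be purged before the retention period ends.
create_vault() {
  run az keyvault create --name "$VAULT" --resource-group "$RG" \
    --location "$LOCATION" --enable-rbac-authorization true \
    --enable-purge-protection true
}

# Step 2: RSA key limited to wrap/unwrap (no sign, verify, encrypt, decrypt).
create_key() {
  run az keyvault key create --vault-name "$VAULT" --name "$KEY" \
    --kty RSA --size 3072 --ops wrapKey unwrapKey
}

# Resource ID of the single key, used as the role-assignment scope.
key_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s/keys/%s\n' \
    "$SUB" "$RG" "$VAULT" "$KEY"
}

# Step 3: grant Key Vault Crypto User on that one key only.
# $1 = object ID of the user, group or managed identity
# $2 = principal type: User, Group or ServicePrincipal (managed identities)
grant_crypto_user() {
  run az role assignment create --role "Key Vault Crypto User" \
    --assignee-object-id "$1" --assignee-principal-type "$2" \
    --scope "$(key_scope)"
}

create_vault
create_key
grant_crypto_user "11111111-1111-1111-1111-111111111111" ServicePrincipal
```

In dry-run output the quotes around the role name are not shown; when run with `DRY_RUN=0` the arguments are passed to `az` exactly as quoted in the script.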
