Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,451 questions
Azure Key Vault - Key Hierarchy
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 61%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
José Miguel Lopez Becerra
21
Reputation points
Does AKV support key hierarchy?
Say I have the BYOK approach where the customer key is at the very top of the hierarchy. And I want to use it to wrap other keys stored in AKV (say these other keys would be on Level 2, I should have full control of them, and be protected by the root key).
Is that possible?
Something similar to the picture.
The reason: We need the BYOK approach. And (like in the picture), we would like to grant "Account Key" to some resource, but without giving direct access to the root key.
Azure Key Vault
{count} votes
-
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator2021-04-08T21:38:07.573+00:00 @José Miguel Lopez Becerra
Thank you for your post!There are features within Azure that let will allow you to use a Key from the Azure Key Vault (AKV) to wrap other keys. For example within Azure Disk Encryption (ADE), a user has the opportunity to leverage a Key Encryption Key (KEK) to encrypt their VM. This Key/KEK within the AKV will wrap around a VM's BitLocker Encryption Key (BEK), which is an AKV secret.
- For your specific scenario, are you trying to wrap other keys stored in the AKV with the customer's key (which is in the AKV too)?
- Are these other keys within the AKV going to be used for something within Azure (i.e. a DB)?
Any additional information is greatly appreciated!
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Sign in to comment
Sign in to answer