JosMiguelLopezBecerra-2109 asked · JamesTran-MSFT commented

Azure Key Vault - Key Hierarchy

Does AKV support a key hierarchy?
Say I have the BYOK approach, where the customer key is at the very top of the hierarchy, and I want to use it to wrap other keys stored in AKV (say these other keys would be on Level 2; I should have full control of them, and they would be protected by the root key).

Is that possible?
Something similar to the picture.
The reason: we need the BYOK approach, and (like in the picture) we would like to grant the "Account Key" to some resource without giving it direct access to the root key.

[Attached screenshot: diagram of the proposed key hierarchy (85237-screenshot-2021-04-06-164109.png)]


azure-key-vault

@JosMiguelLopezBecerra-2109
Thank you for your post!

There are features within Azure that will allow you to use a key from Azure Key Vault (AKV) to wrap other keys. For example, within Azure Disk Encryption (ADE), a user has the opportunity to leverage a Key Encryption Key (KEK) to encrypt their VM. This key/KEK within the AKV wraps the VM's BitLocker Encryption Key (BEK), which is an AKV secret.

  • For your specific scenario, are you trying to wrap other keys stored in the AKV with the customer's key (which is in the AKV too)?

  • Are these other keys within the AKV going to be used for something within Azure (i.e. a DB)?


Any additional information is greatly appreciated!


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

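The two-level hierarchy the question describes, and the KEK-wraps-a-secret pattern the comment above points to, can be built with Key Vault's own wrapKey/unwrapKey operations: the root (BYOK) key stays in the vault and is only ever used to wrap and unwrap locally generated "account keys", which are stored in wrapped form. The example below is added here and is not code from the original post, from Microsoft or from the Azure SDK project. It assumes the `azure-identity` and `azure-keyvault-keys` packages, a placeholder vault URL and key name supplied by the caller, and an RSA root key (RSA-OAEP-256 is the wrap algorithm). `LocalStandInRootKey` is a constructed offline stand-in with the same interface so the flow can be exercised without a vault; it is not a substitute for the HSM-backed key.

```python
"""Two-level key hierarchy rooted in an Azure Key Vault key (added example).

Level 1 (root): the BYOK key. It never leaves the vault; callers are granted only
the wrapKey and/or unwrapKey permissions on it.
Level 2 ("account keys"): random symmetric keys generated outside the vault and
kept only in wrapped form. A consumer that holds a wrapped record and has
unwrapKey permission on the root key can recover the account key, but never the
root key itself.
"""
import base64
import hashlib
import hmac
import json
import os
from dataclasses import asdict, dataclass


class AzureRootKey:
    """Level-1 key backed by Azure Key Vault (azure-identity + azure-keyvault-keys).
    vault_url and key_name are placeholders supplied by the caller (assumption)."""

    alg = "RSA-OAEP-256"

    def __init__(self, vault_url, key_name, version=None):
        # Imported lazily so the rest of the module runs without the SDK installed.
        from azure.identity import DefaultAzureCredential
        from azure.keyvault.keys import KeyClient
        from azure.keyvault.keys.crypto import CryptographyClient

        cred = DefaultAzureCredential()
        key = KeyClient(vault_url=vault_url, credential=cred).get_key(key_name, version)
        # key.id includes the version, so every record pins the exact root version it was wrapped under.
        self.kid = key.id
        self._crypto = CryptographyClient(key, credential=cred)

    def wrap(self, key_bytes):
        from azure.keyvault.keys.crypto import KeyWrapAlgorithm
        # Remote operation: needs the wrapKey permission, returns only ciphertext.
        return self._crypto.wrap_key(KeyWrapAlgorithm.rsa_oaep_256, key_bytes).encrypted_key

    def unwrap(self, wrapped):
        from azure.keyvault.keys.crypto import KeyWrapAlgorithm
        # Remote operation: needs the unwrapKey permission, root key material never leaves the vault.
        return self._crypto.unwrap_key(KeyWrapAlgorithm.rsa_oaep_256, wrapped).key


class LocalStandInRootKey:
    """Constructed offline stand-in with the same interface, for exercising the flow
    without a vault. It is an HMAC-SHA256 keystream XOR with no integrity check and
    must not be used as a real KEK."""

    alg = "LOCAL-STANDIN"

    def __init__(self, secret, kid="https://example.vault.azure.net/keys/root-kek/v1"):
        self._secret = secret
        self.kid = kid  # placeholder key identifier (assumption)

    def _keystream(self, nonce, length):
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self._secret, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def wrap(self, key_bytes):
        nonce = os.urandom(16)
        return nonce + bytes(a ^ b for a, b in zip(key_bytes, self._keystream(nonce, len(key_bytes))))

    def unwrap(self, wrapped):
        nonce, body = wrapped[:16], wrapped[16:]
        return bytes(a ^ b for a, b in zip(body, self._keystream(nonce, len(body))))


@dataclass
class WrappedKey:
    """What gets persisted (e.g. as a Key Vault secret, like ADE's BEK): never the plaintext key."""
    name: str
    root_kid: str   # which root key and version wrapped it
    alg: str        # how it was wrapped
    wrapped_b64: str

    def to_json(self):
        return json.dumps(asdict(self))

    @classmethod
    def from_json(cls, text):
        return cls(**json.loads(text))


def create_level2_key(root, name, length=32):
    """Generate an account key locally and return (plaintext, wrapped record)."""
    plain = os.urandom(length)
    record = WrappedKey(name, root.kid, root.alg, base64.b64encode(root.wrap(plain)).decode())
    return plain, record


def open_level2_key(root, record):
    """Recover an account key; refuses records wrapped under a different root key/version or algorithm."""
    if record.root_kid != root.kid:
        raise ValueError(f"{record.name} was wrapped under {record.root_kid}, not {root.kid}")
    if record.alg != root.alg:
        raise ValueError(f"{record.name} was wrapped with {record.alg}, not {root.alg}")
    return root.unwrap(base64.b64decode(record.wrapped_b64))


if __name__ == "__main__":
    # Offline demonstration; swap in AzureRootKey("https://<vault>.vault.azure.net/", "root-kek") for a real vault.
    root = LocalStandInRootKey(os.urandom(32))
    account_key, record = create_level2_key(root, "storage-account-key")
    print(record.to_json())
    assert open_level2_key(root, WrappedKey.from_json(record.to_json())) == account_key
```

The access-control split the question asks for follows from the permissions: the identity that creates account keys needs wrapKey on the root key, the resource that consumes one needs only unwrapKey on the root key plus read access to the wrapped record, and neither can export the root key material. Because the record stores the versioned key id, rotating the root key does not silently break old records; they are unwrapped with the version that wrapped them and can be re-wrapped under the new version at your own pace.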

0 Answers