Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,100 questions
Azure Key Vault - Key Hierarchy
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 61%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
José Miguel Lopez Becerra
6
Reputation points
Does AKV support key hierarchy?
Say I have the BYOK approach where the customer key is at the very top of the hierarchy. And I want to use it to wrap other keys stored in AKV (say these other keys would be on Level 2, I should have full control of them, and be protected by the root key).
Is that possible?
Something similar to the picture.
The reason: We need the BYOK approach. And (like in the picture), we would like to grant "Account Key" to some resource, but without giving direct access to the root key.
{count} votes
-
JamesTran-MSFT 36,361 Reputation points Microsoft Employee2021-04-08T21:38:07.573+00:00 @José Miguel Lopez Becerra
Thank you for your post!There are features within Azure that let will allow you to use a Key from the Azure Key Vault (AKV) to wrap other keys. For example within Azure Disk Encryption (ADE), a user has the opportunity to leverage a Key Encryption Key (KEK) to encrypt their VM. This Key/KEK within the AKV will wrap around a VM's BitLocker Encryption Key (BEK), which is an AKV secret.
- For your specific scenario, are you trying to wrap other keys stored in the AKV with the customer's key (which is in the AKV too)?
- Are these other keys within the AKV going to be used for something within Azure (i.e. a DB)?
Any additional information is greatly appreciated!
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Sign in to comment