Introduction to Key Vault in Azure Stack Hub


Key Vault basics

Key Vault in Azure Stack Hub helps safeguard cryptographic keys and secrets that cloud apps and services use. By using Key Vault, you can encrypt keys and secrets, such as:

  • Authentication keys
  • Storage account keys
  • Data encryption keys
  • .pfx files
  • Passwords

Key Vault streamlines the key management process and enables you to maintain control of keys that access and encrypt your data. Developers can create keys for development and testing in minutes, and then seamlessly migrate them to production keys. Security admins can grant (and revoke) permissions to keys as needed.

Anybody with an Azure Stack Hub subscription can create and use key vaults. Although Key Vault benefits developers and security administrators, the operator who manages other Azure Stack Hub services for an organization can implement and manage it. For example, the Azure Stack Hub operator can sign in with an Azure Stack Hub subscription and create a vault for the organization in which to store keys. Once that's done, they can:

  • Create or import a key or secret.
  • Revoke or delete a key or secret.
  • Authorize users or apps to access the key vault so they can then manage or use its keys and secrets.
  • Configure key usage (for example, sign or encrypt).

The operator can then provide developers with Uniform Resource Identifiers (URIs) to call from their apps.

Developers can also manage the keys directly by using APIs. For more info, see the Key Vault developer's guide.


The following scenarios describe how Key Vault can help meet the needs of developers and security admins.

Developer for an Azure Stack Hub app

Problem: I want to write an app for Azure Stack Hub that uses keys for signing and encryption. I want these keys to be external from my app so that the solution is suitable for an app that is geographically distributed.

Statement: Keys are stored in a vault and invoked by a URI when needed.

Developer for software as a service (SaaS)

Problem: I don't want the responsibility or potential liability for my customer's keys and secrets. I want customers to own and manage their keys so that I can concentrate on doing what I do best, which is providing the core software features.

Statement: Customers can import and manage their own keys in Azure Stack Hub.

Chief Security Officer (CSO)

Problem: I want to make sure that my organization is in control of the key lifecycle and can monitor key usage.

Statement: Key Vault is designed so that Microsoft does not see or extract your keys. When an app needs to perform cryptographic operations by using customer keys, Key Vault uses the keys on behalf of the app. The app does not see the customer keys. Although we use multiple Azure Stack Hub services and resources, you can manage the keys from a single location in Azure Stack Hub. The vault provides a single interface, regardless of how many vaults you have in Azure Stack Hub, which regions they support, and which apps use them.

Next steps