Edit

Share via


Secrets and key management

Confidential computing provides advanced capabilities for protecting secrets and keys while they're in use to enhance the security posture of an application.

Confidential computing-enabled services use keys managed by the hardware root of trust to inform attestation services and encrypt and decrypt data inside the Trusted Execution Environment (TEE).

Keys are an important part of protection for confidential virtual machines (CVMs) and many other services built on CVMs like confidential node pools on Azure Kubernetes Service or data services that support confidential products like Azure Data Explorer.

For example, you can configure systems so that keys are released only after the code proves (via attestation) that it's executing inside a TEE. This behavior is known as secure key release. This powerful feature is useful for applications that need to read encrypted data from Azure Blob Storage into a TEE where it can be securely decrypted and processed in the clear.

CVMs rely on virtual Trusted Platform Modules (vTPMs). You can read more about this technology in Virtual TPMs in Azure.

The Azure Key Vault Managed HSM offering is built on confidential computing technologies. You can use it to enhance access control of the secrets and keys for an application.