13_Vault_Key_Key_Rotation_Azure - Nirvan-Pandey/Azure_DOC GitHub Wiki

13_1: Introduction

In this lab, we will learn how to create and manage an Azure Key Vault, a service used to securely store and manage sensitive information such as API keys, passwords, certificates, and cryptographic keys. We will also explore key creation, key rotation, and automation of key rotation.

13_2: Prerequisites

Before we begin, ensure you have the following Azure resources and configurations:

Azure Subscription

Resource Group (e.g., HubRG-KeyVault)

Contributor or Key Vault-specific permissions for the user

13_3: Creating a Key Vault

Go to All Services -> Security ->Key Vaults.

Click Create.

image

Fill in the required details:

Subscription

Resource Group

Key Vault Name

Region

Click Review + Create, then Create.

image

image

image

image

image

image

image

Once deployed, we’ll see the Key Vault listed.

13_4: Giving Permission to Another User

Although the user who creates the Key Vault automatically gets access (especially with Azure RBAC), it's important to understand how to grant access to other users or applications.

There are two main permission models in Azure Key Vault:

Azure role-based access control (RBAC) (Recommended)

Manages access to Key Vault using roles assigned at the Azure resource level, supporting fine-grained, centralized

control.

Vault access policy

Manages access directly within the Key Vault itself, using explicit policies for each user or app. In this lab, we use Azure RBAC, as shown during Key Vault creation.

🧩 Step 1: Go to Access Control (IAM) Navigate to the Key Vault.

Select "Access control (IAM)" from the left-hand menu.

image

🧩 Step 2: Add Role Assignment Click “+ Add” > “Add role assignment”.

image

In the Role dropdown, choose a role like:

  • Key Vault Reader – to view the vault only.

  • Key Vault Secrets User – to read secrets.

  • Key Vault Administrator – to manage secrets, keys, and certificates.

In the Assign access to dropdown, choose User, group, or service principal.

We are choosing Key Vault Crypto Officer.

🔐 Role: Key Vault Crypto Officer

The Key Vault Crypto Officer role can be used if your primary responsibility is to manage cryptographic keys in the

Azure Key Vault. This role provides permissions specifically for cryptographic operations, such as creating, deleting,

and managing keys, without granting broader administrative access to the Key Vault.

Key Vault Crypto Officer Role Permissions:

  • Manage keys: Create, delete, import, and update keys.

  • Perform cryptographic operations: Encrypt, decrypt, sign, and verify using the keys.

  • Limited scope: Does not allow managing secrets, certificates, or access policies.

When to Use Key Vault Crypto Officer:

  • If you only need to manage cryptographic keys and perform cryptographic operations.

  • If you want to follow the principle of least privilege

image

Click Next, then Review + assign.

image

image

You’ll now see the user listed under the Role assignments tab.

🔐 Why This Is Important

Even though the Key Vault creator already has access, other users or services must be explicitly granted access to

interact with the vault.

This step ensures that access is securely managed using Azure RBAC.

13_5: Creating a Key in Key Vault

Open the Key Vault you just created.

In the left pane, select Keys > + Generate/Import.

image

image

Enter key details (name, type, size, etc.).

There are 2 Key types:

  • RSA (Rivest–Shamir–Adleman): A widely used asymmetric encryption algorithm mainly for encryption, digital signatures,

and key exchange.

  • EC (Elliptic Curve): A lightweight asymmetric encryption method using elliptic curve cryptography, known for strong

security with shorter key lengths, ideal for digital signatures and secure key generation.

Click Create.

✅ Use RSA when:

You need broad compatibility (RSA is more widely supported).

You're working with legacy systems or protocols like TLS, S/MIME, or JWTs that often default to RSA.

Your application performs encryption/decryption directly using Key Vault.

✅ Use EC when:

You want better performance with smaller key sizes (faster operations, less bandwidth).

You prioritize strong security with efficient key management (especially for mobile and IoT).

You are focused on digital signatures (EC is more efficient for signing/verification).

In summary: 🔐 RSA = Great for compatibility and encryption. 🌀 EC = Great for modern, lightweight, secure signing.

image

We have chosen RSA key in our case.

You should now see the key under the Keys section.

image

13_6: Manually Rotating a Key

Go to Keys and select your created key.

Click + New Version.

image

image

Provide new key material or generate automatically.

Click Create.

image

The new version will appear in the version list.

13_7: Automating Key Rotation

Select the key and go to Rotation Policy.

image

Click Enable to activate auto-rotation.

Define key expiration and rotation intervals.

Click Save.

image

image

Azure will now rotate the key automatically based on your policy.

13_8: Summary

🔐 Lab 13: Azure Key Vault Management

In this lab, you learn how to securely manage cryptographic keys using Azure Key Vault. The lab guides you through:

  • Creating a Key Vault under a selected resource group and subscription.

  • Assigning permissions using Azure Role-Based Access Control (RBAC), including the Key Vault Crypto Officer role for key-level operations.

  • Generating cryptographic keys, with an explanation of RSA vs EC key types and when to use each.

  • Manual key rotation by creating a new version of the existing key.

  • Automating key rotation using built-in policies for enhanced security and compliance.