13_Vault_Key_Key_Rotation_Azure - Nirvan-Pandey/Azure_DOC GitHub Wiki
13_1: Introduction
In this lab, we will learn how to create and manage an Azure Key Vault, a service used to securely store and manage sensitive information such as API keys, passwords, certificates, and cryptographic keys. We will also explore key creation, key rotation, and automation of key rotation.
13_2: Prerequisites
Before we begin, ensure you have the following Azure resources and configurations:
- Azure Subscription
- Resource Group (e.g., HubRG-KeyVault)
- Contributor or Key Vault-specific permissions for the user
13_3: Creating a Key Vault
Go to All Services -> Security -> Key Vaults.
Click Create.
Fill in the required details:
Subscription
Resource Group
Key Vault Name
Region
Click Review + Create, then Create.
Once deployed, we’ll see the Key Vault listed.
13_4: Giving Permission to Another User
Although the user who creates the Key Vault automatically gets access (especially with Azure RBAC), it's important to understand how to grant access to other users or applications.
There are two main permission models in Azure Key Vault:
- Azure role-based access control (RBAC) (Recommended): manages access to Key Vault using roles assigned at the Azure resource level, supporting fine-grained, centralized control.
- Vault access policy: manages access directly within the Key Vault itself, using explicit policies for each user or app.
In this lab, we use Azure RBAC, as shown during Key Vault creation.
🧩 Step 1: Go to Access Control (IAM)
Navigate to the Key Vault.
Select "Access control (IAM)" from the left-hand menu.
🧩 Step 2: Add Role Assignment
Click “+ Add” > “Add role assignment”.
In the Role dropdown, choose a role such as:
- Key Vault Reader – to view the vault only.
- Key Vault Secrets User – to read secrets.
- Key Vault Administrator – to manage secrets, keys, and certificates.
In the Assign access to dropdown, choose User, group, or service principal.
We are choosing Key Vault Crypto Officer.
🔐 Role: Key Vault Crypto Officer
The Key Vault Crypto Officer role can be used if your primary responsibility is to manage cryptographic keys in Azure Key Vault. This role provides permissions specifically for cryptographic operations, such as creating, deleting, and managing keys, without granting broader administrative access to the Key Vault.
Key Vault Crypto Officer Role Permissions:
- Manage keys: create, delete, import, and update keys.
- Perform cryptographic operations: encrypt, decrypt, sign, and verify using the keys.
- Limited scope: does not allow managing secrets, certificates, or access policies.
When to Use Key Vault Crypto Officer:
- If you only need to manage cryptographic keys and perform cryptographic operations.
- If you want to follow the principle of least privilege.
Click Next, then Review + assign.
You’ll now see the user listed under the Role assignments tab.
🔐 Why This Is Important
Even though the Key Vault creator already has access, other users or services must be explicitly granted access to interact with the vault.
This step ensures that access is securely managed using Azure RBAC.
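The same vault creation and role assignment can be scripted with the Azure CLI. The following is an added example for this wiki page, not code from the original lab; the vault name kv-lab13-demo, the region eastus and the principal user@example.com are placeholders, and the resource group HubRG-KeyVault is the one named in the prerequisites. It creates the vault with the RBAC permission model enabled and scopes the role assignment to that single vault, which is the least-privilege shape the section recommends.

```shell
#!/bin/sh
# Added example (not part of the original wiki): sections 13_3 and 13_4 as
# Azure CLI commands. Vault name, region and principal are assumptions.
set -eu

# AZ can be overridden (e.g. AZ=echo) to print the commands instead of running them.
AZ="${AZ:-az}"

# Create a vault with the RBAC permission model enabled, matching the lab's
# choice of Azure RBAC over vault access policies.
create_rbac_vault() {
  vault="$1"; rg="$2"; location="$3"
  $AZ keyvault create \
    --name "$vault" \
    --resource-group "$rg" \
    --location "$location" \
    --enable-rbac-authorization true
}

# Resolve the vault's ARM resource id so the role assignment can be scoped
# to this one vault rather than the whole resource group or subscription.
vault_scope() {
  $AZ keyvault show --name "$1" --resource-group "$2" --query id -o tsv
}

# Assign a built-in Key Vault data-plane role to a principal at the given scope.
grant_vault_role() {
  principal="$1"; role="$2"; scope="$3"
  $AZ role assignment create \
    --assignee "$principal" \
    --role "$role" \
    --scope "$scope"
}

# Map a task to the narrowest built-in role the lab lists for it, so the
# caller does not reach for Key Vault Administrator by default.
role_for_task() {
  case "$1" in
    view-vault)   echo "Key Vault Reader" ;;
    read-secrets) echo "Key Vault Secrets User" ;;
    manage-keys)  echo "Key Vault Crypto Officer" ;;
    full-admin)   echo "Key Vault Administrator" ;;
    *) echo "unknown task: $1" >&2; return 1 ;;
  esac
}

# Run the whole flow only when explicitly asked (RUN_LAB=1 ./script.sh).
if [ "${RUN_LAB:-0}" = "1" ]; then
  create_rbac_vault kv-lab13-demo HubRG-KeyVault eastus
  scope=$(vault_scope kv-lab13-demo HubRG-KeyVault)
  grant_vault_role "user@example.com" "$(role_for_task manage-keys)" "$scope"
fi
```

Run it with `AZ=echo RUN_LAB=1 sh script.sh` first to see the exact commands it would issue, then without `AZ=echo` once you are signed in with `az login`. Note that a Contributor on the resource group can create the vault but, under the RBAC model, still needs a data-plane role such as Key Vault Crypto Officer before it can create or use keys.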
13_5: Creating a Key in Key Vault
Open the Key Vault you just created.
In the left pane, select Keys > + Generate/Import.
Enter key details (name, type, size, etc.).
There are two key types:
- RSA (Rivest–Shamir–Adleman): a widely used asymmetric algorithm, mainly for encryption, digital signatures, and key exchange.
- EC (Elliptic Curve): a lightweight asymmetric method using elliptic curve cryptography, known for strong security with shorter key lengths, ideal for digital signatures and secure key generation.
Click Create.
✅ Use RSA when:
You need broad compatibility (RSA is more widely supported).
You're working with legacy systems or protocols like TLS, S/MIME, or JWTs that often default to RSA.
Your application performs encryption/decryption directly using Key Vault.
✅ Use EC when:
You want better performance with smaller key sizes (faster operations, less bandwidth).
You prioritize strong security with efficient key management (especially for mobile and IoT).
You are focused on digital signatures (EC is more efficient for signing/verification).
In summary: 🔐 RSA = Great for compatibility and encryption. 🌀 EC = Great for modern, lightweight, secure signing.
We have chosen an RSA key in our case.
You should now see the key under the Keys section.
13_6: Manually Rotating a Key
Go to Keys and select your created key.
Click + New Version.
Provide new key material or generate automatically.
Click Create.
The new version will appear in the version list.
13_7: Automating Key Rotation
Select the key and go to Rotation Policy.
Click Enable to activate auto-rotation.
Define key expiration and rotation intervals.
Click Save.
Azure will now rotate the key automatically based on your policy.
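Sections 13_5 to 13_7 map onto three Azure CLI operations: create the key, create a new version on demand, and attach a rotation policy. The script below is an added example for this page, not the lab's own code; the vault name kv-lab13-demo and key name lab13-rsa are placeholders. It goes a step beyond the portal steps by validating the policy before sending it: the rotation interval and the notification lead time must both be shorter than the key's expiry, otherwise the policy would expire the key before it is ever rotated or warned about.

```shell
#!/bin/sh
# Added example (not part of the original wiki): sections 13_5 to 13_7 as
# Azure CLI commands. Vault and key names are assumptions for illustration.
set -eu

AZ="${AZ:-az}"   # override with AZ=echo to print commands instead of running them

# 13_5: create a key. kty is RSA or EC as discussed in the lab. For RSA the
# last argument is the modulus size in bits; for EC it is the curve name.
create_key() {
  vault="$1"; key="$2"; kty="$3"; param="${4:-}"
  if [ "$kty" = "RSA" ]; then
    $AZ keyvault key create --vault-name "$vault" --name "$key" --kty RSA --size "${param:-2048}"
  else
    $AZ keyvault key create --vault-name "$vault" --name "$key" --kty EC --curve "${param:-P-256}"
  fi
}

# 13_6: manual rotation creates a new version; callers that reference the key
# without a version suffix pick up the newest version automatically.
rotate_key_now() {
  $AZ keyvault key rotate --vault-name "$1" --name "$2"
}

# Show every version so you can confirm the rotation took effect.
list_key_versions() {
  $AZ keyvault key list-versions --vault-name "$1" --name "$2" --query "[].kid" -o tsv
}

# True when the argument is a positive integer (number of days).
is_days() { case "$1" in ''|0|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# 13_7: build the rotation policy JSON from day counts, refusing policies
# where rotation or notification would never fire before the key expires.
rotation_policy_json() {
  rotate="$1"; notify="$2"; expire="$3"
  for v in "$rotate" "$notify" "$expire"; do
    is_days "$v" || { echo "expected positive day count, got '$v'" >&2; return 1; }
  done
  [ "$rotate" -lt "$expire" ] || { echo "rotation interval must be shorter than expiry" >&2; return 1; }
  [ "$notify" -lt "$expire" ] || { echo "notify lead time must be shorter than expiry" >&2; return 1; }
  printf '{\n  "lifetimeActions": [\n    { "trigger": { "timeAfterCreate": "P%sD" }, "action": { "type": "Rotate" } },\n    { "trigger": { "timeBeforeExpiry": "P%sD" }, "action": { "type": "Notify" } }\n  ],\n  "attributes": { "expiryTime": "P%sD" }\n}\n' \
    "$rotate" "$notify" "$expire"
}

# Apply the policy; --value accepts a path to a JSON policy file.
set_rotation_policy() {
  vault="$1"; key="$2"; rotate="$3"; notify="$4"; expire="$5"
  policy_file=$(mktemp)
  rotation_policy_json "$rotate" "$notify" "$expire" > "$policy_file"
  $AZ keyvault key rotation-policy update --vault-name "$vault" --name "$key" --value "$policy_file"
  rm -f "$policy_file"
}

# Run the whole flow only when explicitly asked (RUN_LAB=1 ./script.sh).
if [ "${RUN_LAB:-0}" = "1" ]; then
  create_key kv-lab13-demo lab13-rsa RSA 2048
  rotate_key_now kv-lab13-demo lab13-rsa
  list_key_versions kv-lab13-demo lab13-rsa
  set_rotation_policy kv-lab13-demo lab13-rsa 90 30 365   # rotate every 90 days, warn 30 days before a 1-year expiry
fi
```

The policy JSON produced here has the shape Key Vault expects: one lifetime action that rotates a fixed time after each version is created, one that raises an Event Grid notification before expiry, and an expiryTime applied to each new version. After the policy is in place, `list_key_versions` is the quick check that new versions keep appearing on schedule.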
13_8: Summary
🔐 Lab 13: Azure Key Vault Management
In this lab, you learn how to securely manage cryptographic keys using Azure Key Vault. The lab guides you through:
- Creating a Key Vault under a selected resource group and subscription.
- Assigning permissions using Azure Role-Based Access Control (RBAC), including the Key Vault Crypto Officer role for key-level operations.
- Generating cryptographic keys, with an explanation of RSA vs EC key types and when to use each.
- Manual key rotation by creating a new version of the existing key.
- Automating key rotation using built-in policies for enhanced security and compliance.