The point of the Azure Key Vault

A reminder to myself: the point of the Azure Key Vault is less about keeping keys safe from Microsoft and more about managing access to keys. :) Sure, you store keys in here and use them to encrypt disks etc., and you’d hope Microsoft doesn’t have access to the keys and can’t use them to decrypt your data… but that’s not the point of the Azure Key Vault.

The official docs have this line:

Finally, Azure Key Vault is designed so that Microsoft does not see or extract your data.

And that always makes me think “but how can I verify this statement?!”. Sure it is “designed” that way, but there are no real details on why the design is such that Microsoft cannot see or extract my data in the Key Vault, so can I really trust it?

Then today I had a flashbulb moment where I realized the Key Vault is really just for controlling access to keys within my tenant. You store keys, certs, or secrets in the Key Vault and then define which of your users or services may access them. Rather than storing a key in (say) a VM, you store these in a central place and simply control access to them.

If you want to hide keys from Microsoft you can use your own HSM. You could use Microsoft’s own HSM by going with a Premium SKU for the vault, or, even better, go with your own.

Azure Key Vaults may be either software-protected or, with the Azure Key Vault Premium tier, hardware-protected by hardware security modules (HSMs). Software-protected keys, secrets, and certificates are safeguarded by Azure, using industry-standard algorithms and key lengths. For situations where you require added assurance, you can import or generate keys in HSMs that never leave the HSM boundary.

You can generate a key within the HSM or import one. You can also import a key on the Standard SKU (i.e. not using an HSM). I guess that has its use if you want to bring an on-premises key into the vault, but if you are starting afresh there’s no difference and you might as well generate one in Azure Key Vault itself – it’s not like importing the key “hides” it from Microsoft. If you are using your own HSM, importing keys has been supported since May 2020 (I guess previously you could only generate new ones).
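As an added example (not from the original post), here is the model above in Az PowerShell: a Premium vault, one key generated inside the HSM beside one imported as software-protected, and RBAC grants scoped so each principal gets only the operations it needs. The resource group, vault name, key file path and object IDs are placeholders.

```powershell
# Added example, not from the original post. Resource names and object IDs are placeholders.
$rg    = 'rg-keyvault-demo'         # placeholder resource group (must already exist)
$vault = 'kv-demo-placeholder'      # placeholder vault name (must be globally unique)
$loc   = 'westeurope'

# Premium SKU enables HSM-protected keys; RBAC authorization replaces per-vault access policies,
# so access is managed with the same role assignments as the rest of the tenant.
New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location $loc -Sku Premium -EnableRbacAuthorization
$vaultId = (Get-AzKeyVault -VaultName $vault).ResourceId

# Generate a key inside the HSM: the private material never leaves the HSM boundary.
Add-AzKeyVaultKey -VaultName $vault -Name 'disk-encryption-key' -Destination HSM

# Import an existing on-premises key (placeholder path) as software-protected.
# As the post notes, importing does not "hide" the key from Microsoft.
Add-AzKeyVaultKey -VaultName $vault -Name 'imported-onprem-key' -KeyFilePath '.\onprem-key.pem' -Destination Software

# The actual point of the vault: least-privilege access per principal, at the narrowest scope.
# A VM's managed identity (placeholder object ID) may encrypt/decrypt/wrap with ONE key,
# but cannot read its private material, export it, or touch other keys in the vault.
$vmIdentityObjectId = '00000000-0000-0000-0000-000000000001'   # placeholder
$keyScope = "$vaultId/keys/disk-encryption-key"
New-AzRoleAssignment -ObjectId $vmIdentityObjectId -RoleDefinitionName 'Key Vault Crypto User' -Scope $keyScope

# An auditor (placeholder object ID) gets metadata-only visibility over the whole vault:
# Key Vault Reader cannot read secret values or key material.
$auditorObjectId = '00000000-0000-0000-0000-000000000002'      # placeholder
New-AzRoleAssignment -ObjectId $auditorObjectId -RoleDefinitionName 'Key Vault Reader' -Scope $vaultId

# Verify what is actually granted instead of trusting a design statement.
Get-AzRoleAssignment -Scope $vaultId | Select-Object DisplayName, RoleDefinitionName, Scope
```

Running the last line after each change is the practical check: the vault's value is that every principal's access to every key is enumerable in one place.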