Key Vault Security Assurance

  • Question

  • Hello,

    What kind of security assurance does Azure Key Vault provide?

    The keys will be stored in an HSM, so I have the assurance that the device cannot be tampered with.

    But Azure Key Vault is "managing" the keys in terms of authorization: regardless of the key storage security, what assurance do we have in terms of Key Vault-level authorization tampering?

    Thanks

    Thursday, April 18, 2019 4:30 PM

All replies

  • Hello Amine, 

    Please go through this doc, which explains how to secure a key vault in detail. Feel free to come back with any questions you might have regarding this.

    Monday, April 22, 2019 5:43 AM
    Moderator
  • Let us know if you found the above reply useful and please remember to mark as answer so that others in the community who may have the same question can more easily find a solution.
    Thursday, May 2, 2019 11:11 PM
    Moderator
  • Thanks Manoj. That document explains how to secure access to Key Vault but does not answer my question.

    My question was about the technical assurance my organization could have against any unauthorized access from the cloud provider (MS here).

    I believe the answer is no, since it's a PaaS solution and so we cannot have full control, but I wanted to confirm.

    Saturday, May 4, 2019 9:15 PM
  • While the keys are stored in Azure, Key Vault is designed so that Microsoft does not see or extract your keys. When an application needs to perform cryptographic operations by using customer keys, Key Vault uses the keys on behalf of the application. For added assurance, you can import or generate keys in HSMs that are FIPS 140-2 Level 2 validated.

    https://docs.microsoft.com/en-us/azure/key-vault/key-vault-whatis

    https://docs.microsoft.com/en-us/azure-stack/user/azure-stack-key-vault-intro


    Wednesday, May 8, 2019 6:09 PM
    Moderator
  • Hi I’d like to follow up on this thread as we too have the same concerns as the original poster. I’ve been through the Microsoft documentation and I recognise the statement “…Key Vault is designed so that Microsoft does not see or extract your keys…”. What I’m looking for is a statement which confirms that Microsoft *cannot* see or extract keys from Key Vault. This is an important data privacy principle for us since we process sensitive customer data.


    Thanks

    Allan

    Wednesday, June 26, 2019 3:30 PM
  • Hi, is it possible that Marilee is able to provide a response to this post please? Both myself and Amine.G have indicated that we would like some clarification around Microsoft's ability or inability to access the Key Vault.

    Thanks

    Allan Winter

    Monday, July 22, 2019 9:33 AM
  • Hi Allan, 

    I am working internally to confirm this so that we can get the document updated. I will provide an update regarding this within a couple of days.  

    Tuesday, July 23, 2019 7:09 AM
    Moderator
  • Hi Allan,

    Please send us an email at AzCommunity@microsoft.com and we will put you in touch with a PM from the Key Vault team today who can discuss this with you in greater detail, confirm that Microsoft does not see or extract the keys, and explain the details of how the process works. 


    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Tuesday, July 23, 2019 10:36 PM
    Moderator
  • Hi, I dropped an email yesterday, 24/07/2019, as directed above, and am just waiting on a response.

    Thanks

    Allan

    Thursday, July 25, 2019 8:03 AM
  • Thanks Allan.

    I've looped you into an email with someone from the Key Vault team who will answer your question.

    I have also sent a reply.




    Thursday, July 25, 2019 6:53 PM
    Moderator
  • Hey Allan, please let me know if the reply was satisfactory and if you need anything else.


    Thursday, July 25, 2019 11:43 PM
    Moderator
  • Hey Allan, please let me know if the reply was satisfactory and if you need anything else.

    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Hey Marilee, the purpose of the community is to share knowledge, so please share any useful reply that was provided over email.

    Friday, July 26, 2019 8:49 AM
  • Any update please?
    Monday, August 5, 2019 6:08 PM
  • As mentioned before, this unfortunately is not information that I can post publicly, but the answer was shared in the email thread that you were looped into. 

    Feel free to reach me again at AzCommunity@microsoft.com, or at my personal email (linked in my profile), if you have further questions. 



    Monday, August 5, 2019 11:30 PM
    Moderator
  • Hi Amine,

    Let me know if the email resolved your concerns and if you have any more questions I can help with.

    Thanks,

    Marilee



    Wednesday, August 7, 2019 1:03 AM
    Moderator