Azure Key Vault is a cloud service provided by Microsoft Azure for securely storing and managing cryptographic keys, certificates, secrets, and other sensitive information. It is widely used to safeguard cryptographic keys and secrets used by cloud applications and services.
The Azure Key Vault plugin:
- Connects to your Azure Key Vault using Azure Active Directory (Azure AD) service principal authentication with client credentials.
- Discovers all certificates, keys, and secrets in the vault.
- X.509 certificates—the plugin does the following:
  - Discovers X.509 certificates stored in Azure Key Vault.
  - Exports the PEM-encoded certificate body in RFC 7468-compliant format.
  - Returns comprehensive certificate metadata.
- Asymmetric keys—the plugin discovers the following asymmetric keys and exports the PEM-encoded public key.

| Algorithm | Description |
|---|---|
| RSA | RSA-2048, RSA-3072, RSA-4096, RSA-HSM variants |
| Elliptic curve | P-256, P-384, P-521, P-256K, EC-HSM variants |
- Symmetric keys—the plugin discovers the following keys and exports metadata only. No key material is exported.

| Key type | Description |
|---|---|
| OKP | Ed25519 only; no HSM variant |
| OCT | Symmetric AES key (OCT-HSM variants) |
- Secrets—The plugin discovers generic secrets, including those containing PEM-encoded keys, but only exports metadata. Secret values are not retrieved. For example, if a secret contains a PEM-encoded private or symmetric key, it is classified and reported, but the key material is not exported.
In summary, the plugin exports PEM-encoded certificate bodies and, for asymmetric keys, PEM-encoded public keys, along with comprehensive metadata. For security reasons, private key bodies and symmetric key bodies are never exported; only metadata is returned for these asset types.
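As an added example (not the plugin's own code), the export policy described above applied to keys in Key Vault's JSON Web Key shape: RSA public keys are rendered as PEM, private and symmetric JWK members are always dropped, and every other key type is reported as metadata only. The vault URL and key values are constructed placeholders; EC keys keep their public JWK members, but the EC PEM encoding is left out to stay short.

```python
import base64

# Key Vault JSON Web Key "kty" values whose public half may be exported as PEM.
ASYMMETRIC_KTY = {"RSA", "RSA-HSM", "EC", "EC-HSM"}
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "k"}   # private / symmetric material
PUBLIC_MEMBERS = {"n", "e", "x", "y"}                      # public components

def _b64url_to_int(s):
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")

def _int_to_b64url(i):  # only used to build the constructed sample keys below
    return base64.urlsafe_b64encode(i.to_bytes((i.bit_length() + 7) // 8, "big")).rstrip(b"=").decode()

def _der(tag, body):  # minimal DER TLV encoder
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def _der_int(i):  # DER INTEGER; a leading 0x00 keeps a set high bit from reading as negative
    b = i.to_bytes(max(1, (i.bit_length() + 7) // 8), "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)

def rsa_public_key_pem(jwk):
    """RFC 8017 RSAPublicKey inside an RFC 5280 SubjectPublicKeyInfo, PEM per RFC 7468."""
    rsa_pub = _der(0x30, _der_int(_b64url_to_int(jwk["n"])) + _der_int(_b64url_to_int(jwk["e"])))
    alg_id = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    b64 = base64.b64encode(_der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def inventory_record(jwk, attributes):
    """Discovery record for one key: PEM for RSA, public JWK members for EC, metadata only otherwise."""
    kty = jwk["kty"]
    drop = PRIVATE_MEMBERS | (set() if kty in ASYMMETRIC_KTY else PUBLIC_MEMBERS)
    record = {k: v for k, v in jwk.items() if k not in drop}
    record.update(enabled=attributes.get("enabled"), exportable=attributes.get("exportable", False))
    record["public_key_pem"] = rsa_public_key_pem(jwk) if kty in ("RSA", "RSA-HSM") else None
    return record

# Constructed samples in Key Vault's JWK shape; the RSA modulus is a made-up 128-bit number,
# not a real key, and the vault URL is a placeholder.
SAMPLE_RSA = {"kid": "https://example-vault.vault.azure.net/keys/demo-rsa/1", "kty": "RSA",
              "n": _int_to_b64url(0xA1B2C3D4E5F60718293A4B5C6D7E8F90), "e": _int_to_b64url(65537),
              "key_ops": ["sign", "verify"]}
SAMPLE_OCT = {"kid": "https://example-vault.vault.azure.net/keys/demo-aes/1", "kty": "oct-HSM",
              "k": _int_to_b64url(0x0123456789ABCDEF0123456789ABCDEF), "key_ops": ["wrapKey"]}
```

Real Key Vault responses never include private members for non-exportable keys, but filtering on the client side keeps the inventory safe regardless of what the service returns.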