Azure Key Vault Keys

This page covers keys in Azure Key Vault (KV): the supported key types, the crypto operations and algorithms KV offers per key type, and the key management operations compared with CORE.

KV Key Types

The following table summarizes the supported KV key types and the key creation options, either native to KV (non-BYOK) or imported as BYOK (Bring Your Own Key).

Key type    Size/Curve                      non-BYOK    BYOK
RSA         2048, 3072, 4096
EC          P256, P384, P521, SECP256K1

Reference:

KV Crypto Operations and Algorithms

The following table summarizes the UID-based crypto operations supported by Azure KV for each key type.

Key type    Decrypt/Encrypt    Sign/Verify    Wrap/Unwrap
RSA
ECC (Elliptic-curve cryptography)

Note: when generating or importing the external keystore key via CORE, it is sufficient to specify Decrypt to enable both Decrypt and Encrypt in KV. The same applies to Sign (which also enables Verify) and to Unwrap (which also enables Wrap). See Azure KV Key Operations.

RSA algorithms (RSA keys of 2K, 3K and 4K bits)

Decrypt and Unwrap:
  • PKCS#1 v1.5 (Azure algorithm name RSA1_5)
  • OAEP (Optimal Asymmetric Encryption Padding) with SHA1 (RSA-OAEP)
  • OAEP with SHA256 (RSA-OAEP-256)

PKCS#1 v1.5 encryption and OAEP with SHA1 are retained for compatibility with existing consumers; prefer OAEP with SHA256 for new deployments.

Sign:
  • PSS (RSASSA-PSS) with SHA256, SHA384 or SHA512 (PS256, PS384, PS512)
  • PKCS#1 v1.5 with SHA256, SHA384 or SHA512 (RS256, RS384, RS512)

EC algorithms (ECC keys)

Sign:
  • P256 with SHA256 (ES256)
  • P384 with SHA384 (ES384)
  • P521 with SHA512 (ES512)
  • SECP256K1 with SHA256 (ES256K)
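The following is an added example, not code from the original page, from CORE or from the Azure SDK. It models locally what the two tables above describe: a key carries a per-key operation policy (the KV key_ops list), an algorithm is valid only for a matching key type and operation family, and selecting one side of a pair (Decrypt, Sign, Unwrap) on the CORE side enables both sides in KV. The algorithm identifiers are the ones Azure Key Vault uses; the KvKey class, check_policy() and the helper names are assumptions made for this example, and the private key stays local (a real KV key never leaves the vault). It requires the 'cryptography' package.

```python
"""Local model of Azure Key Vault's per-key operation policy and algorithm set.

Added example, not Azure SDK code and not part of CORE: the key_ops values and
the algorithm names (RSA1_5, RSA-OAEP-256, PS256, ES256, ...) are the identifiers
Azure Key Vault uses; KvKey and check_policy() are constructed here to show how
the policy gates each operation. Requires the 'cryptography' package.
"""
from dataclasses import dataclass, field

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa

# Azure KV algorithm identifier -> (key type, operation family).
ALGORITHMS = {
    "RSA1_5": ("RSA", "encrypt"),        # PKCS#1 v1.5 encryption (legacy)
    "RSA-OAEP": ("RSA", "encrypt"),      # OAEP with SHA-1 (legacy)
    "RSA-OAEP-256": ("RSA", "encrypt"),  # OAEP with SHA-256
    "RS256": ("RSA", "sign"), "RS384": ("RSA", "sign"), "RS512": ("RSA", "sign"),
    "PS256": ("RSA", "sign"), "PS384": ("RSA", "sign"), "PS512": ("RSA", "sign"),
    "ES256": ("EC", "sign"), "ES384": ("EC", "sign"), "ES512": ("EC", "sign"),
    "ES256K": ("EC", "sign"),
}
# Family of each key_ops entry; wrapKey/unwrapKey reuse the RSA encryption algorithms.
OP_FAMILY = {"encrypt": "encrypt", "decrypt": "encrypt", "wrapKey": "encrypt",
             "unwrapKey": "encrypt", "sign": "sign", "verify": "sign"}
# Selecting one side of a pair in CORE enables both sides in KV (see the note above).
IMPLIED = {"decrypt": "encrypt", "sign": "verify", "unwrapKey": "wrapKey"}
CURVES = {"P-256": ec.SECP256R1, "P-384": ec.SECP384R1, "P-521": ec.SECP521R1,
          "P-256K": ec.SECP256K1}


def expand_key_ops(requested):
    """Turn the operations selected in CORE into the key_ops list KV would hold."""
    ops = set(requested)
    ops.update(IMPLIED[op] for op in requested if op in IMPLIED)
    return sorted(ops)


@dataclass
class KvKey:
    """A key as KV holds it: type, per-key policy (key_ops), and private material (local here)."""
    kty: str
    key_ops: list
    curve: str = "P-256"
    size: int = 2048
    _priv: object = field(default=None, repr=False)

    def __post_init__(self):
        if self.kty == "RSA":
            self._priv = rsa.generate_private_key(public_exponent=65537, key_size=self.size)
        else:
            self._priv = ec.generate_private_key(CURVES[self.curve]())


def _hash(alg):
    bits = 256 if alg == "ES256K" else int(alg[-3:])
    return {256: hashes.SHA256, 384: hashes.SHA384, 512: hashes.SHA512}[bits]()


def _enc_padding(alg):
    if alg == "RSA1_5":
        return padding.PKCS1v15()
    h = hashes.SHA1() if alg == "RSA-OAEP" else hashes.SHA256()
    return padding.OAEP(mgf=padding.MGF1(algorithm=h), algorithm=h, label=None)


def _sig_padding(alg):
    if alg.startswith("PS"):  # RSASSA-PSS with salt length = hash length, as in JWA
        return padding.PSS(mgf=padding.MGF1(_hash(alg)), salt_length=_hash(alg).digest_size)
    return padding.PKCS1v15()


def check_policy(key, op, alg):
    """Reject an operation that the algorithm/key-type pairing or the key's key_ops forbids."""
    kty, family = ALGORITHMS[alg]
    if kty != key.kty or OP_FAMILY[op] != family:
        raise ValueError(f"{alg} cannot be used for {op} on a {key.kty} key")
    if op not in key.key_ops:
        raise PermissionError(f"key_ops {key.key_ops} does not permit {op}")


def encrypt(key, alg, plaintext, op="encrypt"):
    """encrypt, or wrapKey when op='wrapKey', under an RSA encryption algorithm."""
    check_policy(key, op, alg)
    return key._priv.public_key().encrypt(plaintext, _enc_padding(alg))


def decrypt(key, alg, ciphertext, op="decrypt"):
    """decrypt, or unwrapKey when op='unwrapKey'."""
    check_policy(key, op, alg)
    return key._priv.decrypt(ciphertext, _enc_padding(alg))


def sign(key, alg, data):
    check_policy(key, "sign", alg)
    if key.kty == "RSA":
        return key._priv.sign(data, _sig_padding(alg), _hash(alg))
    return key._priv.sign(data, ec.ECDSA(_hash(alg)))


def verify(key, alg, data, signature):
    """True for a valid signature, False for a bad one; raises if the policy forbids verify."""
    check_policy(key, "verify", alg)
    pub = key._priv.public_key()
    try:
        if key.kty == "RSA":
            pub.verify(signature, data, _sig_padding(alg), _hash(alg))
        else:
            pub.verify(signature, data, ec.ECDSA(_hash(alg)))
    except InvalidSignature:
        return False
    return True
```

Creating `KvKey("RSA", expand_key_ops(["decrypt", "sign"]))` yields key_ops of decrypt, encrypt, sign and verify, so `encrypt(..., op="wrapKey")` on that key is refused by policy even though the algorithm itself is valid; this mirrors KV enforcing key_ops per key, whereas a CORE partition policy applies to every key in the partition.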

KV Key Management Operations

The following table compares CORE and KV key management options and references the Key Vault documentation for further details. For each operation it lists the CORE/KV differences and the relevant KV reference topic.

Operation    CORE    KV    Comment / Differences    Reference

Generate
  • Creating a key with an existing name in KV generates a new version of that key.
  Reference: Create Key

Import
  Reference: Import Key; BYOK Import

Key policy
  • CORE provides a fine-grained policy down to the level of permitted and restricted operations and algorithm parameters (size, hash, padding, mode). The policy is defined per partition and applies to all keys in the partition.
  • The KV crypto-operation policy (key_ops) is defined per key.

Delete / Destroy
  • CORE provides three flavors of delete: Revoke, Discard and Delete. All three are irreversible.
  • Upon creation, a key is marked as 'purgeable', which allows the key to be erased by a privileged user, or by the system at the end of its retention period.
  • KV provides Delete and Purge:
    • A delete can be reversed while the key is in the soft-deleted state.
    • A purge is final.
    • Applied to a rotated key, delete or purge affects all versions in the chain.
  Reference: Delete Key; Deletion Recovery Level; Purge Key

Cancellation of Delete
  • Once a deleted key is restored (recovered) in KV, you can link to it from CORE. A BYOK (Bring Your Own Key) key becomes a linked key.
  Reference: Soft Delete

Activate / Revoke
  • KV allows specifying 'not before' and 'expiry' dates on a key.
  Reference: Update Key

Enable

Disable

Rekey / Rotate
  • A key must be rotated only by KV, not from CORE.
  • KV keeps every rotated key as a version of the original key. Linked keys in CORE track the chain of rekeyed versions.
  Reference: Key Rotation

Get Info
  • KV key metadata includes:
    • time parameters: created, updated, not before, not after (expiry)
    • recovery parameters: soft-delete retention days and the recovery level (the privileges required to recover a key).
  Reference: Get Key; Key attributes

Get Public
  • KV requires the key version to be specified.
  Reference: Get Key

Get Private
  • Exporting private or secret key material from Azure KV is not supported.

Backup / Restore
  • KV allows backing up individual keys for transfer to another key vault; a backup can only be restored into a vault in the same Azure subscription and geography.
  • KV also provides a 'full' backup to Azure storage containers.
  • CORE provides full backup and secure transfer of keys to/from the air-gapped vault.
  Reference: Key Backup; Full Backup

Note: the ≈ sign indicates the availability of alternatives.
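The following is an added example, not code from the original page, from CORE or from the Azure SDK. It works through the KV-side facts in the table above: a key has versions ordered by creation time (the chain CORE tracks as linked keys), each version carries enabled / not-before / expiry attributes, the recovery level says whether a purge is allowed, and a key must be addressed by a versioned identifier. The key identifier format (https://{vault}.vault.azure.net/keys/{name}/{version}) and the attribute names (enabled, nbf, exp, created, updated, recoveryLevel, recoverableDays, all times as Unix seconds) are those Azure Key Vault returns; the version listing is constructed for this example and the function names are assumptions. It needs only the Python standard library.

```python
"""Select the usable version of an Azure Key Vault key from its version listing.

Added example, not part of the original page, of CORE or of the Azure SDK. The
key-identifier format and attribute names are those Azure Key Vault returns; the
sample listing below is constructed (a vault named contoso-kv is assumed).
"""
import json
from urllib.parse import urlparse

# Constructed sample of what GET {vault}/keys/{name}/versions returns (abridged).
SAMPLE_VERSIONS = json.loads("""
{"value": [
  {"kid": "https://contoso-kv.vault.azure.net/keys/app-signing/0f4c4c6c5d7a4f0e9d2e5c6b7a8f9e0d",
   "attributes": {"enabled": true, "created": 1700000000, "updated": 1700000000,
                  "nbf": 1700000000, "exp": 1705000000,
                  "recoveryLevel": "Recoverable", "recoverableDays": 90}},
  {"kid": "https://contoso-kv.vault.azure.net/keys/app-signing/1a2b3c4d5e6f47089a0b1c2d3e4f5a6b",
   "attributes": {"enabled": true, "created": 1704000000, "updated": 1704000000,
                  "nbf": 1704000000, "exp": 1720000000,
                  "recoveryLevel": "Recoverable", "recoverableDays": 90}},
  {"kid": "https://contoso-kv.vault.azure.net/keys/app-signing/9e8d7c6b5a4f43e2b1a0f9e8d7c6b5a4",
   "attributes": {"enabled": false, "created": 1708000000, "updated": 1708500000,
                  "nbf": 1708000000,
                  "recoveryLevel": "Recoverable", "recoverableDays": 90}}
]}
""")


def parse_kid(kid):
    """Split a key identifier into (vault host, key name, version).

    Raises ValueError unless the path is exactly /keys/{name}/{version}: an
    unversioned identifier is not enough to address a specific public key.
    """
    u = urlparse(kid)
    parts = u.path.strip("/").split("/")
    if u.scheme != "https" or len(parts) != 3 or parts[0] != "keys" or not parts[2]:
        raise ValueError(f"not a versioned key identifier: {kid}")
    return u.netloc, parts[1], parts[2]


def is_usable(attrs, now):
    """A version can perform crypto operations only if enabled and inside its nbf/exp window."""
    if not attrs.get("enabled", False):
        return False
    if attrs.get("nbf") is not None and now < attrs["nbf"]:
        return False
    if attrs.get("exp") is not None and now >= attrs["exp"]:
        return False
    return True


def rotation_chain(listing):
    """All versions, oldest to newest by creation time (the chain CORE tracks as linked keys)."""
    return sorted(listing["value"], key=lambda item: item["attributes"]["created"])


def latest_version(listing):
    """The version KV treats as current, regardless of whether it is enabled or in its window."""
    return rotation_chain(listing)[-1]["kid"]


def current_usable_version(listing, now):
    """Newest version that is enabled and within its activation window, or None."""
    for item in reversed(rotation_chain(listing)):
        if is_usable(item["attributes"], now):
            return item["kid"]
    return None


def purge_allowed(attrs):
    """True when the recovery level permits a purge (no purge protection on the vault)."""
    return "Purgeable" in attrs.get("recoveryLevel", "")


if __name__ == "__main__":
    now = 1710000000
    print("latest:", parse_kid(latest_version(SAMPLE_VERSIONS))[2])
    print("usable:", parse_kid(current_usable_version(SAMPLE_VERSIONS, now))[2])
    for item in rotation_chain(SAMPLE_VERSIONS):
        a = item["attributes"]
        print(parse_kid(item["kid"])[2][:8], "enabled" if a["enabled"] else "disabled",
              "usable" if is_usable(a, now) else "not usable",
              "purge-allowed" if purge_allowed(a) else "purge-protected")
```

In the sample the newest version is disabled, so the version KV reports as latest is not the one that can sign; a consumer that links to a key by name only, or that assumes the latest version is active, fails at the first operation. The same check applies on the CORE side when following the linked-key chain after a rotation. A recovery level of "Recoverable" (without "Purgeable") means a deleted key stays recoverable for recoverableDays and cannot be purged early.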