About keys
Azure Key Vault provides two types of resources to store and manage cryptographic keys:
| Resource type | Key protection methods | Data-plane endpoint base URL |
|---|---|---|
| Vaults | Software-protected |
https://{vault-name}.vault.azure.cn |
- Vaults - Vaults provide a low-cost, easy to deploy, multi-tenant, zone-resilient (where available), highly available key management solution suitable for most common cloud application scenarios.
Note
Vaults also allow you to store and manage several types of objects like secrets, certificates and storage account keys, in addition to cryptographic keys.
Cryptographic keys in Key Vault are represented as JSON Web Key [JWK] objects. The JavaScript Object Notation (JSON) and JavaScript Object Signing and Encryption (JOSE) specifications are:
The base JWK/JWA specifications are also extended to enable key types unique to the Azure Key Vault implementation.
Key types and protection methods
Key Vault supports RSA, EC and symmetric keys.
Software-protected keys
| Key type | Vaults |
|---|---|
| RSA: "Software-protected" RSA key | Supported |
| EC: "Software-protected" Elliptic Curve key | Supported |
See Key types, algorithms, and operations for details about each key type, algorithms, operations, attributes, and tags.
Usage Scenarios
| When to use | Examples |
|---|---|
| Azure server-side data encryption for integrated resource providers with customer-managed keys | - Server-side encryption using customer-managed keys in Azure Key Vault |
| Client-side data encryption | - Client-Side Encryption with Azure Key Vault |
| Keyless TLS | - Use key Client Libraries |