Azure Key Vault
- Shone Pious
- 5 days ago
Updated: 4 days ago

In this blog:
This blog covers securing sensitive data in Azure with Key Vault and governance policies.
🛠️ Configuring Azure Key Vault
1️⃣ Go to Azure Portal → Search "Key Vaults"
Hit Create:

Key Vault settings:
Resource Group: RG-KeyVaultLab (I created a new resource group – click here to learn more about resource groups 👉https://spcyber.wixsite.com/shonepcyber/post/setting-up-an-azure-network-security-lab-az-500-study-series#viewer-lvxpi3484)
Key Vault Name: something like kv-shone-lab1
Region: same as your other labs (e.g., UK West)
Pricing Tier: Standard
Permission model: RBAC (VERY important!)

Public access: Allow all networks for now (we’ll tighten later)

✔️ Create the vault
✔️ Wait 10–20 seconds
🙊 Adding a secret
2️⃣ Add a Secret (The fun begins)
Before creating, make sure you have the appropriate permissions. To manage PIM, you will need an Entra P2 free trial.
My username is -- shonepious@spcyber150.onmicrosoft.com.
Once your new account is created, sign in to the Azure portal with this new account and create a subscription. To learn more about this trial, click here 👉https://spcyber.wixsite.com/shonepcyber/post/azure-identity-lab-securing-users-with-conditional-access-mfa-entra-id-p2#viewer-nl9ou42000

Go inside your Key Vault → Secrets → Generate/Import
Name: db-password
Value: superstrongpass123 (anything will do)
Click Create.
You now have a real secret stored securely, encrypted with a Microsoft-managed HSM key.

I couldn’t create the secret. This shows the importance of access policies in the key vault. This next section will take you through configuring the appropriate policies for accessing and performing activities on the secret/key/certificates themselves.

🚨 Key Vault Access Policies
So I have to go back to the Key Vault and set the access configuration to ‘Vault access policy’, then I need to create an access policy for the secrets – I'm going to select all.

I'm going to set myself as the service principal. I did the same for the key and certificate settings.

The secret has now been created!
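
Under the RBAC permission model, creating a vault does not grant data-plane access to its secrets, which is why the secret could not be created above. As an added example (not part of the original post), this Azure CLI script keeps the RBAC model and assigns the built-in Key Vault Secrets Officer role scoped to the vault, as an alternative to switching to vault access policies. The resource names come from the post; the function names, `MAX_TRIES`, `RETRY_SLEEP` and the `run` argument are assumptions.

```shell
#!/bin/sh
# Added example: keep the RBAC permission model and grant a data-plane role
# instead of switching the vault to access policies.
# Names come from the post; MAX_TRIES, RETRY_SLEEP and "run" are assumptions.
RG="RG-KeyVaultLab"
VAULT="kv-shone-lab1"
LOCATION="ukwest"
MAX_TRIES=6
RETRY_SLEEP=20

create_vault_rbac() {
  az group create --name "$RG" --location "$LOCATION" --output none &&
  az keyvault create --name "$VAULT" --resource-group "$RG" \
    --location "$LOCATION" --sku standard \
    --enable-rbac-authorization true --output none
}

# Creating a vault grants no data-plane rights under RBAC, so assign the
# built-in "Key Vault Secrets Officer" role, scoped to this vault only.
grant_secrets_officer() {
  me=$(az ad signed-in-user show --query id --output tsv) || return 1
  scope=$(az keyvault show --name "$VAULT" --query id --output tsv) || return 1
  az role assignment create --role "Key Vault Secrets Officer" \
    --assignee-object-id "$me" --assignee-principal-type User \
    --scope "$scope" --output none
}

# Role assignments can take a while to propagate, so retry on failure.
# Usage: set_secret NAME VALUE
set_secret() {
  tries=0
  until az keyvault secret set --vault-name "$VAULT" --name "$1" \
      --value "$2" --output none; do
    tries=$((tries + 1))
    [ "$tries" -ge "$MAX_TRIES" ] && return 1
    sleep "$RETRY_SLEEP"
  done
}

# Run end to end only when invoked as: sh script.sh run
if [ "${1:-}" = "run" ]; then
  printf 'Secret value: '; stty -echo; read -r value; stty echo; echo
  create_vault_rbac && grant_secrets_officer && set_secret db-password "$value"
fi
```

Scoping the role to the single vault rather than the resource group or subscription keeps the grant limited to the secrets in this lab.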

🔑 Generating a key
Go into the key vault, and tap create a key, and configure it as I have in the image below:

And that's the end of this short blog!
We have:
✔️ Created and configured a secure Key Vault in Azure.
✔️ Generated a Secret and a Key in the vault.
✔️ Configured access policies to allow us to perform actions on the keys, secrets and certificates in the vault.
