Key auto-rotation in Azure Key Vault now GA!

Related post: Key auto-rotation in Azure Key Vault (preview)

Automated key rotation in Key Vault allows users to configure Key Vault to automatically generate a new key version at a specified frequency. You can use a rotation policy to configure rotation for each individual key. Our recommendation is to rotate encryption keys at least every two years to meet cryptographic best practices.

This feature enables end-to-end zero-touch rotation for encryption at rest for Azure services with customer-managed keys (CMK) stored in Azure Key Vault. Please refer to the specific Azure service documentation to see whether the service covers end-to-end rotation.

And now it's Generally Available!

What's the deal, and what changed after GA?

I wrote about key auto-rotation in December when it came out. So let's see what has changed since December.

Permissions required

Key Vault key rotation feature requires key management permissions. You can assign a “Key Vault Administrator” role to manage rotation policy and on-demand rotation.

For more information on how to use the RBAC permission model and assign Azure roles, see: Use Azure RBAC to control access to keys, certificates and secrets.

Let’s explore the options

You have two different permission models to choose from:

RBAC based

Vault access policy

RBAC-based permission model

You have a Key Vault and want to create a new key with a rotation policy for it.

You will then be shown the following error.

Go to Access control and add a role assignment.

Add the Key Vault Administrator role.

Here you can add users, groups, service principals or even managed identities.

What are managed identities?

I'll choose users for demonstration purposes. You can check your rights from the same pane.

Then back to key rotation.

Now you can enable key rotation. In my example I set the expiration time to 1 year and the rotation time to 355 days, as it has to be lower than 358 days.

And with the access-policy-based permission model.

You have to add the “Get Rotation Policy” permission.

Go to Access policies and add “Get Rotation Policy”.

Go back to Keys and you will see the same options for adding key rotation.

Trusted services

Here's a list of trusted services that are allowed to access a key vault if the Allow trusted services option is enabled.

Trusted service | Supported usage scenarios
--- | ---
Azure Virtual Machines deployment service | Deploy certificates to VMs from customer-managed Key Vault.
Azure Resource Manager template deployment service | Pass secure values during deployment.
Azure Disk Encryption volume encryption service | Allow access to BitLocker Key (Windows VM) or DM Passphrase (Linux VM), and Key Encryption Key, during virtual machine deployment. This enables Azure Disk Encryption.
Azure Backup | Allow backup and restore of relevant keys and secrets during Azure Virtual Machines backup, by using Azure Backup.
Exchange Online & SharePoint Online | Allow access to customer key for Azure Storage Service Encryption with Customer Key.
Azure Information Protection | Allow access to tenant key for Azure Information Protection.
Azure App Service | App Service is trusted only for deploying Azure Web App Certificate through Key Vault; for an individual app itself, the outbound IPs can be added in Key Vault's IP-based rules.
Azure SQL Database | Transparent Data Encryption with Bring Your Own Key support for Azure SQL Database and Azure Synapse Analytics.
Azure Storage | Storage Service Encryption using customer-managed keys in Azure Key Vault.
Azure Data Lake Store | Encryption of data in Azure Data Lake Store with a customer-managed key.
Azure Synapse Analytics | Encryption of data using customer-managed keys in Azure Key Vault.
Azure Databricks | Fast, easy, and collaborative Apache Spark–based analytics service.
Azure API Management | Deploy certificates for Custom Domain from Key Vault using MSI.
Azure Data Factory | Fetch data store credentials in Key Vault from Data Factory.
Azure Event Hubs | Allow access to a key vault for customer-managed keys scenario.
Azure Service Bus | Allow access to a key vault for customer-managed keys scenario.
Azure Import/Export | Use customer-managed keys in Azure Key Vault for Import/Export service.
Azure Container Registry | Registry encryption using customer-managed keys.
Azure Application Gateway | Using Key Vault certificates for HTTPS-enabled listeners.
Azure Front Door | Using Key Vault certificates for HTTPS.


You can also add key rotation to an ARM template with the following.
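The rotation policy from the walkthrough above (expiry 1 year, rotate after 355 days) in the JSON shape that the Key Vault data-plane API, the Azure CLI rotation-policy commands and the ARM key resource's rotationPolicy property all accept, plus a small audit of a policy read back from a vault. This is an added example, not code from the post or from Microsoft; the 7-day gap constant reflects the post's "lower than 358 days" remark for a 1-year expiry, and the month-to-days conversion is an approximation I chose.

```python
import json
import re

MAX_RECOMMENDED_EXPIRY_DAYS = 2 * 365   # the post's "rotate at least every two years"
MIN_GAP_DAYS = 7                        # rotation must sit at least 7 days before expiry (assumption from the post)


def days(iso_duration: str) -> int:
    """Convert a P<n>Y / P<n>M / P<n>D ISO 8601 duration to whole days (30-day months, approximation)."""
    m = re.fullmatch(r"P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?", iso_duration)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {iso_duration}")
    y, mo, d = (int(g) if g else 0 for g in m.groups())
    return y * 365 + mo * 30 + d


def rotation_policy(expiry: str, rotate_after: str, notify_before: str = "P30D") -> dict:
    """Policy that auto-rotates <rotate_after> after creation and raises a Notify event before expiry."""
    # Mirrors the portal check the post hit: with expiryTime P1Y the rotation time must be below 358 days.
    if days(rotate_after) >= days(expiry) - MIN_GAP_DAYS:
        raise ValueError("rotation time must be at least 7 days before expiry")
    return {
        "lifetimeActions": [
            {"trigger": {"timeAfterCreate": rotate_after}, "action": {"type": "Rotate"}},
            {"trigger": {"timeBeforeExpiry": notify_before}, "action": {"type": "Notify"}},
        ],
        "attributes": {"expiryTime": expiry},
    }


def audit_policy(policy: dict) -> list:
    """Findings for a policy read back from a vault: keys that never expire or are never rotated."""
    findings = []
    expiry = policy.get("attributes", {}).get("expiryTime")
    if expiry is None:
        findings.append("no expiryTime: key versions never expire")
    elif days(expiry) > MAX_RECOMMENDED_EXPIRY_DAYS:
        findings.append(f"expiryTime {expiry} exceeds the two-year recommendation")
    actions = policy.get("lifetimeActions", [])
    if not any(a.get("action", {}).get("type", "").lower() == "rotate" for a in actions):
        findings.append("no Rotate action: key is never auto-rotated")
    return findings


if __name__ == "__main__":
    # Save this output to a file and pass it to the CLI or paste it into the template.
    print(json.dumps(rotation_policy("P1Y", "P355D"), indent=2))
```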

Monitoring Key Vault with Event Grid

Key Vault integration with Event Grid allows users to be notified when the status of a secret stored in key vault has changed. A status change is defined as a secret that is about to expire (30 days before expiration), a secret that has expired, or a secret that has a new version available. Notifications for all three secret types (key, certificate, and secret) are supported.
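Triage logic for the three event kinds described above, run over a constructed Event Grid batch; added here as an example and not part of the post. The event type names and the data fields (VaultName, ObjectType, ObjectName, Version, EXP) follow the Key Vault Event Grid schema; the sample events, vault name and object names are constructed.

```python
import json
from collections import defaultdict

# Constructed sample batch (not captured from a real vault): one key that was rotated after its
# warning, one secret that expired, and one certificate still waiting for a new version.
SAMPLE_BATCH = json.dumps([
    {"eventType": "Microsoft.KeyVault.KeyNearExpiry", "eventTime": "2022-03-01T00:00:00Z",
     "data": {"VaultName": "kv-demo", "ObjectType": "Key", "ObjectName": "cmk-storage",
              "Version": "v1", "EXP": 1648771200}},
    {"eventType": "Microsoft.KeyVault.KeyNewVersionCreated", "eventTime": "2022-03-02T00:00:00Z",
     "data": {"VaultName": "kv-demo", "ObjectType": "Key", "ObjectName": "cmk-storage",
              "Version": "v2", "EXP": 1680307200}},
    {"eventType": "Microsoft.KeyVault.SecretNearExpiry", "eventTime": "2022-03-01T00:00:00Z",
     "data": {"VaultName": "kv-demo", "ObjectType": "Secret", "ObjectName": "db-conn",
              "Version": "v1", "EXP": 1648771200}},
    {"eventType": "Microsoft.KeyVault.SecretExpired", "eventTime": "2022-04-01T00:00:00Z",
     "data": {"VaultName": "kv-demo", "ObjectType": "Secret", "ObjectName": "db-conn",
              "Version": "v1", "EXP": 1648771200}},
    {"eventType": "Microsoft.KeyVault.CertificateNearExpiry", "eventTime": "2022-03-05T00:00:00Z",
     "data": {"VaultName": "kv-demo", "ObjectType": "Certificate", "ObjectName": "tls-web",
              "Version": "v1", "EXP": 1649376000}},
])

# Status derived from the most recent event seen for an object.
STATUS_BY_SUFFIX = {
    "NearExpiry": "needs-rotation",   # 30-day warning with no newer version yet
    "NewVersionCreated": "rotated",   # rotation happened; re-point consumers that are not zero-touch
    "Expired": "expired",             # consumers of this version will start failing
}


def triage(batch_json: str) -> dict:
    """Return {"vault/ObjectType/name": status} from an Event Grid batch of Key Vault events."""
    by_object = defaultdict(list)
    for ev in json.loads(batch_json):
        if not any(ev["eventType"].endswith(s) for s in STATUS_BY_SUFFIX):
            continue  # other Key Vault events are out of scope here
        d = ev["data"]
        by_object[f'{d["VaultName"]}/{d["ObjectType"]}/{d["ObjectName"]}'].append(ev)
    result = {}
    for obj, events in by_object.items():
        latest = max(events, key=lambda e: e["eventTime"])  # ISO 8601 UTC sorts lexically
        suffix = next(s for s in STATUS_BY_SUFFIX if latest["eventType"].endswith(s))
        result[obj] = STATUS_BY_SUFFIX[suffix]
    return result


def needs_action(batch_json: str) -> list:
    """Objects that should page someone: expired, or warned without a newer version."""
    return sorted(o for o, s in triage(batch_json).items() if s != "rotated")
```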

What are the limitations for Key Vault?

Key transactions (maximum transactions allowed in 10 seconds, per vault per region (1))

Key type | HSM key: CREATE key | HSM key: all other transactions | Software key: CREATE key | Software key: all other transactions
--- | --- | --- | --- | ---
RSA 2,048-bit | 5 | 1,000 | 10 | 2,000
RSA 3,072-bit | 5 | 250 | 10 | 500
RSA 4,096-bit | 5 | 125 | 10 | 250
ECC P-256 | 5 | 1,000 | 10 | 2,000
ECC P-384 | 5 | 1,000 | 10 | 2,000
ECC P-521 | 5 | 1,000 | 10 | 2,000
ECC SECP256K1 | 5 | 1,000 | 10 | 2,000

Secrets, managed storage account keys, and vault transactions

Transaction type | Maximum transactions allowed in 10 seconds, per vault per region (1)
--- | ---
All transactions | 2,000

(1) The subscription-wide limit for all transaction types is five times the per-key-vault limit. For example, HSM "all other" transactions per subscription are limited to 5,000 transactions in 10 seconds per subscription.

Backup keys, secrets, certificates

Transaction type | Maximum key vault object versions allowed
--- | ---
Backup individual key, secret, certificate | 500

Azure Private Link integration

Limit | Value
--- | ---
Private endpoints per key vault | 64
Key vaults with private endpoints per subscription | 400

So how does it compare?

The options are identical from Public Preview to Generally Available, nice! Use it today for your vaults!

Author: Harri Jaakkonen
