Azure Key Vault

We are listening! Please take a few moments to submit your ideas or up-vote already submitted ideas by others. Azure Key Vault team regularly monitors and reviews all feedback submitted on this forum. You will be one of the first to know when a requested feature will be worked on! So be sure to vote or submit your ideas! Remember this site is for feature suggestions and ideas. For technical questions please try documentation, MSDN Forum or StackOverFlow

Do you have an idea or a suggestion for Azure Key Vault based on your experience?

(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

  1. Support storing certificates without private keys

    Right now keyvault doesn't allow storing a certificate WITHOUT the private key in the keyvault. This is useful for a number of use-cases, eg:

    * storing an internal CA public cert in the same place other internal certs are stored
    * Store the public cert for trusted clients, where the private key is only on the client

    The "workaround" right now is to store unsupported cert forms either in a storage account, or as secrets. Storage accounts aren't ideal b/c they are conceptually separate and are not audited in the same way; and don't support the same ability to browse…

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  2. Allow more than 24 characters for key vault name length

    Please allow more than 24 characters for key vault name length. Using a standard naming convention across Azure resources that includes the resource type, region, and landscape doesn't leave many characters for the key vault name. Web Apps also utilize globally unique DNS names and support up to 60 characters. Supporting up to 60 character names would make it easier for us to use our standardized naming convention.

    67 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  3. Notify Users when secrets/keys are expiring

    Currently certificates management supports email notification when certificates are expiring. Wouldn't it be great to have the same functionality for keys and secrets?

    136 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    27 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  4. Export Certificate as PKCS12/PFX Does Not Provide Passphrase Encoding

    Export Certificate as PKCS12/PFX Does Not Provide Passphrase Encoding.

    According to PCKS #12 we should have a password to protect the private key that is exported with the cert. Currently the key vault gives you a warning during export/download that no password is used, however it doesn't provide the capability to provide a passphrase.

    Strangely enough the API Manager and other Azure Resources require imported certificates to have a passphrase. This makes the two services fairly incompatible.

    It would be good if Certificates exported from KeyVaults have the option to protect the private key with a passphrase as per PKCS…

    19 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  5. Update Key Vault EC Key SECP256K1 curve name to P-256K

    Currently there exists a breaking discrepancy between Azure Portal and Azure CLI.

    When you create an EC Key via the Portal, the curve name in question is labelled as SECP256K1, and expects the signing algorithm to be ECDSA256.

    This is the legacy naming convention (keyvault-preview). See https://docs.microsoft.com/en-us/cli/azure/ext/keyvault-preview/keyvault/key?view=azure-cli-latest#ext-keyvault-preview-az-keyvault-key-create

    When you create the same type of key via Azure CLI, the curve name is P-256K and expects the signing algorithm to be ES256. This is the "release" naming convention. See https://docs.microsoft.com/en-us/cli/azure/keyvault/key?view=azure-cli-latest#az-keyvault-key-create

    Functionally, these keys are identical. But the discrepancy in the naming convention makes it difficult for a project to support keys…

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Flag idea as inappropriate…  ·  Admin →
  6. Simplify key rotation process

    Make it easier to rotate keys. Currently, when creating a new version it becomes the default version immediately - which makes the process very risky. It will be better to be able to do this process manually (marking a key as default) - so I can do it when I'm ready. Or, even better - support decrtpting using the old keys like AWS KMS or GCP KMS are doing.

    References:
    https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
    https://cloud.google.com/kms/docs/key-rotation

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  7. ARM Template for KeyVault to have AccessPolicies non-mandatory

    Hi,
    It would be better for idempotency and the ability to create Keyvault first, with additional incrementally run ARM templates to have AccessPolicies as non-mandatory.

    It is already possible to incrementally add AccessPolicies once you have a KeyVault, but it is not possible to create or update a Keyvault via ARM without specifying the AccessPolicies... which is a problem for update - you need to know all the existing AccessPolicies before you do the update or it will get reverted to whatever you specify.

    51 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    7 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  8. Secret Names do not support special characters

    In order for our organization to fully adopt Azure Key Vault for managing passwords and secrets we need to be able to support at a minimum allowing _ (underscrores) and other special characters in the naming convention as we have hundreds of names that contain underscores in them such as account_test, account_prd, etc..

    Reading through the documentation online I can't find any technical reason as to why special characters aren't supported but this is a show stopper at this point for us until this is added/supported.

    66 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    12 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  9. Include Azure Automation on Key Vault Firewall under "Trusted Microsoft Services"

    Currently, Azure Automation accesses Azure Key Vaults through public endpoints (Azure Data Center Public IPs). As such, Automation cannot function unless a firewall exclusion is in place in the key vault settings. Unfortunately, Azure has hundreds of public IP addresses, which could change at a moments notice. This, in effect, negates use of the Key Vault firewall altogether and requires you to allow incoming untrusted networks.

    There is a firewall setting "Allow Trusted Microsoft Services", which allows select services to bypass the firewall. Automation is *not* included in this list. It would be a great help to include it; immediately…

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  10. Azure Key Vault should support KMIP

    Lack of support for KMIP (Key Management Interoperability Protocol) in Azure Key Vault requires applications already using this industry standard to be partially rewritten. Azure Key Vault should support KMIP.

    14 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  11. include functions as a trusted service in key vault firewall exceptions

    Include functions as a trusted service in key vault firewall exceptions. Why wouldn't you include all Azure services - unless we don't trust Azure PaaS anymore? ;-)

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →

    Thanks for the valid suggestion. Your feedback is now open for the user community to up-vote & comment on. This allows us to effectively prioritize your request against our existing feature backlog and also gives us insight into the potential impact of implementing the suggested feature.

  12. Improve PowerShell error messages

    Hello,

    I found an issue that when calling get-AzKeyVaultSecret from PS, it returns useless error "forbidden". When instead I call az keyvault secret show from Bash, i get error that "IP address *** not allowed".

    PS Azure:\> Get-AzKeyVaultSecret -vaultname tbtest3-kv
    Get-AzKeyVaultSecret : Operation returned an invalid status code 'Forbidden'
    At line:1 char:1
    + Get-AzKeyVaultSecret -vaultname tbtest3-kv
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : CloseError: (:) [Get-AzKeyVaultSecret], KeyVaultErrorException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.GetAzureKeyVaultSecret

    tomas@Azure:~$ az keyvault secret show --name "AppSecret" --vault-name "tbtest3-kv"
    Client address (137.117.226.47) is not authorized and caller is not a trusted service

    The IP restriction is intentional, but it appears so…

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  13. Per-secret/key/certificate access control

    Currently it's an all or nothing model. To grant a user account or app id access to one secret, you have to grant it access to the entire vault (as far as I can tell). This eliminates the possibility of least privilege access to secrets. In this model, the only way to create security boundaries for individual secrets is to create additional key vaults, which could get out of control fast if we need one key vault per application per environment. A better model would be to have independent access controls on both the vault and the individual secrets.

    For…

    213 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  18 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  14. Support encryption/decryption for Elliptic Curve Cryptography, eg. for ECDH

    Currently only Sign and Verify action can be executed with elliptic curve (EC) keys. Add a possibility to use EC keys also for encryption and decryption (together with counterpart public key).
    For example, EC keys are used for encryption/decryption in steem blockchain.

    10 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  15. The Key vault should not allow it to be deleted

    The Key vault should not allow it to be deleted, as long as it has associations with other resources. In Azure the vast majority of resources have this restriction, for a resource as important as the Key Vault should also have this validation before allowing its elimination.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  16. Active Directory Certificate Service as external CA Provider

    Create an integration that allows the use of an existing on-prem or Azure VM Active Directory Certificate Services' CA to issue certificates.

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Certificates  ·  Flag idea as inappropriate…  ·  Admin →
  17. Snapshot Entire Vault for Backup and Restore

    The current backup/restore solution for Keyvault keys, secrets and certs takes a lot of time to perform.
    It would be great if you could snapshot a whole Keyvault and save the backup. This would allow restore to use that backup snapshot.

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  18. Add support for PGP keys

    Many of our vendors require us to send them files via SFTP using their public encryption keys most of which are PGP keys. As we start to migrate our Managed File Transfer service to Azure we'd like to leverage storing these keys in Azure Key Vault

    3 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Managing application secrets  ·  Flag idea as inappropriate…  ·  Admin →
  19. Support for Ed25519 SSH keys in Azure Key Vault

    as per https://docs.microsoft.com/en-us/azure/virtual-machines/linux/mac-create-ssh-keys
    'Azure currently supports SSH protocol 2 (SSH-2) RSA public-private key pairs with a minimum length of 2048 bits. Other key formats such as ED25519 and ECDSA are not supported.'

    As ED25519 standard is more and more popular, also faster, more secure and supported out of the box on likes of Ubuntu and other platforms using latest OpenSSH it would be very handy addition.

    2 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
  20. Fix the article on Key Vault backups

    This article https://blogs.technet.microsoft.com/kv/2018/07/20/announcing-backup-and-restore-of-keys-secrets-and-certificates/ has some pretty major errors, such as stating that the CLI command line to backup a secret is the same as the one to backup a key. Someone needs to review and correct this article.

    1 vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Other  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1 3 4 5 6
  • Don't see your idea?

Feedback and Knowledge Base