Azure Key Vault
Support key derivation function for ECDH
Add the possibility to use EC keys also for key derivation like in this example: https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.ecdiffiehellmancng?view=dotnet-plat-ext-5.0#examples
It seems that other Cloud HSM are able to do this: https://docs.aws.amazon.com/cloudhsm/latest/userguide/pkcs11-mechanisms.html#pkcs11-mech-annotations-5
1 vote -
Hi, the subscription name should be copied to Log Analytics so we can easily answer with the name for any query.
Log Analytics
1 vote -
Setting minimum TLS version
Key Vaults should let users determine the minimum TLS version to use. This is in line with many other Azure services (e.g. Web Apps, Functions, SQL), increases security and is more future proof (TLS 1.0 and 1.1 are quite old).
6 votes -
Within documentation or in the product overview pages include a list of other Azure services that are dependencies for Key Vault
When large organizations adopt cloud services they may evaluate the cloud service in depth, along with all other cloud services that must or may be adopted as dependencies of the primary service being planned for use. An example is that when adopting Azure Key Vault a customer will be required to adopt Azure Active Directory if not already adopted, and therefore adopting Key Vault will necessitate an in-depth security assessment of Azure AD in addition to Key Vault.
Currently Microsoft does not list dependencies of any kind on the product web pages of all the many Azure services. This obliges…
1 vote -
Key Vault performance issue breaks Azure Functions
When retrieving the Azure Functions host key, the service sometimes returns a GatewayTimeout error.
The Azure Web App support team analyzed the issue and identified a Key Vault performance issue as the root cause.
"More specific, the related KeyVault API call took longer than expected. As a result of this issue, the related function site failed to be started properly so “ListKey” threw out “Timeout” exception [...]"
Please vote for implementing "Key Vault Reference Perf Improvements".
5 votes -
HMAC signing
As an application developer, I have had a number of situations where HMAC signing has been a key part of application security, such as:
- Signing “local” session tokens (JWT, cookies, etc)
- Third-party integrations (API authentication)
- Integrity of data at rest
In many of these scenarios, ECC signing is either too heavy or not possible due to third-party dependencies. For scenarios where the same Key Vault can do the signing and verification, it would be ideal for us to be able to either generate or import a symmetric key in Key Vault for use with HMAC.
This would allow us to…
1 vote -
Remove option to toggle IP config from dynamic to static
As per documentation: "When creating a private endpoint, a read-only network interface is also created for the lifecycle of the resource. The interface is assigned dynamically private IP addresses from the subnet that maps to the private link resource. The value of the private IP address remains unchanged for the entire lifecycle of the private endpoint."
However, the system now lets you go into the NIC, go into the IP config and toggle the IP settings from dynamic to static. This is not allowed by the system and results in an error when saving. Please remove this option from here…
1 vote -
Multi-Region Key Vault
Currently, Key Vault only supports one single region via a collocation constraint, but there are use cases in which having a multi-region Key Vault is necessary, such as Encryption Scope.
What I am suggesting is to implement a version of Key Vault which supports multiple regions instead of just one.
1 vote -
Is there a way to programmatically create a key vault?
I need to be able to programmatically create a key vault in code (C#). But I don't see any documentation that will allow me to do that except for az.
1 vote -
On Prem AKV
Even with premium, AKV is placed in the Microsoft Datacenters. That is the main reason customers don't want to have both data and keys on the same cloud or with the provider, which is Microsoft.
This is a much bigger problem in the EU. Why can't Microsoft create AKV as a device which customers can buy and put in their own data center? Add it as a registered device in the Azure subscription, and then it provides the same interface and API.
2 votes -
Configure key vault managed storage accounts via ARM template
This link describes configuring Key Vault managed storage accounts with PowerShell.
https://docs.microsoft.com/en-us/azure/key-vault/secrets/overview-storage-keys-powershell
If we could do the same in an ARM template, it would reduce deployment complexity and allow us to leverage the functionality in air-gapped environments.
16 votes -
Offer Logic App as a choice in the Event Endpoint dropdown
When you are creating a new Event Subscription you should be able to choose Logic App as a possible option for the Event Handler / Endpoint Type.
3 votes -
Enable compound identity access using az cli
Per https://github.com/MicrosoftDocs/azure-docs/issues/49362 - currently az cli does not allow setting compound identity access to a key vault.
3 votes -
Allow "Microsoft.KeyVault/vaults/accessPolicies/write" permission to work without having to also assign "Microsoft.KeyVault/vaults/write"
At present "Microsoft.KeyVault/vaults/accessPolicies/write" is insufficient to block or enable a user from modifying the access policy of the key vault.
To block or enable access policy changes you have to add "Microsoft.KeyVault/vaults/write" as well. This means that we cannot properly apply least privilege to users whom we just want to block from, or allow to, modify access policies only.
3 votes -
API for creating a new version of a key instead of using the same create key command to create a key
The command to create a new version of a key is the same command as create key. It has been tested that the same key name entered with different cases (e.g. apple, APPLE, APPle) does create a new version using the new key command.
Can the commands for new key and new version be separated for API calling? The new key command should check for an existing key before creation, and create new version should be for creating a new version of the key.
1 vote -
Missing "import" key operation
Hello everyone,
I am trying to use BYOK for HSM, following the steps in the article: https://docs.microsoft.com/en-us/azure/key-vault/hsm-protected-keys-vendor-agnostic-byok
But I can't find the "import" key operation as mentioned, even using PowerShell.
Any help?
1 vote -
BYOK: Enable HSM and Key Vault traceability
When using the BYOK procedure, after uploading your HSM-generated key to the Key Vault there is zero traceability to confirm that what was uploaded in the cloud is actually what you have originally generated with your nCipher HSM.
The solution is very simple - nCipher HSMs already generate hashes for the generated keys in the security world metadata; AKV should store / display the hash after successful upload so you can verify your keys at any time. Otherwise the following attack scenario is possible (if unlikely):
Prerequisites:
* Knowledge of the attack target's subscription ID (not particularly confidential information at…
1 vote -
Key Vault replication & backup/restore secret update
TLDR: I want the possibility to overwrite already existing secrets with the Restore-AzKeyVaultSecret/Key/Certificate to allow for replication in the customers control.
According to the Key Vault documentation, Azure Key Vault provides a 99.9% availability percentage, and replication to the paired region takes place to ensure customers can continue using their Key Vaults in read-only mode after a failover.
However, this is a situation a customer does not and cannot control. This means that a customer has to wait until Microsoft declares a disaster and fails over the vaults to the paired region. I would like it if we would…
8 votes -
Allow Azure services and resources to access this key vault
It should be possible to select "Allow Azure services and resources to access this key vault" in Networking.
As of today, you can only select:
Option 1) "Allow trusted Microsoft services to bypass this firewall"
Option 2) "IPv4 address"
Option 3) "Virtual networks"
A scenario is: you have an Azure WebApp, and Identity is set to off.
Then the WebApp is not a "trusted Microsoft service", therefore option 1 is not usable. Option 2, the IP address solution, is not usable when you have many WebApps and many key vaults; in our case we would then have to manually handle over 1000…
3 votes -
Microsoft Security World Information for Key Vault
I would like to see the security world package information for the Key Vault in the Key Vault information so that it is easier to deduce the package to use. This must be made available in Az PowerShell, CLI, SDK and via the REST APIs.
Get-AzureRmKeyVault -VaultName Bxxxxxxxp
VaultUri : https://bxxxxxxxp.vault.azure.net/
TenantId : 0b98xxxx-xxxx-xxxx-xxxx-xxxxxxxxf102
TenantName : 0b98xxxx-xxxx-xxxx-xxxx-xxxxxxxxf102
Sku : Premium
EnabledForDeployment : False
EnabledForTemplateDeployment : False
EnabledForDiskEncryption : False
EnableSoftDelete :
OriginalVault : Microsoft.Azure.Management.KeyVault.Models.Vault
ResourceId : /subscriptions/2ed3xxxx-xxxx-xxxx-xxxx-xxxxxxxxf1f7/resourceGroups/Bxxxxxxxp/providers/Microsoft.KeyVault/vaults/Bxxxxxxxp
VaultName : Bxxxxxxxp
ResourceGroupName : Bxxxxxxxp
Location : westeurope
Tags : {}
TagsTable :
SecurityWorldRegion : Europe | France | Germany etc.> Name of…
1 vote