Azure Key Vault
Centrally manage secrets, keys, and certificates.
Key Concepts
- Secrets — connection strings, passwords, API keys
- Keys — RSA/EC cryptographic keys (hardware or software-backed)
- Certificates — TLS/SSL certificates with auto-renewal
SKUs
| Feature | Standard | Premium |
|---|---|---|
| Software-protected keys | ✅ | ✅ |
| HSM-protected keys | ❌ | ✅ |
| Price | Lower | Higher |
Access Control
- RBAC (recommended) — Azure role assignments at vault/key/secret level
- Access policies (legacy) — vault-level permissions per identity
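```bash
# Create the Key Vault
az keyvault create --name kv-dp300 --resource-group rg-dp300 --location eastus

# Store a secret. A literal --value is recorded in shell history;
# the --file option reads the secret value from a file instead.
az keyvault secret set --vault-name kv-dp300 --name "SqlPassword" --value "<YOUR_PASSWORD>"

# Retrieve a secret (prints only the secret value, in plain text, to stdout)
az keyvault secret show --vault-name kv-dp300 --name "SqlPassword" --query value -o tsv
```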
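An added example, not part of the original notes or of any Microsoft tooling: an offline audit that applies the Access Control and SKU distinctions above to vault descriptions shaped like `az keyvault show` output. The vault names, the object ID and the `audit_vault`/`audit` helpers are constructed for illustration.

```python
import json

# Constructed sample in the shape of `az keyvault show` output (all values made up).
SAMPLE_VAULTS = json.loads("""[
  {"name": "kv-example-rbac", "properties": {
     "sku": {"name": "premium"}, "enableRbacAuthorization": true, "accessPolicies": []}},
  {"name": "kv-example-legacy", "properties": {
     "sku": {"name": "standard"}, "enableRbacAuthorization": false,
     "accessPolicies": [{
       "objectId": "00000000-0000-0000-0000-000000000001",
       "permissions": {"secrets": ["Get", "List", "Set", "Delete"],
                       "keys": ["Get", "WrapKey", "UnwrapKey"],
                       "certificates": []}}]}}
]""")

# Access-policy operations that change or destroy vault contents.
WRITE_OPS = {"set", "delete", "purge", "create", "import", "update", "restore", "recover"}


def audit_vault(vault, needs_hsm_keys=False):
    """Return a list of findings for one vault description."""
    props = vault.get("properties", {})
    findings = []
    sku = (props.get("sku") or {}).get("name", "")
    if needs_hsm_keys and sku.lower() != "premium":
        findings.append("sku: HSM-protected keys require the Premium SKU")
    if props.get("enableRbacAuthorization"):
        return findings  # RBAC model: access comes from Azure role assignments
    findings.append("access-model: legacy access policies (vault-level permissions)")
    for policy in props.get("accessPolicies") or []:
        # An access policy applies to every object of that type in the vault.
        for kind, ops in sorted((policy.get("permissions") or {}).items()):
            risky = sorted({op.lower() for op in ops or []} & WRITE_OPS)
            if risky:
                findings.append(
                    f"{policy['objectId']}: {'/'.join(risky)} on all {kind} in the vault")
    return findings


def audit(vaults, needs_hsm_keys=False):
    """Map each vault name to its findings."""
    return {v["name"]: audit_vault(v, needs_hsm_keys) for v in vaults}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_VAULTS, needs_hsm_keys=True).items():
        print(name, "- no findings" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

To run it against a real vault, replace `SAMPLE_VAULTS` with a list holding the parsed JSON from `az keyvault show --name <vault>`.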
🎯 Exam Focus
Key Vault is critical for DP-300 — it stores TDE customer-managed keys, Always Encrypted column master keys, and connection strings. Know how RBAC (recommended) differs from Access Policies.
What 3 types of objects does Key Vault store?
Secrets, Keys, and Certificates