

Key Vault is now generally available

[For those new to Azure Key Vault, please take a peek at prior blogs to catch up: Azure Key Vault - Making Cloud Safer and What is Azure Key Vault?]

Hi everyone,

We are excited to announce a few important things today!

First, the General Availability (GA) of Azure Key Vault. You can now use the service in your production deployments! This means we're now backed by the standard Azure Service Level Agreement and Azure support plan. Thanks to the many of you who asked (demanded) that we prioritize offering an SLA over adding new features. Done! We'll now continue to enrich it with many new features over the coming months.... Azure portal user interface and logging being the next two.  

Next, the Azure Key Vault is now available in many more places!

  • More Regions. We've more than doubled the regions since preview.
  • More API Platforms. For the .NET folks, we've released a set of NuGet packages incorporating common tasks. For Node.js lovers, we have a new preview SDK.
  • More OSes. You will be able to manage your key vaults from Linux and OS X with tomorrow's release of the Azure CLI. Also, PowerShell cmdlets are now complete (the scripts are gone).

Last, but not least, we're integrated in more popular Azure workloads!

  • Azure Storage client-side encryption
  • Azure VM certificates
  • Azure Disk Encryption Management for Windows and Linux VMs (coming real soon)
  • Brocade Virtual Traffic Manager
  • CloudLink SecureVM (now part of EMC)
  • SQL Server Transparent Database Encryption

As you can see, we've been super busy. Thank you all for your detailed and emphatic feedback -- we really appreciate the partnership we have with you all. If you have more feedback, send email to AzureKeyVault@microsoft.com (pls don't use twitter... we can't say much with 143 chars).  

Below we have Amit from our team describing each of the above in detail.

In closing, we got feedback that you wanted us to author more Getting-Started style blog posts, specifically in the context of your common scenarios. We'll do exactly that and tweet about them when published here. We'll start with these topics:

  • Encrypt the data before you place it in Azure Storage
  • Improve the security of your Azure VM with just-in-time certificate provisioning
  • Simplify certificate management of Azure VMs
  • Enhance the hygiene of secrets used in your line-of-business applications
  • Encrypt both your OS and Data volumes, on both Windows and Linux
  • Protect the SSL keys used in our partner Brocade's Virtual Traffic Manager

and, if you want others, just tweet or email us!

As usual, we value your input, so please take a moment to follow us, join our advisory board, send us private feedback, and/or visit our forum.

Cheers,

Dan on behalf of the Key Vault team.

Hi this is Amit.

I am excited to share with you more details about today's announcements. Let's get started!

Key Vault available in more regions

Key Vault is now available in 7 additional regions, bringing the total to the 13 regions world-wide listed below. Australia is the only one missing, but we'll add it in the coming months.

Geography       Azure Region
USA             East US, North Central US, Central US, East US 2, South Central US, West US
Europe          North Europe, West Europe
Asia Pacific    East Asia, Southeast Asia
Japan           Japan East, Japan West
Brazil          Brazil South

Key Vault available in more workloads

In previous posts we shared how you can centrally manage your master encryption keys used for Microsoft SQL Server and for CloudLink SecureVM. Here are those posts:

Since then more workloads have announced integration with Azure Key Vault giving you, the customer, control over your keys:

  • Azure Storage encryption -  An often-requested feature is now in preview! With the latest Azure Storage client library for .Net, applications can configure the library to automatically encrypt data before sending it to the Azure Storage service, and automatically decrypt it when reading back. Applications can configure the library to use a master encryption key stored in a key vault. This feature is called client-side encryption and is currently in preview.

    Check out the announcement from April, technical details, and tutorial.

  • Azure VM certificates - Many VMs need certificates deployed into the VM for a variety of reasons – SSL, authentication, encryption, WinRM. Instead of embedding those certificates into the disk image, it is desirable to deploy them from a central location, just-in-time when the VM starts up. This makes it easier to manage and rotate those certificates, and it also reduces the risk of accidental leakage. This is now possible with VMs deployed through the new Azure Resource Manager. To do this, create a key vault and add your certificates to that key vault. Then configure your VM deployment templates to point to those certificates. When those VMs are deployed, Azure will automatically install those certificates into the specified VMs. This is a great example of use of the secrets feature in Azure Key Vault, where you use Azure Key Vault for secure storage and provisioning rather than for cryptographic operations.

    Here's a deployment template example. And here's an example template for WinRM. An upcoming post on this blog will describe this in detail. 

  • Azure Disk encryption for Windows and Linux VMs: At the Ignite conference in May, Microsoft announced and demonstrated an upcoming capability that will let you encrypt all of your Virtual Machine disks including the boot and data disks, for both Windows and Linux VMs. You manage the master encryption key in your own key vault.

    A release date for this feature has not been announced yet (but it's coming soon!)

  • Brocade recently announced that their Virtual Traffic Manager (aka vTM) permits SSL offload where the SSL key is in your key vault. For those not familiar with the product, the Brocade Virtual Traffic Manager is a software-based Layer 7 application delivery controller designed to deliver a faster, higher-performance, secure user experience, with more reliable access to public websites and enterprise applications, while maximizing the efficiency and capacity of web and application servers.

    In coming weeks we'll blog more details.

The above teams started with us early on and helped us shape our SDK. Now, with the very simple Azure Key Vault SDK pattern, others are on-boarding by themselves! A great example is Ascertia, a small 50-person UK company, which was able to offer Key Vault as a key storage/management option in their ADSS (PKI) and SigningHub (document signing/workflow) products, so that their customers can protect their keys with FIPS 140-2 Level 2+ HSMs.

Many other Microsoft services are in the process of offering customer-managed keys via Azure Key Vault. If there is a specific application you cannot wait for, please drop us a note at AzureKeyVault@microsoft.com.

Key Vault Library for .Net available as a set of NuGet packages

Azure Key Vault Library for .Net is now available as a set of NuGet packages. This largely replaces the Azure Key Vault sample code that was released earlier and also incorporates some common usage patterns that we left to the application developer earlier. NuGet is the package manager for the Microsoft development platform including .NET. The NuGet client tools provide the ability to produce and consume packages. 

  • Microsoft Azure Key Vault Library - A wrapper for interfacing with the Key Vault REST API.

  • Microsoft Azure Key Vault Management Library - A wrapper for managing Key Vault using the Azure Resource Manager REST API.

  • Microsoft Azure KeyVault Core - IKey and IKeyResolver interfaces. An abstraction layer that allows developers to implement different key providers. This library is in preview at this time.

  • Microsoft Azure Key Vault Extensions - Depends on the above two packages. Provides an implementation of IKey and IKeyResolver that uses Azure Key Vault keys and secrets. Also provides cryptographic algorithms including AesCbc, AesKw, AesCbcHmacSha2, Rsa15 and RsaOaep, and local RSA and symmetric key implementations. This library is in preview at this time.

The ‘KeyVault.Extensions’ NuGet package is also used by the Azure Storage client-side encryption that was announced as a preview at the Build 2015 conference.
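The client-side encryption feature and the IKey/IKeyResolver abstraction described above both rest on one pattern: encrypt each blob with a fresh data key, wrap that data key with a master key, and store the master key's id next to the ciphertext so a resolver can find the right key later, including after rotation. The following is an added illustration of that pattern, not code from the original post or from the Key Vault SDK. It is stdlib-only: the master key is a local in-memory stand-in for a Key Vault key (in the real service the wrap/unwrap happens inside Key Vault and the key material never leaves it), the data cipher is a hash-based stream cipher with an HMAC tag standing in for AesCbcHmacSha2, and the key ids and key versions are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# --- toy data cipher: illustration only, stands in for AES-CBC + HMAC-SHA2 ---

def _subkey(key, label):
    # Separate encryption and MAC subkeys derived from one input key.
    return hashlib.sha256(label + key).digest()

def _keystream(key, nonce, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def _seal(key, plaintext):
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def _open(key, blob):
    """Verify the tag first, then decrypt; any modification is rejected."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: blob modified or wrong key")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

# --- IKey / IKeyResolver analogues ---

class LocalMasterKey:
    """Stand-in for a Key Vault key (hypothetical class): only wraps and unwraps data keys."""
    def __init__(self, kid, key_bytes):
        self.kid = kid          # e.g. https://<vault>.vault.azure.net/keys/<name>/<version>
        self._key = key_bytes   # in Key Vault this material never leaves the service

    def wrap_key(self, dek):
        return _seal(self._key, dek)

    def unwrap_key(self, wrapped):
        return _open(self._key, wrapped)

class KeyResolver:
    """Map the key id stored with a blob to the key object that can unwrap its data key."""
    def __init__(self):
        self._keys = {}

    def register(self, key):
        self._keys[key.kid] = key

    def resolve(self, kid):
        try:
            return self._keys[kid]
        except KeyError:
            raise KeyError("no key registered for " + kid) from None

def encrypt_blob(master, plaintext):
    """Envelope-encrypt: fresh data key per blob, wrapped by the master key; kid travels with the data."""
    dek = secrets.token_bytes(32)
    body = _seal(dek, plaintext)
    metadata = {"kid": master.kid, "wrapped_dek": master.wrap_key(dek).hex()}
    return metadata, body

def decrypt_blob(resolver, metadata, body):
    master = resolver.resolve(metadata["kid"])
    dek = master.unwrap_key(bytes.fromhex(metadata["wrapped_dek"]))
    return _open(dek, body)

def demo():
    """Round trip, then rotate the master key; old blobs still open because their kid is stored."""
    base = "https://contosokeyvault.vault.azure.net/keys/ContosoFirstKey/"  # constructed
    v1 = LocalMasterKey(base + "version1-placeholder", secrets.token_bytes(32))
    v2 = LocalMasterKey(base + "version2-placeholder", secrets.token_bytes(32))
    resolver = KeyResolver()
    resolver.register(v1)
    meta_old, body_old = encrypt_blob(v1, b"customer record 42")
    resolver.register(v2)   # rotation: new writes use v2, v1 stays resolvable for old data
    meta_new, body_new = encrypt_blob(v2, b"customer record 43")
    return {
        "old": decrypt_blob(resolver, meta_old, body_old),
        "new": decrypt_blob(resolver, meta_new, body_new),
        "old_kid": meta_old["kid"],
        "new_kid": meta_new["kid"],
    }

if __name__ == "__main__":
    print(demo())
```

The point to take from the structure rather than the toy cipher: the application never sees the master key, only the data key, and rotation is a matter of registering a new key version with the resolver while the old version stays available for blobs that still reference it.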

Azure SDK for Node.js includes Key Vault

A preview of Azure SDK for Node.js for Key Vault is now available. See Key Vault and Key Vault Management. Please try it out and send us feedback.

Azure Cross-Platform Command-Line Interface now includes Key Vault commands

Tomorrow's release (0.9.5, releasing on June 25, 2015) of Azure Cross-Platform Command-Line Interface (CLI) includes Key Vault commands. So those of you using Linux or OS X on your primary workstation can manage your key vaults directly from there.

The latest release supports a new sub-command 'keyvault' that offers the same functionality as the Azure PowerShell Key Vault cmdlets. Use the help function to get help and usage for the 'keyvault' sub-command. Here's a quick synopsis of the 'keyvault' sub-commands.

  • To create a new key vault:
    azure keyvault create --vault-name 'ContosoKeyVault' --resource-group 'ContosoResourceGroup' --location 'East Asia'

  • To create a new key in this vault:
    azure keyvault key create --vault-name 'ContosoKeyVault' --key-name 'ContosoFirstKey' --destination software

  • To create a secret:
    azure keyvault secret set --vault-name 'ContosoKeyVault' --secret-name 'SQLPassword' --value 'Pa$$w0rd'

  • To list keys:
    azure keyvault key list --vault-name 'ContosoKeyVault'

  • To list secrets:
    azure keyvault secret list --vault-name 'ContosoKeyVault'

Azure PowerShell now includes the full set of Key Vault cmdlets

The latest release of Azure PowerShell includes cmdlets to create and manage key vaults. During preview that functionality was available via scripts (called 'Key Vault Manager') that needed to be downloaded separately. You no longer need to download those scripts; in fact that download site is now retired and will be removed shortly.

The Key Vault cmdlets also support new features we talked about in our last blog (listing keys and secret versions, tags etc.).

Azure Key Vault has a new REST API version

With the service now generally available, Azure Key Vault has a new REST API version 2015-06-01 without the preview label. 

If you are a developer who built your application with one of the preview versions of the Azure Key Vault REST API, please upgrade your application to the latest version.

Preview versions of REST API (2014-12-08-preview and 2015-02-01-preview) will be supported through September 30, 2015.

Frequently asked questions and answers

Q: What is the latest version of REST API now?
A: Latest REST API version is 2015-06-01.

Q: What are the new features/changes in the REST API version 2015-06-01?
A: There are no changes between version 2015-02-01-preview and 2015-06-01. The version was changed and the -preview suffix was dropped to signal the production version.

Q: How long will the preview versions of REST API be supported?
A: Preview versions of REST API (2014-12-08-preview and 2015-02-01-preview) will be supported through September 30, 2015. Please migrate your existing applications to use the latest REST API version 2015-06-01.

Q: What happens to all the key vaults I've created during preview?
A: All the vaults created during preview will continue to work. It is recommended that you switch to using the latest REST API version 2015-06-01 as soon as possible.
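The REST API version section and the FAQ above ask developers to move applications from the 2014-12-08-preview and 2015-02-01-preview versions to 2015-06-01 before September 30, 2015. As an added example, not code from the original post or from the Key Vault SDK, here is a small audit helper that takes Key Vault request URLs (as they might be found in application configuration or proxy logs), checks that they really point at a Key Vault host, classifies their api-version, and produces the rewritten GA URL. The sample URLs, vault name and version strings are constructed.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

GA_API_VERSION = "2015-06-01"
PREVIEW_API_VERSIONS = {"2014-12-08-preview", "2015-02-01-preview"}  # supported through Sept 30, 2015
VAULT_HOST_SUFFIX = ".vault.azure.net"
OBJECT_TYPES = {"keys", "secrets"}

def parse_object_id(url):
    """Split https://<vault>.vault.azure.net/<keys|secrets>/<name>[/<version>] into parts.

    Rejects non-https URLs and hosts outside the Key Vault domain so a misconfigured
    endpoint is caught before any request is made. Any query string is ignored here.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit lowercases the hostname
    if parts.scheme != "https" or not host.endswith(VAULT_HOST_SUFFIX):
        raise ValueError("not an https Key Vault URL: " + url)
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) not in (2, 3) or segments[0] not in OBJECT_TYPES:
        raise ValueError("unexpected object path: " + parts.path)
    return {
        "vault": host[: -len(VAULT_HOST_SUFFIX)],
        "type": segments[0],
        "name": segments[1],
        "version": segments[2] if len(segments) == 3 else None,
    }

def classify_api_version(url):
    """Return 'ga', 'preview', 'missing' or 'unknown' for the api-version query parameter."""
    version = dict(parse_qsl(urlsplit(url).query)).get("api-version")
    if version == GA_API_VERSION:
        return "ga"
    if version in PREVIEW_API_VERSIONS:
        return "preview"
    if version is None:
        return "missing"
    return "unknown"

def with_ga_api_version(url):
    """Return the same request URL with api-version set to the GA version; other parameters kept."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query))
    query["api-version"] = GA_API_VERSION
    return urlunsplit(parts._replace(query=urlencode(query)))

def audit(urls):
    """Group request URLs by api-version status; each entry is (original, rewritten-to-GA)."""
    report = {"ga": [], "preview": [], "missing": [], "unknown": []}
    for url in urls:
        parse_object_id(url)  # fail loudly on anything that is not a Key Vault object URL
        report[classify_api_version(url)].append((url, with_ga_api_version(url)))
    return report

# Constructed sample inputs, not taken from a real deployment.
SAMPLE_URLS = [
    "https://contosokeyvault.vault.azure.net/secrets/SQLPassword?api-version=2015-02-01-preview",
    "https://contosokeyvault.vault.azure.net/keys/ContosoFirstKey?api-version=2015-06-01",
    "https://contosokeyvault.vault.azure.net/keys/ContosoFirstKey/version1-placeholder?api-version=2014-12-08-preview",
]

if __name__ == "__main__":
    for status, entries in audit(SAMPLE_URLS).items():
        for original, rewritten in entries:
            print(status, original, "->", rewritten)
```

Running the audit over your own configuration before the preview cut-off turns the migration into a list of concrete URLs to change, and the host check guards against the separate mistake of pointing a client at something that merely looks like a vault.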

Thank you,

Amit on behalf of the Key Vault team.
