Azure Key Vault Keys

Keys in Azure Key Vault (KV):

are protected by KV Software or stored in HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing (BYOKBring Your Own Key are always stored in HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing).
are versioned objects.
may include dash "-" character in a key name. Other special characters are forbidden.

KV Key Types

The following table summarizes supported KV key types and BYOKBring Your Own Key / non-BYOKBring Your Own Key key creation options.

Key type	Size/Curve	non-BYOK	BYOK
RSA	2048, 3072, 4096	√	√
EC	P256, P384, P521, SECP256K1	√	√

Reference:

Azure Key Types

KV Crypto Operations and Algorithms

The following table summarizes UID-based crypto operations supported by Azure.

Key type	Decrypt/Encrypt	Sign/Verify	Wrap/Unwrap
RSA	√	√	√
ECCElliptic-curve cryptography - an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields		√	√

Note: When generating or importing the external keystore key via CORE, it is sufficient to specify Decrypt to enable both Decrypt and Encrypt. The same applies to Sign and to Unwrap. See Azure KV Key Operations.

RSA (RSA algorithms) for Keys 2K, 3K, 4K

Decrypt and Unwrap: PKCSPublic-Key Cryptography Standards - Industry-standard cryptography specifications.-V1_5; OAEPOptimal Asymmetric Encryption Padding - A padding scheme often used together with RSA encryption of symmetric keys. with SHA1; OAEPOptimal Asymmetric Encryption Padding - A padding scheme often used together with RSA encryption of symmetric keys. with SHA256

Sign: PSSprobabilistic signature scheme. Abbreviation of RSASSA-PSS with SHA256, SHA384, and SHA512; PKCSPublic-Key Cryptography Standards - Industry-standard cryptography specifications.-V1_5 SHA256, SHA384, and SHA512
ECCElliptic-curve cryptography - an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields (EC algorithms)

Sign: P256 with sha256; P384 with sha384; P521 with sha512; SECP256k1 with sha256

KV Key Management Operations

The following table compares CORE and KV key management options and references Key Vault documentation for further details.

Operation	CORE	KV	Comment / Differences	Reference
Generate	√	√	Creating a key with the existing name in KV generates a new version of a key.	Create Key
Import	√	√	Importing a key with the existing name in KV generates a new version of a key. BYOKBring Your Own Key keys are imported to HSMHardware Security Module - a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing associated with KV. Requires "Key Vault Premium SKU".	Import Key BYOK Import
Key policy	≈	≈	CORE provides a fine-grain policy down to the level of specifying permitted and restricted operations and algorithmic parameters (size, hash, padding, mode). The policy is defined for each partition, and it applies to all keys in the partition. KV crypto-operation policy is per key.
Delete / Destroy	√	√	CORE provides three flavors of delete: Revoke, Discard and Delete. All actions are non-reversible. Upon its creation, a key is marked as 'purgeable'. It allows erasing the key by a privileged user or by the system at the end of its retention period. KV provides Delete and Purge options: The delete decision may be reversed. The purge is final. When applied to a rotated key, it impacts all keys in the chain.	Delete Key Deletion Recovery Level Purge Key
Cancellation of Delete		√	Once a deleted key is restored in KV, you can link to it from the CORE. A BYOKBring Your Own Key becomes a linked key.	Soft Delete
Activate / Revoke	√	√	KV allows specifying 'not before' and 'expiry" dates	Update Key
Enable	√	√
Disable	√	√
Rekey / Rotate	√	≈	A key must be rotated only by KV. KV maintains all rotated keys as versions of the original key. Linked keys in CORE allow tracking the linked list of the rekeyed keys.	Key Rotation
Get Info	√	√	KV key metadata includes: time parameters: created, updated, not before, not after recovery parameters: soft-delete retention days, privileges required to recover a key.	Get Key Key attributes
Get Public	√	√	KV requires specifying the key version.	Get Key
Get Private	√		Exporting of private or secret material from Azure is not supported.
Backup / Restore	≈	√	KV allows backup of individual keys for transfer to another key vault. KV also provides 'full' backup to Azure storage containers. CORE provides full backup and secure transfer of keys to/from the air-gapped vault.	Key Backup Full Backup

Note: the ≈ sign indicates the availability of alternatives.