Microsoft Azure Key Vault is a cloud-hosted management service that allows users to encrypt keys and small secrets by using keys that are protected by hardware security modules (HSMs). Small secrets are data smaller than 10 KB, such as passwords and .PFX files. An HSM is a secure, tamper-resistant piece of hardware that stores cryptographic keys. Keys can also be imported or generated in HSMs that have been certified to FIPS 140-2 level 2 standards.
Neither applications nor Microsoft have direct access to keys, and users grant permissions for their own and third-party applications to use the keys as needed. Applications written with the Azure Storage software development kit (SDK) can encrypt data automatically with a master key in the key vault. The Azure Storage SDK allows developers to build Azure applications that take advantage of scalable cloud computing resources. Users can also deploy certificates to Azure VMs and manage the certificates separately from the VM image.
Azure Key Vault first became available as a public preview in January 2015 and became generally available in June 2015. It is available in Standard and Premium service tiers. There is no setup fee, and users are billed for operations and keys.
Secrets, software-protected keys and HSM-protected keys are currently billed at a flat rate of $0.03 per 10,000 operations. A successfully authenticated RESTful API call counts as one operation. Key operations include create, import, get, encrypt and decrypt. Secret operations include create, update, list and get. Each key generated or imported in an Azure Key Vault costs $1 per month if it was used at least once in the last 30 days. Pricing is subject to change.