Q. In Azure Key Vault can I read keys and secrets?
A. Azure Key Vault can store several types of data, and what you can do with each differs:
- Secrets - These are pieces of data, for example a connection string, that are stored in Azure Key Vault and can also be read back from it. This is useful for applications because they don't have to store secrets in the application itself; the secrets can be fetched from the Key Vault instead.
- Keys - These are keys (such as RSA asymmetric keys) that, once loaded into the HSM, cannot be exported. They must be used within the service itself. For example, a request can be made to the service to perform a cryptographic function using the key in the HSM, and the resulting value is returned.
- Certificates - These are keys packaged in a certificate format, and Key Vault can manage the lifecycle of the certificate. The private key in the certificate is set as exportable or non-exportable at the time the Azure Key Vault certificate is created.
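
The three access patterns above, as an added example using the Azure SDK for Python (this is not code from the original answer). The vault URL and object names are supplied by the caller, the key is assumed to be an RSA key, and the helper function names are hypothetical.

```python
import hashlib


def read_secret(secret_client, name):
    """Secrets: the stored value itself comes back to the caller."""
    return secret_client.get_secret(name).value


def sign_with_key(crypto_client, algorithm, message):
    """Keys: only a digest goes to the service and only a signature returns."""
    digest = hashlib.sha256(message).digest()
    return crypto_client.sign(algorithm, digest).signature


def private_key_exportable(cert_client, name):
    """Certificates: exportability is read from the policy set at creation."""
    return cert_client.get_certificate(name).policy.exportable


def main(vault_url, secret_name, key_name, cert_name):
    # SDK imports live here so the helpers above load without the Azure packages.
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient
    from azure.keyvault.keys import KeyClient
    from azure.keyvault.keys.crypto import CryptographyClient, SignatureAlgorithm
    from azure.keyvault.certificates import CertificateClient

    cred = DefaultAzureCredential()
    secret = read_secret(SecretClient(vault_url=vault_url, credential=cred), secret_name)

    # get_key returns the key's identifier and public part; signing happens in the service.
    key = KeyClient(vault_url=vault_url, credential=cred).get_key(key_name)
    crypto = CryptographyClient(key, cred)
    signature = sign_with_key(crypto, SignatureAlgorithm.rs256, b"constructed sample message")

    certs = CertificateClient(vault_url=vault_url, credential=cred)
    exportable = private_key_exportable(certs, cert_name)

    # Report lengths only, so the secret value never reaches the console or logs.
    return {"secret_length": len(secret), "signature_length": len(signature),
            "certificate_key_exportable": exportable}


if __name__ == "__main__":
    import sys
    print(main(*sys.argv[1:5]))
```

Run it as a script with four arguments: the vault URL, then the secret, key and certificate names.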