What are the primary objects managed by Azure Key Vault: secrets, keys, and certificates?
Discover what objects Azure Key Vault is designed to store, such as secrets, keys, and certificates. Learn why larger resources like encrypted virtual machines are managed elsewhere in Azure, even when their encryption keys are stored in the vault.
Question
Which of the following is NOT a type of object that can be stored in Azure Key Vault?
A. API keys
B. Digital certificates
C. Passwords
D. Encrypted virtual machines
Answer
D. Encrypted virtual machines
Explanation
Azure Key Vault does not store encrypted virtual machines. It can store encryption keys used for encrypting VMs, but the VMs themselves are stored in Azure Storage. For more information, please refer to the “Azure Key Vault – Overview” lecture.
Azure Key Vault is a secure cloud service for managing and safeguarding secrets, cryptographic keys, and certificates. It serves as a centralized, secure repository but is specifically designed for small, sensitive data objects, not large compute resources or their data files.
Key Vault manages three primary types of objects:
- Cryptographic Keys: Key Vault can store and manage cryptographic keys used for encryption, signing, and other operations. These keys can be protected in software or within FIPS 140-2 Level 2 validated Hardware Security Modules (HSMs). Services like Azure Disk Encryption use keys stored in Key Vault to encrypt and decrypt the disks of virtual machines, but the keys are stored separately from the disks themselves.
- Secrets: This is a generic category for any small piece of sensitive information (up to 25 KB in size) that you want to secure. This includes items like API keys, passwords, database connection strings, and other credentials. Options A and C fall into this category.
- Certificates: Key Vault provides comprehensive management for TLS/SSL certificates. It can handle the entire lifecycle of certificates, including enrollment with public Certificate Authorities, automatic renewal, and deployment to Azure resources. This makes option B a valid object type.
Analysis of Incorrect Options
The fundamental distinction is that Key Vault stores the keys to lock a safe, but it does not store the safe itself.
A. API keys: These are a common type of credential stored as secrets in Azure Key Vault.
B. Digital certificates: These are a primary object type that Key Vault is designed to manage.
C. Passwords: Like API keys, passwords are a typical use case for secrets stored in Key Vault.
D. Encrypted virtual machines: A virtual machine is a complex compute resource consisting of configuration files and virtual hard disks (VHDs). These VHDs are stored in Azure Storage. While the encryption keys used to encrypt the VM’s disks are stored and managed in Key Vault, the encrypted VM itself resides in Azure’s compute and storage infrastructure, not within the key vault.
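The following Azure PowerShell (Az module) script is an added example, not part of the original question or Microsoft's own material. It creates one object of each Key Vault type (a secret, a key, and a certificate) and then enables Azure Disk Encryption on an existing VM, so you can see that the VM's disk stays a compute/storage resource while only the key and the disk-encryption secret live in the vault. The resource group, vault, VM and certificate subject names are placeholders; the script assumes you are already signed in with Connect-AzAccount and that the resource group and VM exist.

```powershell
# Added example (not from the original page): the three Key Vault object types side by side,
# followed by Azure Disk Encryption referencing the vault. Assumes the Az PowerShell module,
# an existing resource group and VM. All names below are placeholders.
$rg        = 'rg-keyvault-demo'      # placeholder resource group (assumed to exist)
$vaultName = 'kv-demo-placeholder'   # placeholder; vault names must be globally unique
$vmName    = 'vm-demo-placeholder'   # placeholder; an existing VM in $rg
$location  = 'eastus'

# The vault is the container. -EnabledForDiskEncryption lets Azure Disk Encryption
# read the disk-encryption secret it will write here.
$vault = New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location $location `
    -EnabledForDiskEncryption

# 1. Secret: any small piece of sensitive text (API key, password, connection string).
$apiKey = Read-Host -Prompt 'API key to store' -AsSecureString
Set-AzKeyVaultSecret -VaultName $vaultName -Name 'payments-api-key' -SecretValue $apiKey | Out-Null

# 2. Key: a cryptographic key that never leaves the vault in plaintext; wrap/unwrap and
#    sign/verify run inside the service. -Destination HSM requires the Premium tier.
$kek = Add-AzKeyVaultKey -VaultName $vaultName -Name 'vm-disk-kek' -Destination Software `
    -KeyOps wrapKey, unwrapKey

# 3. Certificate: Key Vault owns the lifecycle. Here a self-signed certificate with
#    automatic renewal 30 days before expiry.
$policy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' `
    -SubjectName 'CN=app.example.invalid' -IssuerName Self -ValidityInMonths 12 `
    -RenewAtNumberOfDaysBeforeExpiry 30
Add-AzKeyVaultCertificate -VaultName $vaultName -Name 'app-tls-cert' -CertificatePolicy $policy | Out-Null

# The VM is NOT placed in the vault. Azure Disk Encryption encrypts the VM's disks in place
# and stores only the resulting disk-encryption secret in the vault, wrapped with the key above.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri -DiskEncryptionKeyVaultId $vault.ResourceId `
    -KeyEncryptionKeyUrl $kek.Id -KeyEncryptionKeyVaultId $vault.ResourceId

# Evidence of the split: the encryption status points at vault URLs, while the managed disk
# itself is still attached to the VM's compute resource.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName |
    Select-Object OsVolumeEncrypted, DataVolumesEncrypted, OsVolumeEncryptionSettings
(Get-AzVM -ResourceGroupName $rg -Name $vmName).StorageProfile.OsDisk |
    Select-Object Name, ManagedDisk
```

Two design points worth noting: the secret value is read as a SecureString rather than typed on the command line, so it does not end up in shell history, and the disk-encryption extension is handed the vault's URI and resource ID rather than the disk. Trying to push a VHD into the vault as a secret would fail on the 25 KB secret size limit, which is the practical expression of the distinction the explanation above draws.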