Key Vault
Safeguard and maintain control of keys and other secrets
Azure Key Vault enables Azure subscribers to safeguard and control cryptographic keys and other secrets used by cloud apps and services. Azure Key Vault provides two types of containers:
- Vaults for storing and managing cryptographic keys, secrets, certificates, and storage account keys.
- Managed HSM pool for storing and managing HSM-backed cryptographic keys
Pricing Details
Vaults
Vaults are offered in two service tiers—standard and premium.
| Standard | Premium | |
|---|---|---|
| Secrets operations | ¥0.305/10,000 transactions | ¥0.305/10,000 transactions |
| Certificate operations 1 |
Renewals - ¥30.528 per renewal request All other operations - ¥0.305/10,000 transactions |
Renewals - ¥30.528 per renewal request All other operations - ¥0.305/10,000 transactions |
Managed HSM Pools
| Hourly usage fee per HSM pool | |
|---|---|
| Standard B1 | ¥19.2 |
Software-protected keys
| Standard | Premium | |
|---|---|---|
| RSA 2,048 keys | ¥0.3/10,000 transactions | ¥0.3/10,000 transactions |
|
Advanced key types - RSA 3,072-bit、RSA 4,096-bit, and Elliptic-Curve Cryptography (ECC) keys |
¥1.5/10,000 transactions | ¥1.5/10,000 transactions |
HSM-protected keys
| Standard | Premium | |
|---|---|---|
| RSA 2,048 keys | N/A | ¥10.176 per key per month 1 + ¥0.3/10,000 transactions |
|
Advanced key types -
1
RSA 3,072-bit、RSA 4,096-bit, and Elliptic-Curve Cryptography (ECC) keys |
N/A | ¥50.88 per key per month + ¥1.5/10,000 transactions |
Key Rotation
| Standard | Premium | |
|---|---|---|
| Automated key rotation | ¥10.176 per scheduled rotation | ¥10.176 per scheduled rotation |
FAQ
Expand all-
What can I store in the key vault?
You can also store the following types of keys and secrets:
- Keys can be imported or generated. When you ask the Key Vault service to decrypt or sign with a key, the operation is performed in the key vault.
- You can also use keys for encryption. In this case, cryptographic operations are performed in software. These computations are performed in the Azure compute roles.
- Secrets are data (under 25 KB) such as passwords or PFX files that your application can store and retrieve in plaintext. The Key Vault service persists secrets encrypted, and provides an access control layer over them.
In addition to keys and secrets, you can also store and manage SSL/TLS certificates that you've purchased from public CAs, and automatically enroll or renew them via Key Vault if the public CA is currently supported by Key Vault.
-
How is an operation defined?
Every successfully authenticated REST API call counts as one operation.
Examples of key operations: create, import, get, list, backup, restore, delete, update, sign, verify, wrap, unwrap, encrypt and decrypt. Note that the price charged for an operation may vary based on the type of key (for example, operations performed on a 2,048-bit RSA key vs a 4,096-bit RSA key are billed against different meters with different prices, as described in the pricing section above).
Examples of operations for secrets—create/update, get, list.
Examples of operations for certificates—create, update policy, contacts, import, renewal or update of certificates. Note that a certificate renewal operation has a separate cost from all other operations on certificates.
-
How am I billed for operations?
Operations against all keys (software-protected keys and HSM-protected keys), secrets, and certificates are billed at a flat rate of ¥30.528 per 10,000 operations, except certificate renewal requests, which are billed at a rate of ¥30.528 per renewal. Examples—A) You perform 2,000 operations with HSM-protected keys, 1,000 operations with software-protected keys, and 500 operations with secrets during a billing cycle. You will be billed for 3,500 operations during that billing cycle. B) In a given billing cycle, you perform 500 operations on 20 certificates, and 2 of these certificates are also renewed by Key Vault. You will be billed for 500 operations and 2 certificate renewal requests.
-
How am I billed for HSM keys?
Each key that you generate or import in an Azure Key Vault HSM will be charged as a separate key. You will get charged for a key only if it was used at least once in the previous 30 days (based on the key’s creation anniversary date). Note that if you store multiple (historical) versions of a given key, then each version is treated as a separate key for billing purposes.
Examples:
- You add three HSM protected keys in your key vault. Over the next 30 days, you use the first key 10,000 times, the second key once, and you do not use the third key at all. For this 30-day period, you will get billed for 2 HSM key units. For e.g. if these are 2,048-bit RSA keys, you will get billed 2 x ¥10.176/key/month = ¥20.352, and if these are 3,072-bit RSA keys, you will get billed 2 x ¥50.88/key/month = ¥101.76.
- You have 1 HSM protected key in your key vault. You have 5 historical versions of that key because you have changed the value of the key four times. In the last 30 days, you used 2 of those versions, and did not touch the other three. For a 2,048-bit RSA key, you will get billed ¥20.352 in this example, while for advanced key type, you will get billed ¥101.76 in this example.
- Note that any operations performed on HSM-protected keys will be charged separately and will apply in addition to the HSM key charges.
-
Is there a setup fee for the Azure Key Vault?
No, there is no any setup fee for the Azure Key Vault.
-
How much would I be charged if my HSM-protected key is only enabled for part of the month?
HSM key charges are not pro-rated based on length of time it is enabled. We will charge for an HSM key only if it is used at least once in the previous 30 days, based on the key’s creation anniversary date.
-
Can I use Key Vault with third-party apps?
Yes, you can grant use of keys stored in Key Vault to any app, hosted anywhere (Microsoft Azure, third-party cloud, on-premises).
-
If my application uses a key created by another Azure subscriber, will I be charged for using that key?
No, only the key owner will be charged.
Support & SLA
If you have any questions or need help, please visit Azure Support and select self-help service or any other method to contact us for support.
We guarantee that in at least 99.9% of cases, key vault transactions can be processed within 5 seconds. To learn more about the details of our Service Level Agreement, please visit the Service Level Agreements page.