Storing secrets and keys securely with Azure Key Vault
API keys, passwords, and certificates don't belong in config files or source code. How Azure Key Vault centralises sensitive data securely — and how we wire it cleanly into .NET applications.
In an increasingly complex IT landscape — where applications scale constantly and data volumes explode — the security of secrets (API keys, passwords, certificates) is central. Add a growing dependency on external developers, DevOps engineers, and testers: if your source code is full of security-relevant secrets, granting access to external contributors becomes essentially impossible.
Azure Key Vault solves this. In this article we show how to store secrets and keys safely — and which best practices we follow in our projects.
What is Azure Key Vault?
Azure Key Vault is a cloud service from Microsoft designed for managing keys, secrets, and certificates. With it you can:
- Store secrets like API keys, database credentials, and passwords
- Manage keys for encryption and decryption
- Secure certificates and auto-renew them
Azure Key Vault leverages Azure’s security standards and protocols to keep sensitive data protected from unauthorised access.
Why Azure Key Vault?
Managing secrets is a challenge many organisations underestimate. Traditionally they live in config files, environment variables, or even source code — a significant security risk. Azure Key Vault gives you:
- Centralisation. All secrets in one central, secure place.
- Access control. Integration with Entra ID (formerly Azure AD) lets you control and monitor access precisely.
- Audit and monitoring. Every access is logged — you always see who accessed what data, when.
Setting up Azure Key Vault
Setup is straightforward via the Azure Portal, Azure CLI, or PowerShell. A short example with the CLI:
# Sign in to Azure
az login
# Create a resource group
az group create --name myResourceGroup --location westeurope
# Create the Key Vault
az keyvault create --name myKeyVault --resource-group myResourceGroup --location westeuropeOnce the Vault exists, you can add secrets:
# Add a secret
az keyvault secret set --vault-name myKeyVault --name mySecret --value "SuperSecurePassword123"Accessing secrets from .NET
Applications use the Azure Key Vault API to read secrets. A C# example:
var kvUri = "https://myKeyVault.vault.azure.net";
var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());
KeyVaultSecret secret = client.GetSecret("mySecret");
Console.WriteLine($"Secret: {secret.Value}");Integration with IConfiguration and the Options Pattern
Reading secrets manually is cumbersome and impractical for production apps with dozens
or hundreds of values. A cleaner approach combines Key Vault with IConfiguration and
the Options Pattern.
In modern .NET apps you can seamlessly integrate Azure Key Vault into IConfiguration.
Values from the Vault automatically replace corresponding configuration entries. You
need the Microsoft.Extensions.Configuration.AzureKeyVault package.
var builder = WebApplication.CreateBuilder(args);
var keyVaultEndpoint = new Uri("https://myKeyVault.vault.azure.net");
builder.Configuration.AddAzureKeyVault(keyVaultEndpoint, new DefaultAzureCredential());
var app = builder.Build();Then you bind the values into strongly typed configuration objects using the Options Pattern:
public class DummyOptions
{
public const string SectionName = "Dummy";
public string MySecret { get; set; } = "";
}
services.Configure<DummyOptions>(Configuration.GetSection(DummyOptions.SectionName));
public class MyService
{
private readonly DummyOptions _options;
public MyService(IOptions<DummyOptions> options)
{
_options = options.Value;
}
public void DoSomething()
{
Console.WriteLine(_options.MySecret);
}
}This setup ensures your application always pulls current, secure values directly from the Vault — cleanly separated from code and the build pipeline.
Best practices for production
- Minimal access. Grant only the access actually needed. Use role-based access controls (RBAC).
- Regular rotation. Rotate secrets and keys on a schedule — ideally automated.
- Automation. Use Azure automation and infrastructure as code to standardise the management of secrets.
- Monitoring and alerts. Enable monitoring and alerts to spot unusual access early.
Conclusion
Azure Key Vault is a secure, scalable solution for managing secrets and keys in the cloud. Centralised management, strict access control, and comprehensive audit make it indispensable for DevOps teams that take security and compliance seriously.
If you need support adopting Azure Key Vault or shaping a broader cloud-security strategy, get in touch. We bring deep experience in cloud engineering and software architecture.
Keep reading
Related articles
-
October 19, 2024
Modular monolith vs. microservices: which architecture fits your project?
Microservices sound modern — but they're not the right call for every project. A sober comparison of both architectures, with clear recommendations for when to use which.
Read article -
July 31, 2024
Requirements vs. user stories: where the real difference lies
Requirements and user stories are often used interchangeably in projects — and that costs clarity. What each actually delivers, where they complement each other, and when which form gets you to the goal.
Read article
