What is difference between Keys and Secrets in Azure Key Vault?

A very simple answer:

Key

A Cryptographic key represented as JWK (JSON Web Key)

Example: store a .pfx certificate file that contains a pair of public & private keys

Secret

KV accepts any value and stores it as binary (there is a maximum size limitation)

Example: A password or API key


Further Reading

  • About Keys and Secrets

Key Vault Keys:

Keys in Azure Key Vault are 'Cryptographic keys' used to encrypt information without releasing the private key to the consumer (users/services). It acts like a black box to encrypt and decrypt content using the RSA algorithm.

The RSA algorithm involves a public key and a private key. The public key can be known to everyone; it is used to encrypt messages. Messages encrypted using the public key can only be decrypted with the private key.

Scenario:

Assume you have to store the customer's credit card. The secure way to keep it in your DB is to store it encrypted; during software design and business requirements it is perfectly clear that you should encrypt it. What most people don't realize, or don't bother with, is how you protect your encryption keys, which most of the time are stored as part of your software configuration. If an attacker or employee has access to the key, the information is not secure anymore.

Using Key Vault keys, you could send the credit card information to Key Vault, and it will encrypt the information and return the encrypted value to the caller. In high-performance scenarios, you could get the public key from Key Vault, use it to encrypt the information on the application side and store it in the DB already encrypted, without sending the data to KV. The only way to get the real data back would be to send the encrypted data to KV, which will return the decrypted credit card.

Key Vault Secrets

Secrets in Azure Key Vault are octet sequences with a maximum size of 25kb each. They are described as octets because Key Vault does not care about the data type being stored; the only limitation is the size of 25kb. Once you send the data, it is encrypted and stored, and you can retrieve it at any time if you have the permissions to do so. It is used to store information like application settings, tokens and, if you will, database connection strings, passwords and so on.

The good side of Key Vault Secrets is that you can use pre-defined rotation values by defining the Expiration/NotBefore values. So you could register temporary values that will be rotated at specified periods; while the reader has access to the Key Vault with Get permission, they will be able to read the current ones only, while the future ones are already defined and not visible to the Get operation.
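As an added example (editor's code, not part of the answer above and not a Microsoft sample), here is the credit-card scenario and the scheduled secret versions from this answer written against the Azure SDK for .NET (Azure.Identity, Azure.Security.KeyVault.Keys, Azure.Security.KeyVault.Secrets). The vault URL, the key name `card-key`, the secret name `db-password` and the card number are placeholders or constructed values; it assumes the caller's identity has get/encrypt/decrypt permission on the key and set/get/list permission on secrets in that vault.

```csharp
// Added example, not from the answer: Key Vault keys (encrypt in the vault or locally
// with the public half, decrypt only in the vault) and secrets with NotBefore/ExpiresOn.
// Vault URL, key name, secret name and the card number below are placeholders.
using System;
using System.Text;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Keys;
using Azure.Security.KeyVault.Keys.Cryptography;
using Azure.Security.KeyVault.Secrets;

class KeyVaultDemo
{
    static readonly Uri VaultUri = new Uri("https://<your-vault>.vault.azure.net/"); // placeholder
    const string KeyName = "card-key";      // hypothetical RSA key in the vault
    const string SecretName = "db-password"; // hypothetical secret name

    static async Task Main()
    {
        var credential = new DefaultAzureCredential();

        // Keys: the vault holds the private key; callers only ever see the public half.
        var keyClient = new KeyClient(VaultUri, credential);
        KeyVaultKey key = await keyClient.GetKeyAsync(KeyName);

        byte[] card = Encoding.UTF8.GetBytes("4111111111111111"); // constructed test value, not a real card

        // Path 1: send the plaintext to Key Vault; the service encrypts and returns ciphertext.
        var remote = new CryptographyClient(key.Id, credential);
        EncryptResult enc = await remote.EncryptAsync(EncryptionAlgorithm.RsaOaep256, card);

        // Path 2 (high-throughput): GetKey returns only public material, so a client built from
        // key.Key encrypts locally with no round trip to the vault.
        var local = new CryptographyClient(key.Key);
        EncryptResult encLocal = await local.EncryptAsync(EncryptionAlgorithm.RsaOaep256, card);

        // The local client cannot decrypt: there is no private key outside the vault.
        // (It throws; the exact exception type is an SDK detail, so we only report it.)
        try { await local.DecryptAsync(EncryptionAlgorithm.RsaOaep256, encLocal.Ciphertext); }
        catch (Exception ex) { Console.WriteLine($"local decrypt refused: {ex.GetType().Name}"); }

        // Either ciphertext is recoverable only by asking the vault (needs the "decrypt" permission).
        DecryptResult dec = await remote.DecryptAsync(EncryptionAlgorithm.RsaOaep256, encLocal.Ciphertext);
        Console.WriteLine(Encoding.UTF8.GetString(dec.Plaintext) == "4111111111111111"
            ? "round trip ok" : "round trip FAILED");
        Console.WriteLine($"vault-side ciphertext length: {enc.Ciphertext.Length} bytes");

        // Secrets: register the current value and the next one ahead of time.
        var secretClient = new SecretClient(VaultUri, credential);
        DateTimeOffset now = DateTimeOffset.UtcNow;

        var current = new KeyVaultSecret(SecretName, "Pa55-current"); // constructed value
        current.Properties.NotBefore = now;
        current.Properties.ExpiresOn = now.AddDays(30);
        await secretClient.SetSecretAsync(current);

        var next = new KeyVaultSecret(SecretName, "Pa55-next");       // constructed value
        next.Properties.NotBefore = now.AddDays(30);                    // not valid until day 30
        next.Properties.ExpiresOn = now.AddDays(60);
        await secretClient.SetSecretAsync(next);

        // Caveat: GetSecret(name) with no version returns the most recently created version,
        // which is now the not-yet-valid one, and Key Vault refuses to return a version that
        // is outside its NotBefore/ExpiresOn window.
        try { await secretClient.GetSecretAsync(SecretName); }
        catch (RequestFailedException ex) { Console.WriteLine($"latest version not readable yet: HTTP {ex.Status}"); }

        // So select the version whose validity window contains "now" and fetch it by version.
        await foreach (SecretProperties p in secretClient.GetPropertiesOfSecretVersionsAsync(SecretName))
        {
            bool inWindow = (p.NotBefore ?? DateTimeOffset.MinValue) <= now
                         && (p.ExpiresOn ?? DateTimeOffset.MaxValue) > now;
            if (!inWindow || !p.Enabled.GetValueOrDefault(true)) continue;
            KeyVaultSecret usable = await secretClient.GetSecretAsync(SecretName, p.Version);
            Console.WriteLine($"usable version {p.Version} (expires {p.ExpiresOn:u}): {usable.Value}");
        }
    }
}
```

The version-selection loop is the practical consequence of the answer's point about NotBefore: pre-registering a future value works, but a reader that simply calls Get on the secret name picks up the newest version, so the consumer has to choose the version that is valid now rather than rely on "latest".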