Key Vault Pricing
Safeguard cryptographic keys and other secrets used by cloud apps and services
Azure Key Vault enables Azure subscribers to safeguard and control cryptographic keys and other secrets used by cloud apps and services.
- Encrypt keys and small secrets like passwords using keys in Hardware Security Modules (HSMs).
- Import or generate your keys in HSMs certified to FIPS 140-2 level 2 standards for added assurance, so that your keys stay within the HSM boundary.
- Simplify and automate tasks for SSL/TLS certificates, enrol and automatically renew certificates from supported public certification authorities (CA).
- Provision and deploy new Vaults and Keys in minutes without waiting for procurement, hardware or IT and centrally manage keys, secrets and policies.
- Maintain control over encrypted data – grant and revoke key use by your own and third-party applications as needed.
- Segregate key management duties to enable developers to easily manage keys used for dev/test and migrate seamlessly to production keys managed by security operations.
- Rapidly scale to meet the cryptographic needs of your cloud applications and match peak demand.
- Achieve global redundancy by provisioning Vaults in Azure data centres worldwide and keep a copy in your own Hardware Security Modules (HSMs) for added durability.
The India Regions are available to customers with a business presence in India.
The India Regions are available to customers with a business presence in India. The West India data centre is currently only available to select volume licensing customers and partners. For more information, contact your Microsoft India partner manager or account manager.
Azure Government is available to US government entities to purchase physically and network isolated instances of Azure Government from a Licensed Azure Government Service Provider or Partner with no up-front financial commitment or fee. Or, you can sign up for a free Azure Government Trial.
Important: The price in R$ is merely a reference; this is an international transaction and the final price is subject to exchange rates and the inclusion of IOF taxes and an eNF will not be issued.
Azure Germany is available to customers and partners in the European Union (EU) and European Free Trade Association (EFTA) and provides data residency in Germany with additional levels of control and data protection with a modest price uplift over global cloud offerings (% varies per service).
Azure Key Vault is offered in two service tiers: Standard and Premium.
|Secrets and Software-protected keys||$-/10,000 operations||$-/10,000 operations|
|Certificate Operations 1|| Renewals: $- per renewal request |
All other operations: $-/10,000 operations
| Renewals: $- per renewal request |
All other operations: $-/10,000 operations
|HSM Protected keys||N/A|| $- per key per month |
(every version of a key is counted separately)
+ $-/10,000 operations
Support and SLA
- Billing and subscription management support is provided at no cost.
- Technical support is available through various Azure support plans, starting at $29.0/month.
- Service-level agreement (SLA): We guarantee that at least 99.9% of time, we will successfully process requests for Key Vault transactions within 5 seconds. To learn more about our SLA, please visit the SLA page.
- What can I store in a Key Vault?
You can store the following types of keys and secrets in Key Vault.
- Keys can be imported or generated in HSMs and are always locked to the boundary of the HSM. When you ask the Key Vault service to decrypt or sign with a key, the operation is performed inside an HSM
- You can also encrypt using keys in HSMs. In this case, cryptographic operations are performed in software, as opposed to being inside an HSM. These computations are performed in Azure compute roles.
- Secrets are data (under 10 KB) such as passwords or PFX files that your application can store and retrieve in plaintext. The Key Vault service persists secrets encrypted using an HSM-backed key and provides an access control layer over them
In addition to keys and secrets, you can also store and manage SSL/TLS certificates that you have purchased from public CAs, and automatically enrol/renew them via Key Vault if the public CA is currently supported by Key Vault.
- How are operations defined?
Every successfully authenticated REST API call counts as one operation. Examples of operations for keys: create, import, get, list, back up, restore, delete, update, sign, verify, wrap, unwrap, encrypt and decrypt. Examples of operations for secrets: create/update, get, list.
Examples of operations for secrets: create/update, get, list.
Examples of operations for certificates: create and update policies and contacts; import, renew or update certificates. Note that a certificate renewal operation has a separate cost from all other operations on certificates.
- How am I billed for operations?
Operations against all keys (software-protected keys and HSM-protected keys), secrets and certificates are billed at a flat rate of $- per 10,000 operations, except certificate renewal requests, which are billed at a rate of $- per renewal. Examples: A) You perform 2,000 operations with HSM-protected keys, 1,000 operations with software-protected keys and 500 operations with secrets during a billing cycle. You will be billed for 3,500 operations during that billing cycle. B) In a given billing cycle, you perform 500 operations on 20 certificates, and 2 of these certificates are also renewed by Key Vault. You will be billed for 500 operations and 2 certificate renewal requests.
- How am I billed for HSM Keys?
Each key that you generate or import in an Azure Key Vault HSM costs $-/month, if it has been used at least once in the last 30 days. The Key Vault service allows you to keep multiple (historical) versions of a key. Each version is independently billed. Examples:
- You have three keys in your key vault. You use the first key 10,000 times over a 30-day period. You use the second key 2 times over that same 30-day period. You do not touch the third key during that 30-day period. You get billed $- in that billing cycle (in addition to the operations charges)
- You have one key in your key vault. You have five historical versions of that key because you have changed the value of the key four times. In the last 30 days, you used two of those versions and did not touch the other three. You get billed $- in that billing cycle.
- Is there any set-up fee for Azure Key Vault?
No, there is no set-up fee for Azure Key Vault.
- How much would I be charged if my HSM-protected key is only enabled for part of the month?
Each version of an HSM-protected key is charged at $- per month. There is no pro-rating. Only keys that are used in a given billing cycle are charged, not every key.
- Can I use Key Vault with third-party apps?
Yes, you can grant use of keys stored in Key Vault to any app, hosted anywhere (Microsoft Azure, third-party cloud, on-premises).
- If my application uses keys created by another Azure subscriber, do I get billed for use of that key?
No. Only the key owner gets billed.