Key Vault pricing

Safeguard cryptographic keys and other secrets used by cloud apps and services

Azure Key Vault enables Azure subscribers to safeguard and control cryptographic keys and other secrets used by cloud apps and services.

  • Encrypt keys and small secrets like passwords using keys in Hardware Security Modules (HSMs)
  • Import or generate your keys in HSMs certified to FIPS 140-2 level 2 (vaults) and FIPS 140-2 level 3 (managed HSM pools) standards for added assurance, so that your keys stay within the HSM boundary.
  • Simplify and automate tasks for SSL/TLS certificates, enroll and automatically renew certificates from supported public certification authorities(CA).
  • Manage and automatically rotate Azure Storage account keys and use shared access signatures to avoid direct contact with the keys.
  • Provision and deploy new vaults and keys in minutes without waiting for procurement, hardware or IT and centrally manage keys, secrets and policies.
  • Maintain control over encrypted data—grant and revoke key use by both your own ad third-party applications as needed.
  • Segregate key management duties to enable developers to easily manage keys used for dev/test and migrate seamlessly to production keys managed by security operations.
  • Rapidly scale to meet the cryptographic needs of your cloud applications and match peak demand.
  • Achieve global redundancy by provisioning vaults in Azure datacenters worldwide and keep a copy in your own HSM for added durability.

Azure Key Vault provides two types of containers,

  • Vaults for storing and managing cryptographic keys, secrets, certificates and storage account keys.
  • Managed HSM pool for storing and managing HSM-backed cryptographic keys


Vaults are offered in two service tiers—standard and premium.

Standard Premium
Secrets operations $-/10,000 transactions $-/10,000 transactions
Certificate operations2 Renewals—$- per renewal request.
All other operations—$-/10,000 transactions
Renewals—$- per renewal request.
All other operations—$-/10,000 transactions
Managed Azure Storage account key rotation (in preview)

Free during preview.
General availability price — $- per renewal3

Free during preview.
General availability price — $- per renewal3

Software-protected keys
RSA 2048-bit keys $-/10,000 transactions $-/10,000 transactions

Advanced key types

RSA 3072-bit, RSA 4096-bit and Elliptic-Curve Cryptography (ECC) keys

$-/10,000 transactions

$-/10,000 transactions

HSM-protected keys
RSA 2048-bit keys N/A $- per key per month1 + $-/10,000 transactions

Advanced key types1

RSA 3072-bit, RSA 4096-bit and Elliptic-Curve Cryptography (ECC) keys

First 250 Keys $- per key per month
From 251 – 1500 keys $- per key per month
From 1501 – 4000 keys $- per key per month
4001+ keys $- per key per month
+ $-/10,000 transactions

1Only actively used HSM protected keys (used in prior 30-day period) are charged and each version of an HSM protected key is counted as a separate key. See FAQs below for more details. Billing will commence from 1st November 2018.

2Key Vault does not issue certificates or resell certificates from CAs. Key Vault provides the ability to simplify and automate certain tasks on certificates that you purchase from Public CAs, such as enroll and renew.

3Storage account keys are stored as ‘secrets’ in Key Vault and therefore operations charges (see ‘Secrets Operations’ row above) will apply on any operation performed on these keys, including a renewal. See FAQs below for more details on how operations are defined.

Managed HSM Pools

Hourly usage fee per HSM pool
Standard B1 $-

Support & SLA

  • Billing and subscription management support is provided at no cost.
  • Technical support is available through various Azure support plans, starting at $29/month.
  • Service Level Agreement (SLA)—We guarantee that at least 99.9% of the time we will successfully process requests for Key Vault transactions within five seconds. Learn more about our SLA.


  • You can store the following types of keys and secrets in Key Vault:

    • Keys can be imported or generated in HSMs and are always locked to the boundary of the HSM. When you ask the Key Vault service to decrypt or sign with a key, the operation is performed inside an HSM.
    • You can also encrypt using keys in HSMs. In this case, cryptographic operations are performed in software, as opposed to being inside of an HSM. These computations are performed in Azure compute roles.
    • Secrets are data (under 10_KB) such as passwords or .PFX files that your application can store and retrieve in plaintext. The Key Vault service persists secrets encrypted using an HSM-backed key and provides an access control layer over them.

    In addition to keys and secrets, you can also store and manage SSL/TLS certificates that you have purchased from public CAs and automatically enroll or renew them via Key Vault if the public CA is currently supported by Key Vault.

  • Every successfully authenticated REST API call counts as one operation.

    Examples of operations for keys—create, import, get, list, backup, restore, delete, update, sign, verify, wrap, unwrap, encrypt and decrypt. Note that the price charged for an operation may vary based on the type of key (for example, operations performed on a 2048-bit RSA key vs a 4096-bit RSA key are billed against different meters with different prices, as described in the pricing section above).

    Examples of operations for secrets—create/update, get, list.

    Examples of operations for certificates—create, update policy, contacts, import, renewal or update of certificates. Note that a certificate renewal operation has a separate cost from all other operations on certificates.

  • Operations against all keys (software-protected keys and HSM-protected keys), secrets and certificates are billed at a flat rate of $- per 10,000 operations, except certificate renewal requests, which are billed at a rate of $- per renewal. Examples—A) You perform 2,000 operations with HSM-protected keys, 1,000 operations with software-protected keys and 500 operations with secrets during a billing cycle. You will be billed for 3,500 operations during that billing cycle. B) In a given billing cycle, you perform 500 operations on 20 certificates and 2 of these certificates are also renewed by Key Vault. You will be billed for 500 operations and 2 certificate renewal requests.

  • Each key which you generate or import in an Azure Key Vault HSM will be charged as a separate key. You will get charged for a key only if it was used at least once in the previous 30 days (based on the key’s creation anniversary date). Note that if you store multiple (historical) versions of a given key, then each version is treated as a separate key for billing purposes.


    • You add three HSM protected keys in your key vault. Over the next 30 days, you use the first key 10,000 times, the second key once and you do not use the third key at all. For this 30-day period, you will get billed for 2 HSM key units. For e.g. if these are 2048-bit RSA keys, you will get billed 2 x $-/key/month = $- and if these are 3072-bit RSA keys, you will get billed 2 x $-/key/month = $-.
    • You have 1 HSM protected key in your key vault. You have 5 historical versions of that key because you have changed the value of the key four times. In the last 30 days, you used 2 of those versions and did not touch the other three. For a 2048-bit RSA key, you will get billed $- in this example, while for advanced key type, you will get billed $- in this example.
    • Note that any operations performed on HSM-protected keys will be charged separately and will apply in addition to the HSM key charges.
  • No, there is no set up fee for Azure Key Vault.

  • HSM key charges are not pro-rated based on length of time it is enabled. We shall charge for an HSM key only if it is used at least once in the previous 30 days, based on the key’s creation anniversary date.

  • Yes, you can grant use of keys stored in Key Vault to any app, hosted anywhere (Microsoft Azure, third-party cloud, on-premises).

  • No. Only the key owner gets billed.


Estimate your monthly costs for Azure services

Review Azure pricing frequently asked questions

Learn more about Key Vault

Review technical tutorials, videos, and more resources

Added to estimate. Press 'v' to view on calculator

Talk to a sales specialist for a walk-through of Azure pricing. Understand pricing for your cloud solution.

Get free cloud services and a $200 credit to explore Azure for 30 days.