Cloud Key Management Services Use Cases

Today, cloud environments have been chosen by many business solutions as the premier hosting environment for their applications. They can choose either Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), or Infrastructure-as-a-Service (IaaS) different solution types in order to meet business needs. solution can be prepared. However, storing business data in a cloud environment will be a major challenge in bringing business data to the public. As for data security issues, each cloud platform vendor offers a different solution for data security. Understanding the similarities and differences in those solutions will help business customers choose the appropriate solution for business applications.

This article will discuss the primary solution use cases and key differences in secret key management between Microsoft Azure, Amazon AWS, and Google Cloud Platform for managing secret keys, certificates, and data encryption. Although a platform may provide a similar solution or an indirect solution for a specific use case, it will be compared unless it is a more commonly used use case.

Azure Security Key Vault Service

Microsoft Azure Cloud Platform provides Key Vault, a centralized solution for protecting sensitive information from applications, managing secrets, security keys and certificates for Azure Web Apps, function applications, and cold storage. It can be used as an integrated PaaS solution with other Azure cloud services, and supports both software keys and hardware keys.

Azure security keys are created in a resource group with a key vault name, region, pricing level (Standard and Premium), and a set of access policies. Vault Keys can be accessed in many ways, such as Rest API, Ney SDK, Java SDK, Node.js, Python, Azure CLI, PowerShell, etc.

Azure Key Vault offers two service levels, Standard and Premium, and can be used for the following major use cases:

  1. Use Azure Key Vault to Manage VM and Disk Storage via VM Keys
  2. Use Azure Key Vault to manage backend Azure SQL, Logical Apps and Web Apps, monitoring and logging via privacy and certificates
  3. Identify translation or broking service to other cloud platforms, such as AWS, Google Cloud Platform, etc.

AWS Key Management Service

AWS Key Management System (KMS) is a regional key system. Multi-sector keys can be used in multiple areas, such as disaster recovery or operation of global apps.

The AWS Key Management Service includes both client-side encryption and server-side encryption. It is managed inside the AWS Amazon Elastic Compute Cloud (EC2). KMS enables Customer to provision and use encryption keys to protect data, and also enables Customer to create, use and manage encryption keys.

For example, in KMS, a user can use a data key to encrypt a file or store data. The encrypted data key is stored inside an encrypted data file and encrypted by the KMS crypto model. During the decryption process, the data key will be decrypted first, and then it will be used to decrypt the data file.

AWS KMS uses master keys to generate data keys that will be used to encrypt and decrypt the data file. The master key is encrypted with the AES 256 encryption algorithm with the given password. AWS also manages encryption/decryption activities and audit events managed in the AWS Cloud Trail.

Compared to Azure Key Vault, the common use case in AWS Key Management Service (KMS) is using symmetric keys. This means that the same key is used for data encryption and decryption (with 256 AES algorithms). It is the primary method of encryption and decryption of the data file, and the keys can also be used for signing and signing.

Azure Vault is an asymmetric key mechanism with public key and private key. The private key is used for decryption or signing, and the public key is used for encryption or verification. The public key is given to everyone to perform the encryption. It doesn’t help with decryption

Due to the difference between the symmetric or asymmetric key method, the key use cases in AWS differ from the Azure Key Vault use cases:

  1. In AWS, the system generates a fresh data key, and AWS KMS will encrypt that fresh data key with the master key, and keep it secure inside the KMS. AWS will send back both the explicit version and the encrypted version key via TLS to the user. The client can later use the encrypted version key for decryption or the clear version key for encryption.
  2. In Azure Vault, the client will generate its own keys, encrypt the data file with the public key provided by Azure Key Vault, and decrypt the data file with the private key.

Google Cloud Key Management Service

Google Cloud Key Management Service (CKMS) is a centralized cloud service for managing encryption keys to encrypt cloud data files for other Google services such as API tokens, data files, storage, or web apps. It uses AES 256 encryption algorithm to protect the data files.

Google Cloud KMS supports both asymmetric keys and symmetric keys. It integrates with other Google-provided services, for example, cloud identity and access management, storage management, and content management. Like Azure Vault, Google CKMS has integrated with cloud monitoring and logging, hardware security model, etc.

Major use cases:

  1. Use Google Cloud KMS to manage content, Drive storage, and access to the Web Apps API.
  2. Use asymmetric keys (public key and private key), or symmetric keys (master key and data key) to manage data file encryption and decryption
  3. Access encrypted data in BigQuery via API in Google-provided services

Other Cloud Key Management Services

There are some other cloud key management services, such as Spring Cloud Vault that provide a central location with external client-side configuration to manage external security secrets. Spring Cloud Vault is an open-source framework for managing security secrets that can be used to protect external services, such as databases (MySQL, PostgreSQL, MongoDB, etc.).

IBM Security Guardium Key Lifecycle Manager is also a centralized, transparent encryption key management service used for key life-cycle management, such as key generation, storage, self-encrypting, interoperation, and API access. It is an integrated service in the IBM Security Guardium suites.

Oracle Cloud Oracle Cloud Infrastructure (OCI) Vault provides, again, a centralized location to manage the use of keys and secrets across OCI services as well as Oracle Identity and Access Management (IAM) services. It supports both symmetric and asymmetric keys with the AES 256 encryption algorithm.

in a summary

Although Azure Key Vault, AWS Key Management Service and Google Cloud Key Management Service provide almost the same security, key management, encryption and decryption service to protect cloud data file, storage, content, certificate, hardware, access etc., but they There are still some differences in the major use cases, system access and development, and cost models. Here is a summary discussion of the major differences between those platforms:

from the point of view of development

Azure Key Vault supports local development environment with native API, it is very easy to set up on developer’s local machine. AWS KMS is required to generate the key from the Key Management Console and set up development with the Encryption SDK. Google CKS requires Google Cloud Services API for development

from the point of view of deployment

Azure Key Vault and google CKMS support on-premises development and deployment remotely. Azure Key Vault can be used as a broker agent for identity translation to other cloud platforms.

From key encryption/decryption perspective

Azure Key Vault is mainly used as an asymmetric key system (public and private keys). AWS KMS uses symmetric keys (master and data keys), and Google CKMS uses both.

From a key management and data retention perspective

In Azure Key Vault, the key will be destroyed after the retention period expires. AWS will destroy KMS keys after they are removed in 7-30 days. Google will not remove CKMS keys.


As you know, in a cloud environment, different platforms provide the same security key management services for data file encryption and decryption. The difference between them is very subtle. Choosing which system will be used in your solution should be considered in the broader picture of your organization’s strategic roadmap plan.

However, only for key management and data file encryption, IT developers and architects will consider symmetric or asymmetric key structure, convenience of using native environment development, convenience of access service on cloud platform and cost model etc.

Thanks for reading and hope you found this article helpful.

Leave a Comment