Azure Key Vault
Arpio support for Azure Key Vault
Arpio replicates Azure Key Vault resources to recovery environments, ensuring secrets, keys, and certificates remain available for applications during disaster recovery scenarios. Arpio supports both RBAC-enabled and Access Policy-based vaults.
Key Vault
Arpio replicates Key Vaults with their access configurations. Both RBAC-authorized vaults and Access Policy-based vaults are supported.
Translated Attributes
The following attributes are translated during replication:
| Attribute | Translation Method |
|---|---|
| Vault Name | New unique name generated for recovery vault |
| Access Policies | Principal object IDs are translated to corresponding recovery principals |
Automatic Dependency Selection
The following resources are automatically selected into recovery points when a Key Vault is selected:
- Principals referenced within access policies
- All secrets, keys, and certificates within the vault
Private Network Access
If your Key Vault has public access disabled, Arpio will deploy a private delegate that is able to access the Key Vault via an existing private endpoint. This delegate will be used by Arpio to back up and restore settings and data for the Key Vault and its subresources.
Key Vault Secret
Arpio replicates secrets with full version history support, maintaining up to the 100 most recent versions per secret. Secret values are encrypted during backup and securely transferred to a storage account in the recovery subscription.
Translated Attributes
The following attributes are translated during replication:
| Attribute | Translation Method |
|---|---|
| Secret Value | References to other resources within the secret value are translated. This might include storage account URIs, database connection strings, etc. |
Key Vault Key
Arpio replicates the definition of keys, including their attributes and access policies. However, the key material itself is not replicated for security reasons. Instead, a new key is generated in the recovery vault with the same name and attributes but different key material.
Key Vault Certificate
Arpio replicates certificates with full version history support, maintaining up to the 100 most recent versions per certificate.
For exportable certificates, the key and secret referenced by each version of the certificate are also replicated, including the private key material stored in the secret.
For non-exportable certificates, a corresponding certificate with the same name must be manually created in the recovery vault. The recovery certificate is then "adopted" by Arpio during recovery so that references to the certificate can be updated.
Expired certificates are not replicated.
Permission Requirements for Policy-Based Vaults
For RBAC-enabled vaults, the Arpio delegates are assigned the necessary roles and permissions as part of the template install process. For access-policy-based vaults, however, permissions must be explicitly granted to the Arpio primary delegate so that the keys, secrets, and certificates the vault contains can be listed and backed up.
Permissions Required for Arpio Primary Delegate
- Keys: list, get
- Secrets: list, get
- Certificates: list, get
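As an added example (not Arpio's own code), the check below takes the JSON that `az keyvault show` returns for a vault and reports which of the list/get permissions above the primary delegate still lacks; it assumes a placeholder delegate object ID and a constructed sample vault, and treats RBAC-enabled vaults as needing no access-policy grant, since Key Vault ignores access policies on those.

```python
import json

# Permissions the page lists for the Arpio primary delegate on access-policy vaults.
REQUIRED = {"keys": {"get", "list"}, "secrets": {"get", "list"}, "certificates": {"get", "list"}}


def missing_delegate_permissions(vault: dict, delegate_object_id: str) -> dict:
    """Return {category: {missing permissions}} for the delegate; {} means nothing to grant.

    `vault` has the ARM resource shape printed by `az keyvault show`:
    properties.enableRbacAuthorization and properties.accessPolicies[].
    Names are compared case-insensitively because the portal writes "Get"/"List"
    while the CLI writes "get"/"list"; the wildcard "all" satisfies a category.
    """
    props = vault.get("properties", {})
    if props.get("enableRbacAuthorization"):
        # RBAC vault: roles come from the template install, access policies are not consulted.
        return {}
    granted = {cat: set() for cat in REQUIRED}
    for policy in props.get("accessPolicies") or []:
        if (policy.get("objectId") or "").lower() != delegate_object_id.lower():
            continue
        perms = policy.get("permissions") or {}
        for cat in REQUIRED:
            granted[cat] |= {p.lower() for p in (perms.get(cat) or [])}
    missing = {}
    for cat, needed in REQUIRED.items():
        if "all" in granted[cat]:
            continue
        gap = needed - granted[cat]
        if gap:
            missing[cat] = gap
    return missing


# Constructed sample (not a real vault): the delegate can read secrets but lacks
# "list" on keys and has no certificate permissions at all.
DELEGATE_OBJECT_ID = "00000000-0000-0000-0000-000000000001"  # placeholder principal ID
SAMPLE_VAULT = json.loads("""{
  "name": "kv-example",
  "properties": {
    "enableRbacAuthorization": false,
    "accessPolicies": [
      {"objectId": "00000000-0000-0000-0000-000000000001",
       "permissions": {"keys": ["Get"], "secrets": ["get", "list"], "certificates": []}}
    ]
  }
}""")

if __name__ == "__main__":
    print(missing_delegate_permissions(SAMPLE_VAULT, DELEGATE_OBJECT_ID))
```

Pipe real output in with `az keyvault show --name <vault> -o json` and pass the delegate's object ID from the Arpio template deployment.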