# Encrypted volumes with Azure Key Vault

Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys.

## Connection to Azure Key Vault

The following values are used to establish the connection to the Key Vault service from the CSI driver and to make use of the `GetSecret`/`SetSecret`/`DeleteSecret` secret operations:

```text
* AZURE_VAULT_URL
    The URL used to access the Azure Key Vault service.

* AZURE_CLIENT_ID
    The Client ID of the Azure application object (also known as the
    service principal). This ID serves as the username.

* AZURE_TENANT_ID
    The Tenant ID associated with the service principal.

* CLIENT_CERT
    The client certificate (which includes the private key and is not
    password protected) used for authentication with Azure Key Vault.
```

### Values provided in the connection secret

Because `AZURE_CLIENT_CERTIFICATE` is sensitive information, it is provided to the Ceph-CSI driver as a Kubernetes Secret. The Ceph-CSI KMS plugin interface for Azure Key Vault reads the secret name from the KMS ConfigMap and fetches the certificate from that Secret.

### Values provided in the config map

`AZURE_VAULT_URL`, `AZURE_CLIENT_ID`, and `AZURE_TENANT_ID` are part of the KMS ConfigMap.

### Storage class values or configuration

The StorageClass has to be enabled for encryption, and `encryptionKMSID` has to be provided; its value must match the corresponding entry in the KMS ConfigMap.

## Volume Encrypt or Decrypt Operation

Ceph-CSI generates a unique passphrase for each volume, which is used to encrypt and decrypt that volume. The passphrase is securely stored in Azure Key Vault using the `SetSecret` operation. At decrypt time, the passphrase is retrieved from the Key Vault using the `GetSecret` operation.

## Volume Delete Operation

When the corresponding volume is deleted, the stored secret in the Azure Key Vault will be deleted.

> Note: Ceph-CSI solely deletes the secret without permanent removal (purging).
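The three pieces of configuration described above (connection Secret, KMS ConfigMap, StorageClass) wired together, as an added example that is not taken from the Ceph-CSI project's own manifests. The object names, the `azure-kv` value of `KMS_PROVIDER`, the `AZURE_CERT_SECRET_NAME` key, the `config.json` layout and the `encrypted` parameter are assumptions; `<...>` values are placeholders.

```yaml
# Added example, not Ceph-CSI's own manifests. Object names, the "azure-kv"
# KMS_PROVIDER value, AZURE_CERT_SECRET_NAME and config.json layout are assumed.
---
# 1. Sensitive: client certificate with its unencrypted private key, as a Secret.
apiVersion: v1
kind: Secret
metadata:
  name: ceph-csi-azure-credentials
  namespace: ceph-csi
type: Opaque
stringData:
  AZURE_CLIENT_CERTIFICATE: |
    -----BEGIN CERTIFICATE-----
    <placeholder certificate PEM>
    -----END CERTIFICATE-----
    -----BEGIN PRIVATE KEY-----
    <placeholder private key PEM, not password protected>
    -----END PRIVATE KEY-----
---
# 2. Non-sensitive connection values in the KMS ConfigMap; the entry key
#    ("azure-kv-prod") is what encryptionKMSID in the StorageClass must match.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ceph-csi-encryption-kms-config
  namespace: ceph-csi
data:
  config.json: |-
    {
      "azure-kv-prod": {
        "KMS_PROVIDER": "azure-kv",
        "AZURE_CERT_SECRET_NAME": "ceph-csi-azure-credentials",
        "AZURE_VAULT_URL": "https://<vault-name>.vault.azure.net/",
        "AZURE_CLIENT_ID": "<service-principal-client-id>",
        "AZURE_TENANT_ID": "<tenant-id>"
      }
    }
---
# 3. StorageClass with encryption enabled and the matching encryptionKMSID.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: csi-rbd-sc-encrypted
provisioner: rbd.csi.ceph.com
parameters:
  clusterID: <ceph-cluster-id>
  pool: <rbd-pool>
  encrypted: "true"
  encryptionKMSID: azure-kv-prod
```

Only the certificate lives in the Secret; the vault URL, client ID and tenant ID stay in the ConfigMap, and a typo in `encryptionKMSID` that does not match a ConfigMap entry key means the volume cannot be provisioned.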