Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support. From a developer’s perspective, Key Vault APIs accept and return secret secret valentine gifts as strings. The Key Vault service doesn’t provide semantics for secrets. The identifier can be used to retrieve the secret at a later time.

For highly sensitive data, clients should consider extra layers of protection for data. Encrypting data using a separate protection key prior to storage in Key Vault is one example. Clients may specify the content type of a secret to help interpreting the secret data when it’s retrieved. The maximum length of this field is 255 characters. The suggested usage is as a hint for interpreting the secret data. For instance, an implementation may store both passwords and certificates as secrets, then use this field to differentiate.

Encryption All secrets in your Key Vault are stored encrypted. Key Vault encrypts secrets at rest with a hierarchy of encryption keys, with all keys in that hierarchy are protected by modules that are FIPS 140-2 compliant. This encryption is transparent, and requires no action from the user. The Azure Key Vault service encrypts your secrets when you add them, and decrypts them automatically when you read them. The encryption leaf key of the key hierarchy is unique to each key vault. China: root key is protected by a module that is validated for FIPS 140-2 Level 1.

Other regions: root key is protected by a module that is validated for FIPS 140-2 Level 2 or higher. SHOULD NOT be retrieved, except in particular situations. This field is for informational purposes only as it informs users of key vault service that a particular secret may not be used. This field is for informational purposes only. This attribute specifies whether the secret data can be retrieved.