A cryptographic key stored in an Azure Key Vault (software- or HSM-protected). These keys are used for encryption, decryption, signing, key wrapping, and as customer-managed encryption keys (CMK) protecting downstream services and data.
Key Vault keys are among the most sensitive assets in a cloud tenant: they underpin envelope encryption, disk/storage/database encryption, and code/token signing. Private key material is non-exportable via normal reads, so the headline risk varies sharply by operation (read vs. crypto-oracle vs. export).
Microsoft.KeyVault/Vaults/keys/unwrap/action
Unwraps (decrypts) a wrapped symmetric key, returning the cleartext data-encryption key (DEK) to the caller. Recovering this key material both exfiltrates cryptographic secrets and unlocks the downstream data the DEK protects.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Contributed by P0 Security