Prices from Azure Retail Prices API · UK South · GBP · Not affiliated with Microsoft

Azure Key Vault Pricing Guide UK 2026

Azure Key Vault pricing confuses engineers because it has three completely different billing models that can't be compared directly. Standard Key Vault charges per operation — and for most applications the answer is 'almost nothing', because the first 10,000 operations per month are free and typical web apps rarely exceed that. Premium Key Vault adds HSM-backed key storage at a higher per-key rate. Managed HSM is something else entirely: a dedicated hardware security module billed by the hour regardless of operations, costing over £2,700/month continuously. The most common mistake is treating Managed HSM as 'just a more secure version of Key Vault Premium' and deploying it for workloads that don't require dedicated HSM hardware.

Prices last verified: April 2026

Standard vs Premium vs Managed HSM — the three models explained

Azure Key Vault has three tiers that bill in fundamentally different ways. Understanding the distinction matters because choosing the wrong tier for a workload can mean a cost difference of several orders of magnitude.

Standard tier charges per operation against software-protected keys. The first 10,000 operations per month are free. A typical web app that reads secrets on startup — database connection strings, API keys, TLS certificates — will generate a few hundred operations per month and pay £0. Even a moderately busy application rarely exceeds the free tier.

Premium tier adds the ability to use HSM-backed key storage at a higher per-key monthly fee. Software-protected key operations in Premium are billed at the same rate as Standard. Premium is appropriate for workloads where regulatory compliance or audit requirements specify HSM key protection for encryption keys or signing keys — not for general secret management.

Managed HSM is a completely different product. It provisions dedicated HSM hardware in your region and bills by the hour regardless of how many operations you perform. There is no free tier, no off switch, and no pause state. The hardware is reserved for your tenant 24 hours a day from the moment it is provisioned. At UK South rates this costs approximately £2,700/month running continuously.

Operations billing: what counts as an operation, the free tier, when costs start

Every interaction with a key, secret, or certificate counts as one or more operations. A single call to get a secret value is one operation. Creating a new key version is one operation. Signing data with a key is one operation. The 10,000/month free tier is applied at the vault level, not the key level — the first 10,000 operations across all keys and secrets in the vault are free.

Standard operations are charged at £0.0226 per 10,000 operations beyond the free tier. Advanced key operations (RSA keys larger than 2048-bit, elliptic curve keys) are charged at £0.1132 per 10,000 operations and do not benefit from the free tier.

The billing trap that catches teams: caching secrets in application memory vs reading from Key Vault on every request. An application serving 100 requests per second that reads a secret from Key Vault on every request generates 8.6 million operations per month — 860 billable sets of 10,000, costing approximately £1.95/month. The same application reading secrets once on startup and caching them generates fewer than 10 operations per month and costs nothing. Secret caching is both cheaper and faster — the latency of a Key Vault get call (typically 5–20ms) adds up across high-traffic paths.

Key storage: software vs HSM-protected keys and when you need each

Standard Key Vault stores keys in software — they are protected by encryption at rest within Azure's infrastructure but do not use dedicated hardware. There is no per-key storage fee for software-protected keys in Standard tier.

Premium Key Vault adds HSM-backed key storage. An HSM-protected RSA 2048-bit key costs £0.755/key/month. Advanced HSM keys (RSA 3072/4096-bit, ECDSA) cost significantly more. These fees apply regardless of how frequently the key is used — the charge is for the key existing, not for operations against it.

HSM-backed keys are appropriate when a regulatory framework (PCI-DSS, FIPS 140-2 Level 2 or 3) mandates hardware protection for specific key types — typically signing keys or key encryption keys (KEKs). For most encryption-at-rest scenarios using platform-managed keys or customer-managed keys in Standard tier, software-protected keys are sufficient.

Managed HSM: what it provides, who actually needs it

Managed HSM provisions a dedicated FIPS 140-2 Level 3 HSM pool in your region. Unlike Premium Key Vault where the HSM hardware is shared across tenants (with cryptographic isolation), Managed HSM gives your tenant exclusive use of dedicated hardware. The hardware cannot be shared, paused, or scaled to zero — it bills at £3.66/hr from the moment it is activated.

At 744 hours per month (fully deployed): £3.66 × 744 = approximately £2,723/month. This is the floor — there is no usage-based discount and no way to reduce the bill by using it less.

Managed HSM is appropriate for a narrow set of requirements:

  • Regulatory mandates that specifically require single-tenant dedicated HSM hardware (not HSM-backed keys on shared hardware)
  • Bring-your-own-key (BYOK) scenarios where the key must never leave hardware under your exclusive control
  • High-assurance key management for regulated financial or government workloads

If your compliance requirement is satisfied by FIPS 140-2 Level 2 (which Premium Key Vault provides), Managed HSM is not necessary. The distinction between Level 2 (Premium Key Vault) and Level 3 (Managed HSM) is meaningful in specific regulated industries — verify your actual compliance requirement before incurring the Managed HSM cost.

Diagnostic logging: what Key Vault logs and how much volume to expect

Key Vault can send diagnostic logs to a Log Analytics workspace via Azure Monitor. The logs cover every vault operation: who accessed which secret or key, from which IP address, whether the operation succeeded, and which client application made the request.

Log volume depends heavily on operation count. A vault processing the free tier of 10,000 operations per month generates minimal log volume — well under 0.5 GB. A vault handling millions of operations per month (a high-traffic application reading secrets on every request without caching) can generate 2–5 GB/month of diagnostic logs. The Log Analytics ingestion cost for 5 GB/month at PAYG rates is approximately £12.55/month.

Key Vault logging is not a requirement for most workloads, but it becomes important when you need an audit trail — who accessed which secret and when. In regulated environments this is often mandatory. Use the Log Analytics calculator to estimate the ingestion cost for your expected log volume before enabling verbose audit logging.

Practical estimation: a web app example with real operation counts

A typical Azure-hosted web application reads secrets from Key Vault on application startup only, caches them in memory, and re-reads them only on restart or configuration refresh. This pattern generates:

  • 10 secrets read on startup: 10 operations
  • Health check probes verifying vault connectivity: ~30 operations/month
  • Occasional certificate reads: ~10 operations/month
  • Total: ~50 operations/month — well within the 10,000 free tier. Cost: £0.00.

The same application modified to read secrets on every request at 50 req/s:

  • 50 req/s × 60s × 60m × 24h × 30 days = 129.6 million operations/month
  • Billable: 129.6M − 10K ≈ 129.59M operations = 12,959 sets of 10,000
  • Total: 12,959 × £0.0226 = approximately £292/month

Caching secrets is not just a cost optimisation — it also removes Key Vault latency from the request path. The right pattern is to read secrets once and cache with a refresh interval of hours or days, not on every request.
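
The read-once-and-refresh pattern described above, as an added example (not code from AzureCalc.uk or Microsoft): a thread-safe TTL cache that counts the vault calls it makes, plus a constructed traffic simulation. `CachedSecrets`, `simulate`, the `db-conn` secret name and the in-memory dictionary standing in for the vault are all hypothetical.

```python
import threading
import time


class CachedSecrets:
    """TTL cache in front of a secret store; counts upstream calls made."""

    def __init__(self, fetch, ttl_seconds, clock=time.monotonic):
        # fetch: callable(name) -> value (assumed; e.g. wraps SecretClient.get_secret)
        self._fetch = fetch
        self._ttl = ttl_seconds
        self._clock = clock
        self._lock = threading.Lock()
        self._entries = {}      # name -> (value, expires_at)
        self.vault_calls = 0    # each attempt is one vault operation

    def get(self, name):
        # Lock held across the fetch: an expired entry costs one call, not one per thread.
        with self._lock:
            now = self._clock()
            entry = self._entries.get(name)
            if entry and now < entry[1]:
                return entry[0]
            self.vault_calls += 1
            try:
                value = self._fetch(name)
            except Exception:
                if entry:       # vault unreachable: keep serving the stale value
                    return entry[0]
                raise           # nothing cached yet: fail closed
            self._entries[name] = (value, now + self._ttl)
            return value

    def invalidate(self, name):
        """Drop an entry, e.g. when a downstream auth failure hints at rotation."""
        with self._lock:
            self._entries.pop(name, None)


def simulate(requests_per_second, seconds, ttl_seconds):
    """Vault calls made by constructed traffic that reads one secret per request."""
    now = [0.0]
    store = {"db-conn": "constructed-sample-value"}
    cache = CachedSecrets(store.__getitem__, ttl_seconds, clock=lambda: now[0])
    for second in range(seconds):
        now[0] = float(second)
        for _ in range(requests_per_second):
            cache.get("db-conn")
    return cache.vault_calls
```

For one hour of constructed traffic at 50 req/s, `simulate(50, 3600, 0)` makes 180,000 vault calls and `simulate(50, 3600, 900)` makes 4. The trade-off is that a rotated secret is only picked up after the TTL expires or after `invalidate` is called, so the TTL should not exceed the rotation overlap window.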

Key Vault Calculator

Use the Key Vault Calculator to estimate your costs. Select your tier, enter your monthly operation count, and see whether your workload falls within the free tier. For Managed HSM, the calculator shows the full monthly cost so you can evaluate the tier decision before provisioning.

Built and verified by an independent Azure engineer.
