You have a solution that runs in an Azure Virtual Machine (VM).
The solution encrypts sensitive files and saves file metadata information in an Azure SQL database.
You need to use Azure Key Vault to securely store the database connection string for this solution.
Which Key Vault object should you use?
You should use a secret to store the database connection string. You can use secrets to securely store tokens, passwords, API keys, database connection strings, and other secrets. You can control access to these secrets by using access policies.
You should not use a certificate to store the database connection string. Certificate objects are for generating or importing X.509 certificates used to encrypt Transport Layer Security (TLS) network communication. Azure Key Vault can generate a self-signed or Certificate Authority (CA) certificate. It also handles renewals.
You should not use a key or an HSM-protected key to store the database connection string. Key objects are for storing or generating software-protected and HSM-protected cryptographic keys. You can use HSM-protected keys in the Azure Key Vault Premium tier.