Last Updated: November 24, 2020

Azure Key Vault HSM BYOK

Introduction

To provide an additional level of security for data stored in Azure and to help meet or exceed regulatory compliance requirements, Azure Key Vault supports Bring Your Own Key (BYOK). With this method, you wrap a key generated by SvKMS with a Key Exchange Key (KEK) produced in Azure, export the resulting .byok file from SvKMS, and then import it into an Azure Key Vault.

This section describes the process used to create a key vault in Azure, generate encryption keys in SvKMS and Azure, wrap the SvKMS key with the key generated in Azure, and then import the byok file into Azure's Key Vault.

Prerequisites

Before integrating SvKMS and Azure, make sure the following tasks have been performed:

  • Download, initialize and configure SvKMS. Information regarding the installation and configuration of SvKMS can be found in the SvKMS Initialization and Activation section. When logging into SvKMS, use an account that has Administrator access.
  • Activate a Microsoft Azure account and create a storage account. Go to https://azure.microsoft.com/ for more information.

Workflow Summary

The steps for configuring SvKMS and Microsoft Azure include:

Azure
  • Create a Key Vault
  • Create an RSA Key in the Key Vault
  • Record key identifier information
  • Download RSA public key information (.pem file)
SvKMS
  • Create a Group
  • Create a User
  • Create a Key
  • Wrap SvKMS key with the public key
  • Export byok file
Azure
  • Import byok file into Key Vault

Azure Configuration

Create a Key Vault in Azure

Sign in to the Azure portal at https://portal.azure.com.

Select Key Vaults from the Azure Services options, or enter Key Vault in the Search field at the top of the Azure Portal page.

Click Add to open the Create key Vault page.

Provide the following details:

  • The Subscription type from the Subscription dropdown.
  • The Resource group. You can either select an existing group from the dropdown or click Create new to create a new group.
  • Enter a Key vault name. The name can only contain alphanumeric characters and dashes and cannot start with a number.
  • The Region the vault operates in.
  • Select Premium from the pricing tier dropdown. The Standard pricing tier does not include the Generate Key Encryption Key for importing HSM-protected keys option.

The recovery options are not required.

Click Review + create when you are ready to proceed. Once the request has passed validation, click Create. It can take a few moments for the vault creation process to complete.

Create an RSA Key in Azure Key Vault

Once the key vault has been created, the next step is to use it to generate a key.

Open the key vault and select Keys from the Settings options.

Click to open the Create Key page.

Select Generate Key Encryption Key for importing HSM-protected keys from the Options dropdown.

Enter a name for the key in the Name field. Ensure the name contains only alphanumeric characters and dashes.

The Key type is restricted to RSA keys only.

Select the RSA Key size.

Click Create to generate the key. It can take some time for the key creation process to complete. Once complete, the key appears in the Key Vault's key list.

Click on the key name then click the current version of the key to open additional key options.

Click Download public key to download a .pem file that contains the public component of the RSA key. This file is used by SvKMS to wrap the SvKMS generated key. The wrapped key can then be exported as a .byok file.

SvKMS Configuration

Create a Group in SvKMS

Log into SvKMS and select the Groups tab.

Use the Groups feature to create a new group. SvKMS best practice is to assign the user account associated with this integration to a group.

Click +Add Group to open the Add New Group dialog.

Enter the name of the key group in the Group ID field. This name should follow a naming convention to assist with the logical grouping of your keys.

Note: Group IDs cannot use uppercase letters.

Click Save. A message indicating that the new group was created appears in the top right corner of the page. When you have completed the group creation task, go to the Users tab to create the Key Access user account.

Create a User in SvKMS

The next step is to create a new user.

  1. Click the Users tab to advance to the Users page.

  2. Click Add User to open the Add New User dialog.

  3. Enter the information required in the Add New User dialog:

    Field name: Value/Description
    Username: Enter a user name that is unique among all user names on SvKMS.
    User Role: Check the Key Access User option. Administrators can view key metrics in the Dashboard and create additional users and groups. Key Access users can create and manage keys, but cannot create additional users or groups, nor can they modify existing user or group information. Key Access users can also be part of a group, while Administrators cannot.
    Display Name: Alternate name that can be used when SvKMS is integrated with other applications.
    Groups: Select a group or groups from the available group names. This option is only available with the Key Access user. In this case, select the new group created in the Create a Group section.
    Default Group: From the list of groups the user is associated with, you can select one to act as a default group. This is primarily used when integrating SvKMS as a Key Management Server (KMS). (optional) This option is available to both Administrator and Key Access users.
    Email: Enter the email address associated with this account. (optional)
    Authenticate via SSO: If the SAML feature has been enabled, select this option to use Single Sign-On (SSO) instead of a password to authenticate this user at login. If the SAML feature has not been enabled, this option is not available. See Corporate Sign-in for information regarding setting up the SAML feature.
    Authenticate via Client Cert: Select this option to generate or upload a certificate used to authenticate this user. You can download the certificate after the new user is created. See the Azure Key Vault HSM BYOK section for more information.
    Password: Enter a password for this user. The password must have a minimum length of 10 characters. SvKMS provides feedback relating to the strength of your password.
    Confirm Password: Re-enter your password.
    Enforce IP Whitelist: When enabled, only requests made from IP addresses contained in the whitelist are allowed.
    Account Disabled: Select this option to deny access to SvKMS through this account. See Revoke User (Disable) for additional information.
  4. Click Add User.

Create a Key

  1. Click +Add Key to open the Add or import new key dialog.

  2. Select Asymmetric, then an RSA key type from the Key Type dropdown.
  3. Provide a key name in the Key Name field. The key name can only contain lowercase letters. If a key name is not entered, the key name is displayed as [blank] in the keys list on the main Keys page. (optional)
  4. Provide a description of the key in the Key Description field. (optional)
  5. Keys can be owned by a group or by an individual user. Select the group the key is associated with from the Key Group dropdown. Alternatively, you can associate the key with an individual user by selecting a user from the Key Owner item in the Add Key dialog. If you have not created a group, you can still create a key, but only the option for the key to be owned by a user is available.
  6. Confirm the Activated option is selected. If the option is not selected, the key is created in a pre-active state and cannot be used to encrypt data until set to Active.
  7. Click Add Key when you are ready to create the key. A message appears indicating the key was successfully created, and the new key appears in the list on the main Keys page.

 

Once the key has been created in SvKMS, you can use the RSA key created in Azure to wrap this key, then export the resulting byok file and import it into the Azure Key Vault.

Export Key in SvKMS

  1. Log into SvKMS with a Key User account.
  2. From the Keys page, click on the name of the key you just created to open the key's information page.

  3. Click Export Key to open the Export Key dialog.

  4. Select Azure from the Type dropdown.
  5. Drag the .pem file downloaded from Azure into the Public Key field, or click Upload From File, navigate to the .pem file location and click Open.
  6. Enter the Key Identifier recorded from the Azure Key into the Key id field.
  7. Click Export to download the byok file to your file save location.
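
A pre-flight check for the two inputs used in steps 5 and 6 above, added here as an example (it is not SvKMS or Microsoft code): it confirms that the downloaded .pem holds an RSA public key of an expected size, computes a SHA-256 fingerprint of it, and checks the shape of the Key Identifier. The function names, the accepted sizes (2048/3072/4096), the public-cloud vault.azure.net suffix, the 32-hex-digit version and the .pem being a "PUBLIC KEY" (SubjectPublicKeyInfo) block are assumptions.

```python
import base64, hashlib, re, sys

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)
# Assumptions: public-cloud DNS suffix and a 32-hex-digit key version.
KID_RE = re.compile(r"https://([A-Za-z][A-Za-z0-9-]*)\.vault\.azure\.net"
                    r"/keys/([A-Za-z0-9-]+)/([0-9a-f]{32})")

def parse_key_identifier(kid):
    """Split an Azure key identifier into (vault, key_name, version)."""
    m = KID_RE.fullmatch(kid.strip())
    if not m:
        raise ValueError("expected https://<vault>.vault.azure.net/keys/<name>/<version>")
    return m.groups()

def _tlv(buf, pos, tag):
    """Read one DER element with the expected tag; return (value_start, value_end)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag {tag:#x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return pos, pos + length

def inspect_kek_pem(pem_text, allowed_bits=(2048, 3072, 4096)):
    """Return (modulus_bits, sha256_hex_of_DER); allowed_bits is an assumed policy."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.+?)-----END PUBLIC KEY-----", pem_text, re.S)
    if not m:
        raise ValueError("no PUBLIC KEY block found (wrong file, or a private key?)")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    spki, _ = _tlv(der, 0, 0x30)           # SubjectPublicKeyInfo SEQUENCE
    alg, alg_end = _tlv(der, spki, 0x30)   # AlgorithmIdentifier SEQUENCE
    oid, oid_end = _tlv(der, alg, 0x06)
    if der[oid:oid_end] != RSA_OID:
        raise ValueError("public key is not RSA")
    bitstr, _ = _tlv(der, alg_end, 0x03)   # BIT STRING holding RSAPublicKey
    rsa, _ = _tlv(der, bitstr + 1, 0x30)   # +1 skips the unused-bits octet
    n_start, n_end = _tlv(der, rsa, 0x02)  # first INTEGER is the modulus
    bits = int.from_bytes(der[n_start:n_end], "big").bit_length()
    if bits not in allowed_bits:
        raise ValueError(f"unexpected RSA modulus size: {bits} bits")
    return bits, hashlib.sha256(der).hexdigest()

if __name__ == "__main__":                 # usage: check_kek.py <kek.pem> <key identifier>
    vault, name, version = parse_key_identifier(sys.argv[2])
    bits, fp = inspect_kek_pem(open(sys.argv[1]).read())
    print(f"KEK {name} (version {version}) in vault {vault}: RSA-{bits}, sha256(DER)={fp}")
```

Run it where the .pem was downloaded and again where it is uploaded to SvKMS; the two fingerprints must match, otherwise the key would be wrapped to a different public key than the one Azure generated.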

Import byok into Key Vault

Once the byok file has been successfully created, it can be added to the Azure Key Vault.

  1. Select Key Vaults from the Azure Services options, or enter Key Vault in the Search field at the top of the Azure Portal page.
  2. Select the key vault you created earlier.
  3. Open the key vault and select Keys from the Settings options.
  4. Click to open the Create Key page.
  5. Select Import from the Options dropdown.
  6. Click in the File Upload field, navigate to the byok file location, select the file and click Open.
  7. Enter a name for the key in the Name field. Ensure the name contains only alphanumeric characters and dashes.
  8. Click Create.

When successful, the imported .byok file appears in the Key Vault list.

Microsoft FastTrack Portal

Once the imported .byok file is successfully stored in the Azure Key Vault, you must submit an offer in the Microsoft FastTrack portal to activate it as a Customer Key. Microsoft verifies the Azure Key Vault configuration data and contact information you provide.

For instructions regarding submitting a request in the FastTrack portal, go to submitting a request to activate a customer key.

Visit https://fasttrack.microsoft.com/ for more information.