# Configure Azure Key Vault as Bring Your Own Key Provider

{% hint style="info" %}
Watch the video tutorial [here](#video-tutorial)
{% endhint %}

### Prerequisites

* **Azure Administrative Access:**\
  Confirm that you have administrative access to Microsoft Azure and that the Azure CLI is installed on your system.
* **FenixPyre Portal Administrative Access:**\
  Verify that you have administrative access to the FenixPyre portal to configure encryption key provider settings.

***

### Steps to Set Up Azure Key Vault Managed HSM for FenixPyre

{% stepper %}
{% step %}

#### **Create an Azure Key Vault Managed HSM**

Azure Key Vault Managed HSM (Hardware Security Module) is a fully managed, single-tenant, highly available, and standards-compliant cloud service that safeguards cryptographic keys using FIPS 140-2 Level 3 validated HSMs.

1. Navigate to the Home page on the Azure portal.
2. Select **Azure Key Vault Managed HSMs** from the menu.
3. Click on **Create** to start setting up your HSM.

<figure><img src="/files/8lHgyLOPC4THvCxj9XsG" alt=""><figcaption></figcaption></figure>

4. Choose the ideal region for your organization, such as **East US**.\
   Assign a descriptive name to your HSM. Under **Subscription**, select **Pay As You Go**.

<figure><img src="/files/sHX3L0a4s0N0jzHIRRRS" alt=""><figcaption></figcaption></figure>

5. Assign an administrator to manage the HSM.
6. Click **Create** to complete the setup process.
7. Verify that the provisioning status shows **Succeeded**, indicating the HSM was created successfully.

{% hint style="info" %}
**Important Note:** Consider selecting **Disable purge protection** if you want to keep the option of purging the HSM during its retention period.
{% endhint %}
{% endstep %}

{% step %}
**Activate Azure Key Vault Managed HSM**

Before using the HSM, activation is required. During activation, data plane commands (e.g., creating keys or assigning roles) are disabled. Only administrators assigned during HSM creation can perform activation.

**Generate RSA Key-Pairs:**

* You need between three and ten RSA key pairs. The minimum number of these keys required to decrypt the security domain is called the quorum.

**Generate RSA Key-Pairs Using OpenSSL:** Run the following commands to create three RSA key pairs, each with a self-signed certificate:

```bash
# The .cer files hold the public keys that wrap the security domain; the .key files
# are the private halves needed to restore it. Each command prompts for the
# certificate subject fields. The files go into ./certs, which the next step reads.
mkdir -p certs
openssl req -newkey rsa:2048 -nodes -keyout certs/cert_0.key -x509 -days 365 -out certs/cert_0.cer
openssl req -newkey rsa:2048 -nodes -keyout certs/cert_1.key -x509 -days 365 -out certs/cert_1.cer
openssl req -newkey rsa:2048 -nodes -keyout certs/cert_2.key -x509 -days 365 -out certs/cert_2.cer
```

**Download the Security Domain:** Use the RSA public keys to download the security domain:

```bash
# Wrap the security domain with the three public keys; any 2 of the 3 matching
# private keys (--sd-quorum 2) will be needed to restore it later.
az keyvault security-domain download \
  --hsm-name ContosoMHSM \
  --sd-wrapping-keys ./certs/cert_0.cer ./certs/cert_1.cer ./certs/cert_2.cer \
  --sd-quorum 2 \
  --security-domain-file ContosoMHSM-SD.json
```

**Complete Activation:**

* Once the command executes successfully, your HSM will activate.
* Allow a few minutes for activation to complete.

**Important:** Store the RSA key pairs and the security domain file securely for future use, such as disaster recovery or setting up another HSM sharing the same security domain.
{% endstep %}

{% step %}
**Register an Application in Azure for FenixPyre**

1. **Log in to the Azure Portal:** Access the Azure portal and sign in.
2. **Navigate to Microsoft Entra ID:** Select **Microsoft Entra ID** from the menu.
3. **Open App Registrations:** Click **+ Add** and then select **App Registration.**

<figure><img src="/files/FtKoxoSiUpaCEw12UziW" alt=""><figcaption></figcaption></figure>

4. **Register a New App:** Provide a name for your app and click **Create** to register it.

<figure><img src="/files/hiJHPZciVrDZawb1f7ot" alt=""><figcaption></figcaption></figure>

5. **Create a Client Secret:**
   * In the app settings, navigate to **Certificates & Secrets**.
   * Click **+ New Client Secret**, provide a description, and click **Add**.
   * Copy and store the client secret securely as it will only be shown once.

<figure><img src="/files/pkxRdTsZG2UfapHy6IjE" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}
**Configure Role-Based Access Control (RBAC) for Azure Key Vault Managed HSM**

1. **Access Managed HSM:** In the Azure portal, open the HSM you created.
2. **Open the RBAC Tab:** Select the **RBAC** tab.

<figure><img src="/files/6twZWQSzOSLvjdF4MpWd" alt=""><figcaption></figcaption></figure>

3. **Create Local RBAC:** Click the **+** icon to create a new role assignment. Select **Managed HSM Crypto User** under **Roles** and **All keys** under **Scope**.

<figure><img src="/files/CeorlznSVJupASZgu9S6" alt=""><figcaption></figcaption></figure>

4. **Select Security Principal:** Click **Select Security Principal** and choose **Enterprise Applications**. Then, select your previously registered app.
5. **Finalize RBAC Setup:** Complete the role assignment process to grant the appropriate permissions to the app.
{% endstep %}

{% step %}
**Finalize the Encryption Key Provider Setup in FenixPyre**

1. **Assign a Vault Name:** In the FenixPyre portal, provide a unique and descriptive name for your vault.

<figure><img src="/files/VeLM28MtM7qIT1DmNmyc" alt=""><figcaption></figcaption></figure>

2. **Copy HSM URI:** Copy the HSM URI from the Azure HSM overview page.

<figure><img src="/files/ulvzZWVanM9HE5ca34cP" alt=""><figcaption></figcaption></figure>

3. **Copy Client ID and Tenant ID:** Retrieve the **Client ID** and **Tenant ID** from your registered app.

<figure><img src="/files/YF9bBFvDJz4gEClOLSP7" alt=""><figcaption></figcaption></figure>

4. **Use Client Secret:** Use the client secret you copied earlier.
5. **Verify and Finalize Setup in FenixPyre:** In the FenixPyre dashboard, paste the HSM URI, Client ID, Tenant ID, and Client Secret. Click **Verify**, then **Create** to finalize the setup.
{% endstep %}
{% endstepper %}

By following these steps, you will have successfully set up and integrated Azure Key Vault Managed HSM with FenixPyre.
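The Azure side of steps 1 to 4, as an added Azure CLI example rather than a command sequence from this page or from FenixPyre: it creates the Managed HSM, generates the wrapping key pairs, downloads the security domain (which activates the HSM), registers the application with a client secret, and grants that principal **Managed HSM Crypto User** on all keys. The resource group, region, app display name, certificate directory and the `validate_quorum` and `wrapping_key_args` helpers are assumptions of this example; `ContosoMHSM` is the same example HSM name used above. It assumes an existing `az login` session and only touches Azure when run with `--run`.

```bash
#!/usr/bin/env bash
# Added example, not FenixPyre's or Microsoft's code: steps 1-4 of the walkthrough
# done with the Azure CLI. Names below are assumed placeholders; override via env.
set -euo pipefail

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-fenixpyre-byok}"   # assumed
LOCATION="${LOCATION:-eastus}"                          # the page suggests East US
HSM_NAME="${HSM_NAME:-ContosoMHSM}"                     # example name used on the page
APP_NAME="${APP_NAME:-fenixpyre-byok}"                  # assumed app display name
CERT_DIR="${CERT_DIR:-./certs}"
KEY_COUNT="${KEY_COUNT:-3}"                             # 3..10 wrapping key pairs
QUORUM="${QUORUM:-2}"                                   # keys needed to recover the domain

# Managed HSM accepts 3 to 10 security-domain wrapping keys; the quorum must be
# at least 2 and no larger than the key count. Fail early, before any Azure call.
validate_quorum() {
  local keys="$1" quorum="$2"
  [ "$keys" -ge 3 ] && [ "$keys" -le 10 ] || return 1
  [ "$quorum" -ge 2 ] && [ "$quorum" -le "$keys" ] || return 1
}

# Space-separated list of wrapping certificates in the form az expects.
wrapping_key_args() {
  local dir="$1" count="$2" i=0 out=""
  while [ "$i" -lt "$count" ]; do
    out="$out $dir/cert_$i.cer"
    i=$((i + 1))
  done
  printf '%s' "${out# }"
}

# Step 2 key pairs: the same openssl invocation as the page, made non-interactive
# with -subj. The .key files are the private halves; keep them offline afterwards.
generate_wrapping_keys() {
  mkdir -p "$CERT_DIR"
  local i=0
  while [ "$i" -lt "$KEY_COUNT" ]; do
    openssl req -newkey rsa:2048 -nodes -x509 -days 365 \
      -subj "/CN=$HSM_NAME-sd-wrapping-$i" \
      -keyout "$CERT_DIR/cert_$i.key" -out "$CERT_DIR/cert_$i.cer"
    chmod 600 "$CERT_DIR/cert_$i.key"
    i=$((i + 1))
  done
}

byok_setup() {
  validate_quorum "$KEY_COUNT" "$QUORUM" || { echo "key count/quorum out of range" >&2; return 1; }
  local admin app_id sp_id secret tenant
  admin="$(az ad signed-in-user show --query id -o tsv)"

  # Step 1: the HSM, with the signed-in user as the initial administrator.
  az group create --name "$RESOURCE_GROUP" --location "$LOCATION" -o none
  az keyvault create --hsm-name "$HSM_NAME" --resource-group "$RESOURCE_GROUP" \
    --location "$LOCATION" --administrators "$admin" --retention-days 7 -o none

  # Step 2: wrapping keys, then the security-domain download that activates the HSM.
  generate_wrapping_keys
  # shellcheck disable=SC2046  # word splitting of the certificate list is intended
  az keyvault security-domain download --hsm-name "$HSM_NAME" \
    --sd-wrapping-keys $(wrapping_key_args "$CERT_DIR" "$KEY_COUNT") \
    --sd-quorum "$QUORUM" --security-domain-file "$HSM_NAME-SD.json"

  # Step 3: app registration, its service principal and a client secret.
  app_id="$(az ad app create --display-name "$APP_NAME" --query appId -o tsv)"
  sp_id="$(az ad sp create --id "$app_id" --query id -o tsv)"
  secret="$(az ad app credential reset --id "$app_id" --query password -o tsv)"
  tenant="$(az account show --query tenantId -o tsv)"

  # Step 4: local RBAC, Managed HSM Crypto User on all keys, for that principal only.
  az keyvault role assignment create --hsm-name "$HSM_NAME" \
    --role "Managed HSM Crypto User" --assignee "$sp_id" --scope /keys -o none

  # The four values the FenixPyre portal asks for in the final step.
  echo "HSM URI:       https://$HSM_NAME.managedhsm.azure.net/"
  echo "Client ID:     $app_id"
  echo "Tenant ID:     $tenant"
  echo "Client secret: $secret   (shown once, like the portal; store it securely)"
}

# Only touch Azure when explicitly asked; sourcing or running without --run is safe.
if [ "${1:-}" = "--run" ]; then
  byok_setup
fi
```

Run it as `./byok-azure.sh --run` after `az login`; the role assignment is scoped to `/keys` and to the new service principal only, which matches the **All keys** scope chosen in the portal and keeps the FenixPyre identity out of the HSM's administrator role.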

## Video Tutorial

{% embed url="https://www.loom.com/embed/06fd5035a2fd444eb67f73491d0df7ae?sid=77c2139f-67b9-4757-8c40-f1428bc97ef7" %}
