search
SupportDashboard

Configure Azure Key Vault as Bring Your Own Key Provider

circle-info

Watch the video tutorial here

hashtag
Prerequisites

  • Azure Administrative Access: Confirm that you have administrative access to Microsoft Azure and that the Azure CLI is installed on your system.

  • FenixPyre Portal Administrative Access: Verify that you have administrative access to the FenixPyre portal to configure encryption key provider settings.

hashtag
Steps to Set Up Azure Key Vault Managed HSM for FenixPyre

1

hashtag
Create an Azure Key Vault Managed HSM

Azure Key Vault Managed HSM (Hardware Security Module) is a fully managed, single-tenant, highly available, and standards-compliant cloud service that safeguards cryptographic keys using FIPS 140-2 Level 3 validated HSMs.

  1. Navigate to the Home page on the Azure portal.

  2. Select Azure Key Vault Managed HSMs from the menu.

  3. Click on Create to start setting up your HSM.

  1. Choose the ideal region for your organization, such as East US. Assign a descriptive name to your HSM. Under Subscription, select Pay As You Go.

  1. Assign an administrator to manage the HSM.

  2. Click Create to complete the setup process.

  3. Verify that the provisioning status shows Succeeded, indicating the HSM was created successfully.

circle-info

Important Note: Consider selecting Disable purge protection for flexibility during the retention period.

2

Activate Azure Key Vault Managed HSM

Before using the HSM, activation is required. During activation, data plane commands (e.g., creating keys or assigning roles) are disabled. Only administrators assigned during HSM creation can perform activation.

Generate RSA Key-Pairs:

  • You need to generate at least three (up to ten) RSA key-pairs. The minimum number required to decrypt the security domain is known as a quorum.

Generate RSA Key-Pairs Using OpenSSL: Run the following commands to create three self-signed certificates:

openssl req -newkey rsa:2048 -nodes -keyout cert_0.key -x509 -days 365 -out cert_0.cer
openssl req -newkey rsa:2048 -nodes -keyout cert_1.key -x509 -days 365 -out cert_1.cer
openssl req -newkey rsa:2048 -nodes -keyout cert_2.key -x509 -days 365 -out cert_2.cer

Download the Security Domain: Use the RSA public keys to download the security domain:

az keyvault security-domain download --hsm-name ContosoMHSM --sd-wrapping-keys ./certs/cert_0.cer ./certs/cert_1.cer ./certs/cert_2.cer --sd-quorum 2 --security-domain-file ContosoMHSM-SD.json

Complete Activation:

  • Once the command executes successfully, your HSM will activate.

  • Allow a few minutes for activation to complete.

Important: Store the RSA key pairs and the security domain file securely for future use, such as disaster recovery or setting up another HSM sharing the same security domain.

3

Register an Application in Azure for FenixPyre

  1. Log in to the Azure Portal: Access the Azure portal and sign in.

  2. Navigate to Microsoft Entra ID: Select Microsoft Entra ID from the menu.

  3. Open App Registrations: Click + Add and then select App Registration.

  1. Register a New App: Provide a name for your app and click Create to register it.

  1. Create a client secret

    • In the app settings, navigate to Certificates & Secrets.

    • Click + New Client Secret, provide a description, and click Add.

    • Copy and store the client secret securely as it will only be shown once.

4

Configure Role-Based Access Control (RBAC) for Azure Key Vault Managed HSM

  1. Access Managed HSM: In the Azure portal, open the HSM you created.

  2. Open the RBAC Tab: Select the RBAC tab.

  1. Create Local RBAC: Click the + icon to create a new role assignment. Select Managed HSM Crypto User under Roles and All keys under Scope.

  1. Select Security Principal: Click Select Security Principal and choose Enterprise Applications. Then, select your previously registered app.

  2. Finalize RBAC Setup: Complete the role assignment process to grant the appropriate permissions to the app.

5

Finalize the Encryption Key Provider Setup in FenixPyre

  1. Assign a Vault Name: In the FenixPyre portal, provide a unique and descriptive name for your vault.

  1. Copy HSM URI: Copy the HSM URI from the Azure HSM overview page.

  1. Copy Client ID and Tenant ID: Retrieve the Client ID and Tenant ID from your registered app.

  1. Use Client Secret: Use the client secret you copied earlier.

  2. Verify and Finalize Setup in FenixPyre: In the FenixPyre dashboard, paste the HSM URI, Client ID, Tenant ID, and Client Secret. Click Verify, then Create to finalize the setup.

By following these steps, you will have successfully set up and integrated Azure Key Vault Managed HSM with FenixPyre.

hashtag
Video Tutorial

PreviousSetup Bring Your Own Master Encryption Key (BYOMEK) with AzureNextCreate a Master Encryption Key and Store in Azure Key Vault

Last updated

Was this helpful?