1.0 Introduction
Welcome to the Fortanix-Data-Security-Manager (DSM) Azure Key Vault (AKV) Bring Your Own Key (BYOK) User Guide. This article describes how to perform BYOK lifecycle management in AKV using Fortanix DSM.
The Fortanix solution for AKV offers complete BYOK, as explained in this article, as well as Cloud Native Key Management Service (CNKMS) with complete lifecycle management for automation.
2.0 Getting Started with Fortanix Cloud Data Control
To understand which solution between CNKMS, BYOK, Bring Your Own KMS (AWS XKS) or Bring Your Own Encryption (BYOE) is right for you, refer to the Fortanix DSM - Cloud Data Control - Getting Started.
3.0 Azure Key Vault Group Setup and Cloud Native Key Management
For details on how to set up an Azure-backed group in Fortanix DSM, refer to the Fortanix DSM - Azure Key Vault Setup.
For details on how to perform native key lifecycle management in Azure Key Vault using Fortanix DSM, refer to the Fortanix DSM - Azure Key Vault Cloud Native Key Management.
4.0 Fortanix Azure BYOK Workflows Overview
Generate key: Navigate to a source key in Fortanix DSM and copy the key into an Azure CDC group to create a linked key and a BYOK key in Azure Key Vault.
Rotate source key: Rotate the source key that was originally generated in "Fortanix DSM" and click “rotate linked/copied keys”.
Disable/Enable: Navigate to the detailed view of the key in the Azure CDC group and disable or enable it from Fortanix DSM.
Soft delete a key: Navigate to the detailed view of an Azure virtual key and in the AZURE KEY DETAILS tab click the link SOFT DELETE KEY.
5.0 Fortanix DSM Azure KMS Security Objects
You can generate a key in a configured Azure KMS (Software-backed or HSM-backed Key Vault).
5.1 Bring Your Own Key - Copy Key to Azure Key Vault
Use this option when you want to create a key in Fortanix DSM and then import it into the configured Azure Key Vault. The Copy Key to Azure feature allows you to transfer a security object from one Fortanix DSM group to another, including to an Azure CDC Fortanix DSM group.
This feature has the following advantages:
Maintains a single source of key material while using/importing that key into various Fortanix DSM groups where applications may need to use a single key to meet business objectives.
Maintains a link of various copies of the same key material to the source key for ability to name, and rotate keys everywhere all at once, as well as audit and tracking purposes.
The following action happens during copy key operation:
A new key will be created in the target group: The new key will have the same key material as the original.
The source key links to the copied keys: There will be a link maintained from all copied keys to the source key.
The source key will also have basic metadata-based information about the linked keys such as:
Copied by <user-name/app id>
Date of Copy <time stamp>
Target copy group name
NOTE
The name of the copied key is suggested automatically to you as
[original key name]_[copy1,2,...], but you can replace it with an alternative unique name, if required.
Perform the following steps to copy a key from a regular Fortanix DSM group to an Azure CDC group:
Generate an RSA or EC key in Fortanix DSM, if the key is not already present. To create the key, refer to the Generate Security Objects.
Go to the detailed view of the key and click the COPY KEY button available on the top right of the screen.
NOTE
The allowed key types for an Azure key generated using the copy key workflow are:
Standard key vault:
RSA key pairs (RSA_2048, RSA_3072, and RSA_4096).
Elliptic curve key pairs (ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, and ECC_SECG_P256K1).
Premium key vault:
RSA key pairs (RSA_2048, RSA_3072, and RSA_4096).
Elliptic curve key pairs (ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, and ECC_SECG_P256K1).
The RSA and EC key to be copied must have the “Export” permission enabled or the copy key operation will fail.
The COPY KEY button will be disabled for all the Azure KMS Virtual-Keys.
In the COPY KEY window, do the following:
Hover on the name of the key and use the edit
icon to update the name of the key, if required.Click the Import key to HSM/External KMS check box to filter the groups to show only HSM/AWS KMS/Azure KMS groups. Select the Azure CDC group for the new key into which the copied key should be imported.
In the Create key as section,
Select Software protected or Hardware protected radio button, if the key vault associated with the Azure CDC group is a Premium key vault.
For the Standard key vault, the key is created as software-protected by default.
Enter the required Azure key name.
NOTE
If the Azure key name already exists in the Azure Key Vault, then the old key will get rotated automatically.
Update the Key operated permitted if you want to modify the permissions of the key.
NOTE
Only the permissions that are already present in the source key can be modified. If some permissions are missing on the source key, they cannot be added to the copied key.
Click the CREATE COPY button to create a copy of the key.
The source key will now appear as a key link in the KEY LINKS tab in the detailed view of the copied key.
NOTE
If you want to maintain a copy of the key material in Fortanix DSM, then you can import a regular RSA/EC key into Fortanix DSM using the “import key” workflow and then copy this key into Azure Key Vault using the “copy key” workflow.
The audit logs for a copied key in the Azure-backed group will display detailed entries, including the wrapping key type, key size, and wrapping mechanism, provided that audit logging is enabled for the source key.
5.2 Bring Your Own Key - Import Key
This action imports the key into the software or HSM-backed Azure Key Vault, creating a virtual key in the corresponding Azure CDC group. The virtual key in the Azure CDC group points to the actual key in the Azure Key Vault but only stores key information and attributes, not the key material. The import action does not store the copy of the key material in Fortanix DSM.
Perform the following steps to import a key in Fortanix DSM:
Navigate to the Security Objects menu item in the DSM left navigation bar and click the + button on the Security Objects page to create a new key.
On the Add New Security Object form, do the following:
Enter a name for the Security Object (Key).
Select the This is an HSM/external KMS object check box to filter the groups to show only HSM/AWS KMS/Azure KMS groups in the Select group list.
In the Azure group list, select the Azure CDC group into which the keys will be imported. The keys will be imported into the region that was selected in the Azure CDC group.
Select the IMPORT radio button to initiate the import key in Azure workflow.
In the Create key as section,
Select Software protected keys or Hardware protected keys radio button, if the key vault associated with the Azure CDC group is a Premium key vault.
For the Standard key vault, the key is created as software-protected by default.
Enter the required Azure key name.
In the Choose a type section, select the key type for the new Azure KMS key.
NOTE
The allowed key type for an Azure key generated using the Import Key workflow are.
Standard key vault:
RSA key pairs ( RSA_2048, RSA_3072, and RSA_4096).
Elliptic curve key pairs (ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, and ECC_SECG_P256K1).
Premium key vault:
RSA key pairs ( RSA_2048, RSA_3072, and RSA_4096).
Elliptic curve key pairs (ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, and ECC_SECG_P256K1).
The RSA and EC key to be copied must have the “Export” permission enabled or the copy key operation will fail.
Sometimes keys of type RSA that need to be imported from a file were previously wrapped (encrypted) by a key from Fortanix DSM. This is done so that the key should not go over the TLS in plain text format. In such scenarios select The key has been encrypted check box.
In the Select Key Encryption Key section, enter or select a Key ID or security object name that will be used to unwrap (decrypt) the encrypted key in the file which will later be stored securely in Fortanix DSM. This key should have already been created or imported into Fortanix DSM.
In the Place value here or import from file section, select the value format type as Hex, Base64, or Raw and click the UPLOAD A FILE button to upload the key file.
Select the permitted key operations and any key tags if required using ADD TAG.
Enter the key Expiration Date and key Activation Date.
Click the IMPORT button to import the key.
The security key is successfully imported.
NOTE
When a new key is created in the Azure Key Vault from Fortanix DSM, a backup blob for the key (along with its key versions) will be downloaded from Azure and saved into Fortanix DSM when a SYNC is performed on the group.
5.3 Sync Keys
Perform the following steps to edit the Azure Key Vault connection details:
Go to the Azure KMS group detailed view.
Click the HSM/KMS tab.
Click the SYNC KEYS button to import the new virtual keys.
Fortanix DSM will then connect to Azure Key Vault, fetch all available keys, and store them as virtual keys.
NOTE
When keys are synced with Azure Key Vault, an encrypted backup of the newly discovered keys from the Key Vault is escrowed into Fortanix DSM. In the event of a key being purged from the Key Vault, this escrow can be used to restore the key. The actual key material for those keys is always stored in Azure Key Vault.
Clicking SYNC KEYS only returns the keys from Azure Key Vault that are not present in Fortanix DSM. That is, every click will append only new keys to Fortanix DSM.
The time taken to sync keys from the Azure Key Vault to Fortanix DSM is a function of the number of keys in the Azure Key Vault and the network latency between the Azure location and Fortanix DSM. It can take several minutes if there are hundreds of keys and there is significant network latency.
5.4 Attributes/Tags Tab
This tab contains all the attributes and tags of the Azure key. A tag serves as an optional metadata label that you can assign to an Azure resource. You can add new tags using the NEW TAG button and add custom attributes by using the ADD CUSTOM ATTRIBUTE button. These are user-defined security object attributes that can be added to the security object’s metadata.
5.5 Azure Key Details
This tab displays details of the Azure key properties such as Resource ID and Key version number.
The AZURE KEY DETAILS tab also contains SOFT DELETE KEY option, which is explained in Section 5.8: Soft-delete a Key in Azure Key Vault.
5.6 Security Objects Table View
After adding new Azure keys, navigate to the Security Objects menu item to view all the security objects from all the groups (Regular Azure and HSM/External KMS).
In the table, you will notice that every key belongs to a group and some keys which are virtual keys added from an Azure Key Vault, belongs to a group with a special symbol 
. The table shows all keys, whether they belong to an Azure CDC group or not.
5.7 Deactivate a Key in Azure CDC Group
When you deactivate an Azure key in Fortanix DSM, it deactivates the virtual key in Fortanix DSM and disables the actual key in the Azure Key Vault KMS.
Perform the following steps to deactivate a key:
Select the Azure key that you want to deactivate.
In the detailed view of the key, scroll down and click the DEACTIVATE button.
5.8 Soft-delete a Key in Azure Key Vault
Soft-delete removes a key from Azure Key Vault, which was already scanned in the Azure CDC Group in Fortanix DSM, with an option to recover it.
When you click SYNC KEYS in Fortanix DSM:
The status of the key in the Azure CDC group changes to soft-deleted in Azure.
The key can only be recovered for a retention period set in the key vault.
If you want to recover this key, both the virtual key in Fortanix DSM and the actual key in Azure Key Vault become active again.
If you do not want to recover the key within the retention period, the Azure key vault will automatically purge and permanently delete.
Perform the following steps to delete a key from Azure Key Vault:
Navigate to the detailed view of an Azure virtual key and click the AZURE KEY DETAILS tab.
Click the link SOFT DELETE KEY button.
In the Soft Key Deletion in Azure key vault window, select the confirmation “I understand that the key is not usable for Sign/Verify, Wrap/Unwrap or Encrypt/Decrypt operations once it is deleted” checkbox.
Click the SOFT DELETE KEY button to confirm the key for deletion.
You can recover the deleted key any time before the retention period ends using the RECOVER DELETED KEY link on the top of the screen in the detailed view of the virtual key. When the “Recover Key“ link is clicked, the key will be recovered back in Azure Key Vault with all its versions.
NOTE
When the retention period ends, the key gets purged and deleted permanently. However, even if the key is purged in Azure Key Vault, if the key was imported from Fortanix DSM, then the same key material can be re-imported into Azure Key Vault from the backup blob.
In the Azure Key Vault, when a key is deleted, all its versions get deleted along with it and when restored, all its versions are restored together.
5.9 Delete a Key in Azure CDC Group
The DELETE KEY button will be enabled when the key material has been purged in Azure. When you click DELETE KEY, Fortanix DSM will remove the key backup blob, and hence the key cannot be restored.
Perform the following steps to delete a virtual key:
Select the Azure key that you want to delete.
In the detailed view of the key, scroll down and click the DELETE KEY button.
6.0 Rotate a Key In Azure CDC Group
The following section explains the key rotation in the Azure CDC group. A key is rotated when you want to retire an encryption key and replace that old key by generating a new cryptographic key.
6.1 Rotating Keys in Fortanix DSM Source Group
Prerequisites: Create a regular Fortanix DSM group with source keys copied to the Azure CDC group.
When a key is rotated that belongs to a Fortanix DSM source group and has linked keys that are copies of the Fortanix DSM source key with the same key material as the source key, then you are given the option to select the linked keys for the key rotation. If these linked keys are part of an Azure CDC group, rotating the linked keys also rotates the keys in Azure Key Vault by making nested copies of the keys in the configured Azure Key Vault.
WARNING
If the new rotated key in Azure CDC group is soft-deleted, then after performing a sync keys operation, the older version of the Azure key transitions to destroyed state. It is recommended to not permanently delete this destroyed key as it may break its link with the original key and cause issues.
Perform the following steps to rotate a key in Azure Key Vault:
Navigate to the Security Objects menu item in the DSM left navigation bar to go to the detailed view of a Fortanix DSM Source Key and click the ROTATE KEY button.
In the KEY ROTATION window, select the Rotate linked keys check box.
For more information on the key rotation policy, refer to the User's Guide: Fortanix Data Security Manager Key Lifecycle Management.Select the Azure Virtual Keys to rotate with the Fortanix DSM source key and click the ROTATE KEY button.
On the Rotate key window, select both the check boxes to confirm your understanding about the action. Click the PROCEED button.
After the keys are rotated, click the OK button.
You can schedule a key rotation policy for the Fortanix DSM source key to automatically and periodically rotate linked Azure keys that are copies of the source key.
Perform the following steps to schedule a key rotation policy for the source key:
Navigate to the Security Objects menu item in the DSM left navigation bar to go to the detailed view of a Fortanix DSM Source Key.
In the detailed view, click the KEY ROTATION tab and click the ADD POLICY button.
Enter the key rotation schedule by specifying the rotation frequency, start date, and time.
To deactivate the old key after key rotation, select the Deactivate original key after the rotation check box.
Click the SAVE POLICY button to save the policy.
On the next screen, select both the check boxes to confirm your understanding about the action. Click the PROCEED button.
For more information on the key rotation policy, refer to the User's Guide: Fortanix Data Security Manager Key Lifecycle Management.
6.2 Rotate Azure Native Key to Fortanix DSM Owned Key
When an Azure KMS virtual key whose key material is owned by Azure KMS is rotated, you are given an option to rotate the virtual key with a Fortanix DSM-backed key. When you select this option and perform the rotation, a new virtual key is created, with the corresponding key in Azure KMS, which has the key material of the Fortanix DSM-backed key. As a result, the Azure KMS virtual key is backed by a Fortanix DSM source key and becomes a BYOK key. This scenario is used when you want to convert your Azure native keys to BYOK keys.
Perform the following steps to rotate a virtual key with Fortanix DSM backed key:
Navigate to the Security Objects menu item in the DSM left navigation bar to go to the detailed view of an Azure virtual key and click the ROTATE KEY button.
In the Key Rotation window, the Generate new key radio button is selected by default.
Select the Rotate to DSM key check box.
Select the Fortanix DSM group that contains the source key and then select the required source key from the respective drop down menus.
Click the ROTATE KEY button.
On the next screen, select both the check boxes to confirm your understanding about the action. Click the PROCEED button.
The virtual key has been rotated and is now backed by the source key. To confirm, go to the detailed view of the newly rotated Azure virtual key and click the AZURE KEY DETAILS tab. You will notice that the SOURCE field now shows FortanixHSM instead of External.
in Fortanix DSM.