1.0 Introduction
Welcome to the Fortanix-Data-Security-Manager (DSM) Azure Key Vault (AKV) Key Management Service (KMS) User Guide. This article describes how to set up a Cloud Data Control (CDC) Group for Azure Key Vault using Fortanix DSM.
The Fortanix solution for AKV KMS offers complete Bring Your Own Key (BYOK) and lifecycle management and automation of Azure keys and allows users to manage all keys centrally and securely.
This article will walk you through setting up an Azure CDC group that will be used for both CNKMS and BYOK workflows.
1.1 Types of Azure BYOK Flows
Fortanix DSM key BYOK into Standard Tier Azure Key Vault (Software-protected: FIPS 140-2 Level 1compliance)
Fortanix DSM Key BYOK into Premium Tier Azure Key Vault (HSM-protected: FIPS 140-2 Level 2 compliance)
Fortanix DSM key BYOK from Fortanix DSM as HSM into Azure Key Vault HSM using custom Key wrapping inside Fortanix DSM
Fortanix BYOK into Azure Managed HSM (HSM-protected: Azure FIPS 140-2 Level 3 compliance).
2.0 Getting Started with Fortanix Cloud Data Control
To understand which solution between CNKMS, Bring Your Own Key (BYOK), Bring Your Own KMS (AWS XKS) or Bring Your Own Encryption (BYOE), or BYOE is right for you, refer to the Fortanix DSM - Cloud Data Control - Getting Started.
3.0 Obtaining Access to Fortanix DSM
Create an account in Fortanix DSM if you do not have one already. For more information, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI guide.
4.0 Fortanix DSM Azure CDC Group Setup
4.1 Azure Application Configuration
The tool requires Azure credentials to authenticate and interact with Azure Key Vault. Perform the following steps to obtain the necessary credentials:
Log in to https://portal.azure.com/.
Register an application (app).
Figure 1: Initiate App Registration
Figure 2: Register an App
Figure 3: App Registered
Upload a client certificate for the above application.
Figure 4: Client Certificate for the App
Create a client secret for the above application.
Figure 5: Client Secret for the App
Give the app permission to access the Azure Key Vault.
Figure 6: Key Vault Permission to Access App
Figure 7: Key Vault Permission to Access App
Create an Azure Key Vault.
Figure 8: Create Azure Key Vault
Figure 9: Create Azure Key Vault
4.2 Prerequisites
To configure the Azure-backed Fortanix DSM group, the following are the prerequisites that the app in Azure CDC must have to authenticate the Fortanix DSM group with Azure Key Management Services.
The API permissions of the app to access the Key Vault. Refer to Figures 6 and 7 above for more details.
Adding the app to the Access Policy of the Key Vault. Refer to Figure 9 above for more details.
NOTE
The access policies for the app registered to the key vault should include the following permissions: "
GET
", "LIST
", "UPDATE
", "CREATE
", "IMPORT
", "DELETE
", "RECOVER
", "BACKUP
", "RESTORE
", "PURGE
".Assign the Key Vault Contributor and Key Vault Crypto Officer roles to the app registration.
Ensure the user performing these operations has sufficient privileges. For more information, refer to https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide.
In the Azure portal, open your Key Vault.
Navigate to Access Control (IAM) → Add → Add role assignment.
In the Add role assignment window, select the Role as Key Vault Contributor.
Click the Next button.
Add your app registration.
Click Review+assign to assign the role to the selected app registration.
Figure 10: Assign Key Vault Contributor Role
Repeat the above steps for the Key Vault Crypto Officer role as well. Select the Key Vault Crypto Officer role in Step c.

Figure 11: Assign Key Vault Crypto Officer Role
4.3 Configure the Azure CDC Group
Perform the following steps to create an Azure KMS group:
Navigate to the Groups menu item in the DSM left navigation bar and click the + button on the Groups page to create a new Azure KMS group.
In the Add new group form, do the following:
Enter a name and description for your group.
Click the LINK HSM/EXTERNAL KMS button to select the Azure KMS type, so that Fortanix DSM can connect to it.
Select the Azure Key Vault option from the drop-down.
In the Choose Service field, select from the following Azure services that you want to authenticate against and establish a successful key vault connection. You can choose from the following Azure services:
global Azure
Azure for US Government
Select the “global Azure” option to authenticate and upload the key material to any non-US government Azure service, or select the “Azure for US Government” option to authenticate and upload key material to the specific Azure service set aside for the US government.
NOTE
To use Azure US Government, you need to be a US citizen associated with the US Federal Government or a US government contractor. Refer to the Cloud Provider's documentation about access to these environments.
Use the credentials created in Section 4.1: Azure Application Configuration to set up an Azure-backed Fortanix DSM group. Azure subscriptions have a trust relationship with Azure AD.
In the Authentication section, enter the Azure KMS account credentials:Tenant ID: Each subscription has a Directory ID/Tenant ID. Enter the Tenant ID.
Client ID: Enter the Application ID/Client ID of the app registration you created. This value can be found on the app registration’s Overview screen.
Subscription ID: The Subscription ID is the ID of your Azure AD subscription containing the key vaults associated with that Subscription ID. You can get the subscription ID by navigating to Subscriptions in the Azure portal. Refer to Azure Subscriptions and Roles for more details.
You can authenticate with Azure Key Vault using either of the following options:Client Secret: A secret string that a registered application in Azure uses to prove its identity when requesting a token at a web-addressable location (using an HTTPS scheme). Client Secret is also referred to as an application password. Enter the “Value” of the Client Secret from the “Client secrets” section in Azure.
Token authentication certificate configuration: Click the + ADD AUTHENTICATION CERTIFICATE button to upload a client certificate and private key (Fortanix DSM Certificate and Key). This allows Fortanix DSM to authenticate itself to the Azure Key vault and vice versa. Ensure that the certificate file is in
cer
,pem
, orcrt
format.NOTE
Refer to Figure 3 and 5 in Section 4.1: Azure Application Configuration to get the Tenant ID, Client ID, and Client Secret.
Click the SAVE button.
Add a TLS configuration (optional). For more details, refer to Section 4.4: Add TLS Configuration (Optional).
Click TEST CONNECTION to test your Azure KMS connection. If Fortanix DSM connects to Azure Key Vault using your connection details, then it shows the status as “Connected” with a green tick
and fetches the key vaults associated with the Subscription ID. Otherwise, it shows the status as “Not Connected” with a yellow warning sign
.
4.4 Add TLS Configuration (Optional)
NOTE
If you are using a configuration such as a proxy for the Azure Key Vault connection, use this section to add certificates so that Fortanix DSM would allow the use of a custom certificate.
In the TLS configuration section, click + ADD AUTHENTICATION CERTIFICATE to add a certificate for authenticating the Azure Key Vault. Fortanix’s external KMS solution requires that the customer applications use one of the Fortanix DSM interfaces (REST, PKCS#11, KMIP, JCE, or CNG) to interact with Fortanix DSM for key management and cryptographic operations. These applications should be configured to authenticate to Fortanix DSM using a Certificate or Trusted Certificate Authority (CA) instead of directly communicating with Azure Key Vault.
Validate Host: Select the Validate Host check box to verify if the certificate that the Azure Key Vault provided has the same
subjectAltName
orCommon Name (CN)
as the hostname that the server certificate is coming from.You can select either of the following two certificates:
Global Root CAs: This option is for a self-signed certificate from an internal CA. By default, every Azure KMS group is configured with a Global Root CA Certificate.
CLIENT CERTIFICATE and PRIVATE KEY: Upload a client certificate and a private key (Fortanix DSM Certificate and Key). This allows Fortanix DSM to authenticate itself to the Azure Key Vault and vice versa.
Custom CA Certificate: This option is used when you as an enterprise want to self-sign the certificate using your own internal CA.
CA CERTIFICATE: You can either upload the certificate file or copy the contents of the certificate in the textbox provided. You can override the default Global CA cert with a Custom CA Certificate for an Azure Key Vault group.
CLIENT CERTIFICATE and PRIVATE KEY: A Custom CA Certificate has a Client Certificate section where you can configure a client certificate and a private key (Fortanix DSM Certificate and Key). This allows Fortanix DSM to authenticate itself to the Azure Key Vault and vice versa.
Click the SAVE button.
4.5 Select Key Vault
Azure Key Vault provides two types of resources to store and manage cryptographic keys: Vaults and Managed HSMs. Vaults support software-protected and HSM-protected keys. Azure Managed HSMs only support HSM-protected keys.
NOTE
As of the Fortanix DSM release 4.6, we support Software-backed key vaults, HSM-backed key vaults, and Azure Managed HSM Pool.
For more details about the types of resources that Azure Key Vault provides, refer to Azure documentation.
When the Azure KMS is connected successfully, it will enable the Key vault type section.
From the list of key vaults for the Subscription ID entered, select Standard or Premium. The Standard key vault encrypts with a Software-protected key only, and the Premium key vault includes HSM-protected keys that can be created as Software-protected or Hardware-protected keys.
Select a key vault from the drop down list for the selected Key vault type.
Click the SAVE button to save the group.
4.6 Not Connected Scenario
When you click the TEST CONNECTION, it is possible that Fortanix DSM is not able to connect to the Azure Key vault. If that happens, it displays a “Not Connected” status with a warning symbol . You can save the details of the new connection details provided and edit them later.
4.7 HSM/KMS Tab
The group details now include an HSM/KMS tab displaying information about your KMS.
The HSM/KMS tab displays the details of the Azure Service Type, including the connection details of the Tenant ID, Client ID, Client Secret, Subscription ID, and Key Vault Name. You can edit these connection details here.
After editing and saving, click the TEST CONNECTION button to check the connection.
Click the SYNC KEYS button to sync keys from the configured Azure KMS to the Azure CDC group.
4.8 Groups Table View
After saving the group details, you can view the list of all groups and notice the special symbol next to the newly created group. This symbol indicates that it is an Azure CDC group, distinguishing it from other groups.
4.9 User's View
Navigate to the Users menu item in the DSM left navigation bar and click the user that says “You” on the Users page to view the user’s detailed view.
The detailed view shows all the groups the user belongs to and indicates which groups are mapped to Azure KMS, displaying their status as "connected" or "not connected."
5.0 Azure Key Vault Group BYOK and Cloud Native Key Management
For details on how to perform native key lifecycle management in Azure Key Vault using Fortanix DSM, refer to the Fortanix DSM - Azure Key Vault Cloud Native Key Management.
For details on how to perform BYOK key lifecycle management in Azure Key Vault using Fortanix DSM, refer to the Fortanix DSM - Azure KMS Bring Your Own Key.