Fortanix DSM - Azure Key Vault CDC Group Setup

1.0 Introduction

Welcome to the Fortanix-Data-Security-Manager (DSM) Azure Key Vault (AKV) Key Management Service (KMS) User Guide. This article describes how to set up a Cloud Data Control (CDC) Group for Azure Key Vault using Fortanix DSM.

The Fortanix solution for AKV KMS offers complete Bring Your Own Key (BYOK) and lifecycle management and automation of Azure keys and allows users to manage all keys centrally and securely.

This article will walk you through setting up an Azure CDC group that will be used for both CNKMS and BYOK workflows.

1.1 Types of Azure BYOK Flows

  1. Fortanix DSM key BYOK into Standard Tier Azure Key Vault (Software-protected: FIPS 140-2 Level 1compliance)

  2. Fortanix DSM Key BYOK into Premium Tier Azure Key Vault (HSM-protected: FIPS 140-2 Level 2 compliance)

  3. Fortanix DSM key BYOK from Fortanix DSM as HSM into Azure Key Vault HSM using custom Key wrapping inside Fortanix DSM

  4. Fortanix BYOK into Azure Managed HSM (HSM-protected: Azure FIPS 140-2 Level 3 compliance).

2.0 Getting Started with Fortanix Cloud Data Control

To understand which solution between CNKMS, Bring Your Own Key (BYOK), Bring Your Own KMS (AWS XKS) or Bring Your Own Encryption (BYOE), or BYOE is right for you, refer to the Fortanix DSM - Cloud Data Control - Getting Started.

3.0 Obtaining Access to Fortanix DSM

Create an account in Fortanix DSM if you do not have one already. For more information, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI guide.

4.0 Fortanix DSM Azure CDC Group Setup

4.1 Azure Application Configuration

The tool requires Azure credentials to authenticate and interact with Azure Key Vault. Perform the following steps to obtain the necessary credentials:

  1. Log in to https://portal.azure.com/.

  2. Register an application (app).

    azure_byok1.png

    Figure 1: Initiate App Registration

    azure_byok2.png

    Figure 2: Register an App

    azure_byok3.png

    Figure 3: App Registered

  3. Upload a client certificate for the above application.  

    AzureKMS_UploadCert.png

    Figure 4: Client Certificate for the App

  4. Create a client secret for the above application.

    AzureKMS_ClientSecret.png

    Figure 5: Client Secret for the App

  5. Give the app permission to access the Azure Key Vault.  

    azure_byok4.1.png

    Figure 6: Key Vault Permission to Access App

    Azure_App_Perm.png

    Figure 7: Key Vault Permission to Access App

  6. Create an Azure Key Vault.  

    azure_byok5.1.png

    Figure 8: Create Azure Key Vault

    azure_byok6_1.png

    Figure 9: Create Azure Key Vault

4.2 Prerequisites

To configure the Azure-backed Fortanix DSM group, the following are the prerequisites that the app in Azure CDC must have to authenticate the Fortanix DSM group with Azure Key Management Services.

  • The API permissions of the app to access the Key Vault. Refer to Figures 6 and 7 above for more details.

  • Adding the app to the Access Policy of the Key Vault. Refer to Figure 9 above for more details.

    NOTE

    The access policies for the app registered to the key vault should include the following permissions: "GET", "LIST", "UPDATE", "CREATE", "IMPORT", "DELETE", "RECOVER", "BACKUP", "RESTORE", "PURGE".

  • Assign the Key Vault Contributor and Key Vault Crypto Officer roles to the app registration.

    Ensure the user performing these operations has sufficient privileges. For more information, refer to https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide.

    1. In the Azure portal, open your Key Vault.

    2. Navigate to Access Control (IAM)AddAdd role assignment.

    3. In the Add role assignment window, select the Role as Key Vault Contributor.

    4. Click the Next button.

    5. Add your app registration.

    6. Click Review+assign to assign the role to the selected app registration.

    AzureKMS2.png

    Figure 10: Assign Key Vault Contributor Role

 Repeat the above steps for the Key Vault Crypto Officer role as well. Select the Key Vault Crypto Officer role in Step c.

Figure 11: Assign Key Vault Crypto Officer Role

4.3 Configure the Azure CDC Group

Perform the following steps to create an Azure KMS group:

  1. Navigate to the Groups menu item in the DSM left navigation bar and click the + button on the Groups page to create a new Azure KMS group.

  2. In the Add new group form, do the following:

    1. Enter a name and description for your group.

    2. Click the LINK HSM/EXTERNAL KMS button to select the Azure KMS type, so that Fortanix DSM can connect to it.

    3. Select the Azure Key Vault option from the drop-down.

    4. In the Choose Service field, select from the following Azure services that you want to authenticate against and establish a successful key vault connection. You can choose from the following Azure services:

      • global Azure

      • Azure for US Government

      Select the “global Azure” option to authenticate and upload the key material to any non-US government Azure service, or select the “Azure for US Government” option to authenticate and upload key material to the specific Azure service set aside for the US government.

      NOTE

      To use Azure US Government, you need to be a US citizen associated with the US Federal Government or a US government contractor. Refer to the Cloud Provider's documentation about access to these environments.

    5. Use the credentials created in Section 4.1: Azure Application Configuration to set up an Azure-backed Fortanix DSM group. Azure subscriptions have a trust relationship with Azure AD.
      In the Authentication section, enter the Azure KMS account credentials:

      • Tenant ID: Each subscription has a Directory ID/Tenant ID. Enter the Tenant ID.

      • Client ID: Enter the Application ID/Client ID of the app registration you created. This value can be found on the app registration’s Overview screen.

      • Subscription ID: The Subscription ID is the ID of your Azure AD subscription containing the key vaults associated with that Subscription ID. You can get the subscription ID by navigating to Subscriptions in the Azure portal. Refer to Azure Subscriptions and Roles for more details.
        You can authenticate with Azure Key Vault using either of the following options:

      • Client Secret: A secret string that a registered application in Azure uses to prove its identity when requesting a token at a web-addressable location (using an HTTPS scheme). Client Secret is also referred to as an application password. Enter the “Value” of the Client Secret from the “Client secrets” section in Azure.

      • Token authentication certificate configuration: Click the + ADD AUTHENTICATION CERTIFICATE button to upload a client certificate and private key (Fortanix DSM Certificate and Key). This allows Fortanix DSM to authenticate itself to the Azure Key vault and vice versa. Ensure that the certificate file is in cer, pem, or crt format.

        NOTE

        Refer to Figure 3 and 5 in Section 4.1: Azure Application Configuration to get the Tenant ID, Client ID, and Client Secret.

    6. Click the SAVE button.

  3. Add a TLS configuration (optional). For more details, refer to Section 4.4: Add TLS Configuration (Optional).

  4. Click TEST CONNECTION to test your Azure KMS connection. If Fortanix DSM connects to Azure Key Vault using your connection details, then it shows the status as “Connected” with a green tick  AWS_43a.png and fetches the key vaults associated with the Subscription ID. Otherwise, it shows the status as “Not Connected” with a yellow warning sign  AWS_44a.png .

4.4 Add TLS Configuration (Optional)

NOTE

If you are using a configuration such as a proxy for the Azure Key Vault connection, use this section to add certificates so that Fortanix DSM would allow the use of a custom certificate.

In the TLS configuration section, click + ADD AUTHENTICATION CERTIFICATE to add a certificate for authenticating the Azure Key Vault. Fortanix’s external KMS solution requires that the customer applications use one of the Fortanix DSM interfaces (REST, PKCS#11, KMIP, JCE, or CNG) to interact with Fortanix DSM for key management and cryptographic operations. These applications should be configured to authenticate to Fortanix DSM using a Certificate or Trusted Certificate Authority (CA) instead of directly communicating with Azure Key Vault.

  1. Validate Host: Select the Validate Host check box to verify if the certificate that the Azure Key Vault provided has the same subjectAltName or Common Name (CN) as the hostname that the server certificate is coming from.

  2. You can select either of the following two certificates:

    1. Global Root CAs: This option is for a self-signed certificate from an internal CA. By default, every Azure KMS group is configured with a Global Root CA Certificate.

      • CLIENT CERTIFICATE and PRIVATE KEY: Upload a client certificate and a private key (Fortanix DSM Certificate and Key). This allows Fortanix DSM to authenticate itself to the Azure Key Vault and vice versa.

    2. Custom CA Certificate: This option is used when you as an enterprise want to self-sign the certificate using your own internal CA.

      • CA CERTIFICATE: You can either upload the certificate file or copy the contents of the certificate in the textbox provided. You can override the default Global CA cert with a Custom CA Certificate for an Azure Key Vault group.

      • CLIENT CERTIFICATE and PRIVATE KEY: A Custom CA Certificate has a Client Certificate section where you can configure a client certificate and a private key (Fortanix DSM Certificate and Key). This allows Fortanix DSM to authenticate itself to the Azure Key Vault and vice versa.

  3. Click the SAVE button.

4.5 Select Key Vault

Azure Key Vault provides two types of resources to store and manage cryptographic keys: Vaults and Managed HSMs. Vaults support software-protected and HSM-protected keys. Azure Managed HSMs only support HSM-protected keys.

NOTE

As of the Fortanix DSM release 4.6, we support Software-backed key vaults, HSM-backed key vaults, and Azure Managed HSM Pool.

For more details about the types of resources that Azure Key Vault provides, refer to Azure documentation.

  1. When the Azure KMS is connected successfully, it will enable the Key vault type section.

  2. From the list of key vaults for the Subscription ID entered, select Standard or Premium. The Standard key vault encrypts with a Software-protected key only, and the Premium key vault includes HSM-protected keys that can be created as Software-protected or Hardware-protected keys.

  3. Select a key vault from the drop down list for the selected Key vault type.

  4. Click the SAVE button to save the group.

4.6 Not Connected Scenario

When you click the TEST CONNECTION, it is possible that Fortanix DSM is not able to connect to the Azure Key vault. If that happens, it displays a “Not Connected” status with a warning symbol AWS_44a.png. You can save the details of the new connection details provided and edit them later.

4.7 HSM/KMS Tab

The group details now include an HSM/KMS tab displaying information about your KMS.

The HSM/KMS tab displays the details of the Azure Service Type, including the connection details of the Tenant ID, Client ID, Client Secret, Subscription ID, and Key Vault Name. You can edit these connection details here.

After editing and saving, click the TEST CONNECTION button to check the connection.

Click the SYNC KEYS button to sync keys from the configured Azure KMS to the Azure CDC group.

4.8 Groups Table View

After saving the group details, you can view the list of all groups and notice the special symbol AWS_46.pngnext to the newly created group. This symbol indicates that it is an Azure CDC group, distinguishing it from other groups.

4.9 User's View

Navigate to the Users menu item in the DSM left navigation bar and click the user that says “You” on the Users page to view the user’s detailed view.

The detailed view shows all the groups the user belongs to and indicates which groups are mapped to Azure KMS, displaying their status as "connected" or "not connected."

5.0 Azure Key Vault Group BYOK and Cloud Native Key Management

For details on how to perform native key lifecycle management in Azure Key Vault using Fortanix DSM, refer to the Fortanix DSM - Azure Key Vault Cloud Native Key Management.

For details on how to perform BYOK key lifecycle management in Azure Key Vault using Fortanix DSM, refer to the Fortanix DSM - Azure KMS Bring Your Own Key.