Fortanix DSM - Azure Key Vault Cloud Native Key Management


1.0 Introduction

This article describes how to perform native key lifecycle management in Azure Key Vault (AKV) using the Fortanix Data Security Manager (DSM) Cloud Native Key Management Service (CNKMS).

The Fortanix solution for AKV offers complete CNKMS, as explained in this article, as well as Bring Your Own Key (BYOK) with complete lifecycle management for automation.

2.0 Getting Started with Fortanix Cloud Data Control

To understand which solution between CNKMS, Bring Your Own Key (BYOK), or Bring Your Own Encryption (BYOE) is right for you, refer to the Fortanix DSM - Cloud Data Control - Getting Started.

3.0 Fortanix Azure Key Vault CNKMS Workflows Overview

  • Generate key: Navigate to a CDC group, select "Generate in Azure", select a supported algorithm type and key size, and click Generate to generate the key in the Azure Key Vault key repository.

  • Rotate: Rotate the key that was originally generated in Azure Key Vault by navigating to it in the Azure CDC group. Otherwise, if the source is "Fortanix DSM", refer to the Fortanix DSM - Azure Key Vault BYOK (Bring Your Own Key).

  • Disable/Enable: Navigate to the detailed view of the key in the Azure CDC group and disable or enable it from Fortanix DSM. 

  • Soft key deletion: Azure does not let you delete a key outright. Deleting a key places it in the soft-deleted state for the retention period configured on the key vault (anywhere from 7 to 90 days, with 90 days being the default); during that period the key can be recovered, and when the period expires Azure purges it permanently. If “Purge Protection” is enabled on the vault, a soft-deleted key cannot be purged manually before the retention period ends; if it is disabled, the key can be purged at any time during the retention period. For more information, refer to the Azure Key Vault soft-delete overview.
    Navigate to the detailed view of the key in the Azure CDC group and, in the AZURE KEY DETAILS tab, schedule the key for deletion.

4.0  Fortanix DSM Azure KMS Security Objects

You can generate a key in a configured Azure KMS (Software-backed or HSM-backed key vault).

4.1 Create a Key in Azure CDC Group - Generate Key

This action will generate the configured key type in the software-backed or HSM-backed Azure Key Vault, and it will be represented as a virtual key in the corresponding Azure CDC group. This means that the virtual key in the Azure CDC group will point to the actual key in the Software/HSM-backed Azure Key Vault that stores the key material of this new key. The virtual key only stores the key information and key attributes, but it does not have the key material.

Perform the following steps to create a new key in Fortanix DSM UI:

  1. Navigate to the Security Objects menu item in the DSM left navigation panel and click the + button on the Security Objects page to create a new key.

  2. In the Add New Security Object form, do the following:

    1. Enter a name for the Security Object (Key).

    2. Select the This is an HSM/external KMS object check box to filter the groups to show only HSM/AWS KMS/Azure KMS groups in the Select group list.

    3. In the Azure group list, select the Azure CDC group into which the keys will be generated. The keys will be generated in the region that was selected in the Azure CDC group.

    4. Select the GENERATE IN AZURE radio button to initiate the generation of the key in the Azure workflow.

    5. In the Create key as section,

      • Select Software protected or Hardware protected radio button if the key vault associated with the Azure CDC group is a Premium key vault.

      • For the Standard key vault, the key is created as software-protected by default.

    6. Enter the required Azure key name. The Azure key name is the key name that will be stored in Azure Key Vault. The Azure key name will be used to correlate between different versions of a key. All the key versions will have the same Azure key name.

    7. In the Choose a type section, select the key type for the new Azure KMS key.

      NOTE

      The allowed key types for an Azure key generated using the Generate Key workflow are the same for Standard and Premium key vaults:

      • RSA key pairs (RSA_2048, RSA_3072, and RSA_4096).

      • Elliptic curve key pairs (ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, and ECC_SECG_P256K1).

      These key types can further be restricted by setting a cryptographic policy for the account or group. For more details about the crypto policy, refer to the User's Guide: Crypto Policy.

      The key types can also be restricted by setting a key metadata policy for the group. For more details about the Key metadata policy, refer to the User's Guide: Key Metadata Policy.

    8. Enter the Key size.

    9. Enter the key Activation Date and key Deactivation Date.

    10. Select the permitted key operations under the Key operations permitted section.

    11. Add any key tags if required using the ADD TAG button.

    12. Add any attributes if required using the CUSTOM ATTRIBUTE button.

  3. Click the GENERATE button to generate the key in Azure. 

NOTE

Once the key is generated, perform the SYNC KEYS operation so that a backup blob for the key (along with its key versions) is downloaded from Azure and escrowed in Fortanix DSM. Until you do, the key has no escrow and cannot be restored if it is later purged from the key vault. For steps to sync keys, refer to Section 4.2: Sync Keys.

The new Azure key is created and shown with a special symbol that denotes it is of type "External KMS". In the detailed view of the Azure key, you will notice the following:

  • The “key state” - whether the key is in a pre-active/active state based on the “activation date” selected during the key creation. 

  • The Azure Key Name appears at the top.

  • The group to which it belongs (in the Group field). A special icon next to the group shows whether the group is mapped to an Azure Key Vault.

  • How the key was created (in the Created by field). For an Azure KMS key, this field shows the group that created the key and whether that group is “Connected” or “Not Connected”.

The new key will be added to the Security Objects table. 

TIP

  • You can also access the new key from the Group detailed view from the SECURITY OBJECTS tab.

  • You can also add a new key from the Group detailed view: open the SECURITY OBJECTS tab, click the ADD SECURITY OBJECT button, and follow Steps 2-3 above.

Go to the AZURE KEY DETAILS tab to see the properties of the Azure Key, such as the Version Number and Resource ID of the key.
Log in to the Azure console and verify if the new key has been generated successfully.

4.2  Sync Keys

Perform the following steps to sync the Azure keys as virtual keys in the Azure-backed DSM group:

  1. Go to the Azure KMS group detailed view.

  2. Click the HSM/KMS tab.

  3. Click the SYNC KEYS button to import the new virtual keys.

Fortanix DSM will then connect to Azure Key Vault, fetch all available keys, and store them as virtual keys.

WARNING

When a new key is created in Azure Key Vault from Fortanix DSM, a backup blob for the key (along with its key versions) is downloaded from Azure and escrowed in Fortanix DSM ONLY when the SYNC KEYS operation is performed on the group. If the key is later purged from the key vault, this escrow is what allows it to be restored. The blob is Azure's own encrypted, opaque backup format: the actual key material is always stored in Azure Key Vault, and Fortanix DSM holds the escrow without being able to read the key material from it.

NOTE

  • Clicking SYNC KEYS only returns the keys from Azure Key Vault that are not present in Fortanix DSM. That is, every click will append only new keys to Fortanix DSM.

  • The time taken to sync keys from the Azure Key Vault to DSM is a function of the number of keys in the Azure Key Vault and the network latency between the Azure location and DSM. It can take several minutes if there are hundreds of keys and significant network latency.

4.3 Attributes/Tags Tab

This tab contains all the attributes and tags of the Azure key. A tag serves as an optional metadata label for an Azure resource. You can add new tags using the NEW TAG button and add custom attributes using the ADD CUSTOM ATTRIBUTE button. These custom attributes are user-defined security object attributes that augment the security object's metadata.

4.4 Azure Key Details

This tab displays details of the Azure key properties, such as Resource ID and Key version number.

The AZURE KEY DETAILS tab also contains the SOFT DELETE KEY option, which is explained in Section 4.7: Soft-delete a Key in Azure Key Vault.

4.5 Security Objects Table View

After you add new Azure keys, navigate to the Security Objects menu item to view all the security objects from all the groups (Regular and HSM/External KMS).

In the table, you will notice that every key belongs to a group, and that the virtual keys added from an Azure Key Vault belong to a group marked with a special symbol. The table shows all keys, whether they belong to an Azure CDC group or not.

4.6 Deactivate a Key in Azure CDC Group

When you deactivate an Azure key in Fortanix DSM, it deactivates the virtual key in Fortanix DSM and disables the actual key in the Azure KMS.

Perform the following steps to deactivate a key:

  1. Select the Azure key that you want to deactivate.

  2. In the detailed view of the key, scroll down and click the DEACTIVATE button.

4.7 Soft-delete a Key in Azure Key Vault

Soft-delete removes a key from an Azure Key Vault that has already been synced into the Azure CDC group in Fortanix DSM, with an option to recover it. The recovery (retention) period is configured when the key vault is created; you can set it to any value between 7 and 90 days, with 90 days as the default. Once the retention period expires, the key can no longer be recovered from the soft-deleted state.

When you click the SOFT DELETE KEY button in Fortanix DSM:

  • The status of the key in the Azure CDC group changes to “soft-deleted”.

  • The key can only be recovered for a retention period set in the key vault.

  • If you recover the key, both the virtual key in Fortanix DSM and the actual key in Azure Key Vault become active again.

  • If the key is not recovered within the retention period, Azure Key Vault purges it and deletes it permanently.

Perform the following steps to soft-delete a key from Azure Key Vault:

  1. Navigate to the detailed view of an Azure virtual key and click the AZURE KEY DETAILS tab.

  2. Click the SOFT DELETE KEY button.

  3. In the Soft Key Deletion in Azure key vault window, select the confirmation “I understand that the key is not usable for Sign/Verify, Wrap/Unwrap or Encrypt/Decrypt operations once it is deleted” check box.

  4. Click the SOFT DELETE KEY button to confirm the key for deletion.

You can recover the soft-deleted key any time before the retention period ends using the RECOVER DELETED KEY button at the top of the screen in the detailed view of the virtual key. When you click RECOVER DELETED KEY, the key is recovered in Azure Key Vault with all its versions.

NOTE

  • When the retention period ends, the new key state will be reflected in the virtual key only after clicking SYNC KEYS.

  • When the retention period ends, the key cannot be recovered from the soft-deleted state and can only be purged.

  • When the retention period ends, the key is purged and permanently deleted in Azure Key Vault. Even then, the key can be restored from the backup blob escrowed in Fortanix DSM (see Section 4.8), and for a BYOK key whose material originated in Fortanix DSM, the same key material can be imported into Azure Key Vault again from the DSM source key.

  • In the Azure Key Vault, when a key is deleted, all its versions get deleted along with it and when restored, all its versions are restored together.

4.8 Purge a Key in Azure Key Vault

Purging permanently removes a soft-deleted key from the Azure Key Vault. Azure Key Vault itself has no way to recover a purged key; the only way to bring it back is to restore it from a backup blob, which Fortanix DSM escrows during SYNC KEYS (Section 4.2) and uses for the RESTORE PURGED KEY option. A key can be purged only while it is in the soft-deleted state, that is, within the retention period configured on the key vault (7 to 90 days, with 90 days as the default), and only if Purge Protection is not enabled on the vault.

When you click the PURGE DELETED KEY button in Fortanix DSM:

  • The status of the key in the Azure CDC group changes to “purged”.

  • The key can be restored only from the backup blob escrowed in Fortanix DSM; no escrow exists if SYNC KEYS was never performed after the key was created or last rotated.

  • If you restore the key, both the virtual key in Fortanix DSM and the actual key in Azure Key Vault become active again, with all the versions contained in the blob.

  • If you do not restore the key, it remains permanently deleted in Azure Key Vault and any data encrypted with it is unrecoverable.

Perform the following steps to purge a key from Azure Key Vault:

  1. Navigate to the detailed view of an Azure virtual key and click the AZURE KEY DETAILS tab.

  2. Click the PURGE DELETED KEY button.

  3. In the Purge deleted key in Azure key vault window, select the confirmation “I understand that purging the key makes all data encrypted with it unrecoverable unless you later import the same key material from Fortanix DSM into the Azure key. The DSM source key is not affected by this operation.” check box.

  4. Click the PURGE KEY button to confirm the key for deletion.

You can restore the purged key any time before the retention period ends using the RESTORE PURGED KEY button at the top of the screen in the detailed view of the virtual key. When you click RESTORE PURGED KEY, the key is restored in Azure Key Vault with all the versions contained in the escrowed backup blob.

NOTE

  • When the retention period ends, the new key state will be reflected in the virtual key only after clicking SYNC KEYS.

  • When the retention period ends, the key cannot be restored from the purged state and is permanently deleted; the virtual key can then be removed from Fortanix DSM as described in Section 4.9.

  • If the key is purged in Azure Key Vault, the same key material can be re-imported into Azure Key Vault from the escrowed backup blob using the RESTORE PURGED KEY option. The backup blob is available only if the SYNC KEYS operation was performed after creating (or last rotating) the key. For a BYOK key whose material originated in Fortanix DSM, the material can also be imported again from the DSM source key.

  • In the Azure Key Vault, when a key is deleted, all its versions get deleted along with it and when restored, all its versions are restored together.
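The soft-delete, recover, purge and restore rules described in Sections 3.0, 4.2, 4.7 and 4.8 interact in ways that are easy to get wrong operationally. The following Python model is an added example written for this page; it is not Fortanix or Azure code. Vault, DsmGroup, the day counter and the "vNNN" version ids are stand-ins for the real key vault, the Azure CDC group and Azure's version identifiers, and the model assumes that SYNC KEYS refreshes the escrowed blob of every live key. It replays three checks a practitioner should expect: a purge is refused while Purge Protection is on, recovery fails once the retention period has elapsed, and a backup blob escrowed before a rotation restores only the versions that existed when it was taken.

```python
# Added example, not Fortanix or Azure code: toy model of the Azure Key Vault soft-delete,
# purge and backup lifecycle. Vault, DsmGroup, the day counter and "vNNN" ids are stand-ins.

class PurgeProtected(Exception):
    """Purge attempted on a vault with Purge Protection enabled."""
class NotRecoverable(Exception):
    """Key is not soft-deleted: never deleted, already purged, or retention expired."""

class Vault:
    """One Azure Key Vault. live: name -> [versions]; deleted: name -> ([versions], day)."""
    def __init__(self, retention_days=90, purge_protection=False):
        if not 7 <= retention_days <= 90:
            raise ValueError("soft-delete retention must be 7 to 90 days")
        self.retention_days, self.purge_protection = retention_days, purge_protection
        self.live, self.deleted, self.day = {}, {}, 0

    def create_key(self, name):
        self.live[name] = ["v001"]  # real Azure version ids are 32 hex characters

    def rotate(self, name):  # new version under the same name; old versions stay usable
        self.live[name].append(f"v{len(self.live[name]) + 1:03d}")

    def backup(self, name):  # backup blob: snapshot of every version existing right now
        return {"name": name, "versions": list(self.live[name])}

    def soft_delete(self, name):
        self.deleted[name] = (self.live.pop(name), self.day)

    def recover(self, name):
        if name not in self.deleted:
            raise NotRecoverable(name)
        self.live[name] = self.deleted.pop(name)[0]

    def purge(self, name):  # permanent; only while soft-deleted and only without Purge Protection
        if self.purge_protection:
            raise PurgeProtected(name)
        if name not in self.deleted:
            raise NotRecoverable(f"{name} is not soft-deleted")
        del self.deleted[name]

    def restore(self, blob):  # Azure rejects a restore while a key of that name still exists
        name = blob["name"]
        if name in self.live or name in self.deleted:
            raise KeyError(f"{name} still exists; restore would conflict")
        self.live[name] = list(blob["versions"])
        return len(self.live[name])

    def advance_days(self, days):  # Azure auto-purges soft-deleted keys once retention expires
        self.day += days
        for name, (_, deleted_on) in list(self.deleted.items()):
            if self.day >= deleted_on + self.retention_days:
                del self.deleted[name]

class DsmGroup:
    """Azure CDC group: virtual keys plus the backup blobs escrowed by SYNC KEYS."""
    def __init__(self, vault):
        self.vault, self.virtual, self.escrow = vault, set(), {}

    def sync_keys(self):
        """Append only keys not yet known as virtual keys, then refresh the escrowed blob of
        every live key (assumption: each sync re-fetches the blob, so new versions are kept)."""
        added = [n for n in self.vault.live if n not in self.virtual]
        self.virtual.update(added)
        for name in self.vault.live:
            self.escrow[name] = self.vault.backup(name)
        return added

def purge_blocked_by_protection():
    v = Vault(retention_days=30, purge_protection=True)
    v.create_key("app-cmk")
    v.soft_delete("app-cmk")
    try:
        v.purge("app-cmk")
    except PurgeProtected:
        return True
    return False

def recoverable_after_retention():
    v = Vault(retention_days=7)
    v.create_key("app-cmk")
    v.soft_delete("app-cmk")
    v.advance_days(7)
    try:
        v.recover("app-cmk")
    except NotRecoverable:
        return False
    return True

def versions_restored(sync_after_rotate):
    v = Vault(retention_days=7)
    g = DsmGroup(v)
    v.create_key("app-cmk")
    g.sync_keys()
    v.rotate("app-cmk")
    if sync_after_rotate:
        g.sync_keys()
    v.soft_delete("app-cmk")
    v.purge("app-cmk")
    return v.restore(g.escrow["app-cmk"])
```

versions_restored(False) returns 1 and versions_restored(True) returns 2: a blob escrowed before the rotation knows nothing about the new version, which is why the page tells you to run SYNC KEYS after every generation and rotation. purge_blocked_by_protection() returns True and recoverable_after_retention() returns False, matching the Azure behaviour described in Section 3.0.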

4.9 Delete a Key in Azure CDC Group

The DELETE KEY button will be enabled when the key can no longer be restored from the purged state. When you click DELETE KEY, Fortanix DSM will remove the virtual key permanently.

Perform the following steps to delete a virtual key:

  1. Select the Azure key that you want to delete.

  2. In the detailed view of the security object, scroll down and click the DELETE KEY button.

5.0 Rotate a Key in Azure CDC Group

This section describes key rotation in an Azure CDC group. Rotating a key retires the current encryption key and replaces it with newly generated key material, so that new data is protected under a fresh key while existing data remains decryptable under the earlier versions.

NOTE

When performing key rotation in Azure Key Vault, whether normal rotation, linked key rotation, or rotating to a DSM key, you no longer need to specify an Azure key name. The rotated key is created as a new version of the existing Azure key, so it keeps the following from the previous version:

  • Azure Key Name

  • Azure Key Resource ID (the key identifier; each version additionally has its own versioned identifier)

  • Version history (the new version is appended to the existing versions of the key)

  • Key Backup Information

5.1  Rotating Azure Native Key* with Another Native Key

*Native key is one where the key material was generated by Azure Key Vault.

When you rotate a virtual key in an Azure KMS group, Fortanix DSM rotates the key inside the configured Azure Key Vault by creating a new version of the key under the same Azure key name. The key name now resolves to the new version, while the earlier versions remain in the key vault so that data encrypted under them can still be decrypted.

Perform the following steps to rotate a key in Azure Key Vault:

  1. Navigate to the Security Objects menu item in the DSM left navigation panel to go to the detailed view of an Azure virtual key and click the ROTATE KEY button.

  2. In the KEY ROTATION window, the Generate new key radio button is selected by default.

  3. Click the ROTATE KEY button to rotate a virtual key.

  4. On the next screen, select both the check boxes to confirm your understanding of the action. Click the PROCEED button.

A new rotated key is now generated.

NOTE

Once the key is rotated, perform the SYNC KEYS operation to ensure a backup blob for the newly created key (along with its key versions) will be downloaded from Azure and escrowed into Fortanix DSM. For steps to sync keys, refer to Section 4.2: Sync Keys.

5.2  Rotating Azure Native Key to Fortanix DSM Owned Key

When an Azure KMS virtual key whose key material is owned by Azure KMS is rotated, you are given the option to rotate the virtual key with a Fortanix DSM-backed key. When you select this option and perform the rotation, a new virtual key is created, with the corresponding key in Azure KMS, which has the key material of the Fortanix DSM-backed key. As a result, the Azure KMS virtual key is backed by a Fortanix DSM source key and becomes a BYOK key.

Perform the following steps to rotate a virtual key with a Fortanix DSM-backed key:

  1. Navigate to the Security Objects menu item in the DSM left navigation panel to go to the detailed view of an Azure virtual key and click the ROTATE KEY button.

  2. In the Key Rotation window, the Generate new key radio button is selected by default.

  3. Select the Rotate to DSM key check box.

  4. Select the Fortanix DSM group that contains the source key and then select the required source key from the respective drop down menu.

  5. Click the ROTATE KEY button.

  6. On the next screen, select both the check boxes to confirm your understanding of the action. Click the PROCEED button.

The virtual key has been rotated and is now backed by the source key. To confirm, go to the detailed view of the newly rotated Azure virtual key and click the AZURE KEY DETAILS tab. You will notice that the SOURCE field now shows FortanixHSM instead of External.

NOTE

Once the Azure virtual key is rotated, perform the SYNC KEYS operation to ensure a backup blob for the newly created key (along with its key versions) will be downloaded from Azure and escrowed into Fortanix DSM. For steps to sync keys, refer to Section 4.2: Sync Keys.

6.0 Azure Key Vault Group Setup and BYOK

For details on how to set up an Azure Key Vault-backed group in Fortanix DSM, refer to the Fortanix DSM - Azure Key Vault Setup.

For details on how to perform BYOK key lifecycle management in Azure Key Vault using Fortanix DSM, refer to the Fortanix DSM - Azure Key Vault Bring Your Own Key.