Welcome to the Fortanix Data Security Manager (DSM) Azure Key Vault (AKV) Cloud Native Key Management (CNKMS) User Guide. This article describes how to perform native key lifecycle management in Azure Key Vault using Fortanix DSM.
The Fortanix solution for AKV offers complete Cloud Native Key Management (CNKMS), as explained in this guide, as well as Bring Your Own Key (BYOK) with complete lifecycle management for automation.
2.0 Getting Started with Fortanix Cloud Data Control
To understand which solution between CNKMS, BYOK, or Bring Your Own Encryption (BYOE) is right for you, please see Fortanix Data Security Manager Cloud Data Control Getting Started Guide.
3.0 Fortanix Azure Key Vault CNKMS Workflows Overview
- Generate: Navigate to a CDC group, and select "Generate in Azure", select a supported algorithm type and key size, and click Generate to generate the key in the Azure Key Vault key repository.
- Rotate: Rotate a key that was originally generated in Azure Key Vault by navigating to it in the Azure CDC group. If the key's source is "Fortanix DSM" (a BYOK key), see the Azure BYOK User Guide instead.
- Disable/Enable: Navigate to the detailed view of the key in the Azure CDC group and disable or enable it from Fortanix DSM.
- Schedule/Soft Key Deletion: Azure Key Vault does not destroy a key immediately. Deleting a key first soft-deletes it; the key then stays recoverable for the retention period configured on the key vault (between 7 and 90 days, default 90 days) and is purged only when that period expires. The optional "Purge Protection" setting on the key vault additionally prevents anyone from manually purging a soft-deleted key before the retention period ends.
(More info: https://learn.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview)
Navigate to the detailed view of the key in the Azure CDC group and, in the AZURE KEY DETAILS tab, schedule the key for deletion.
4.0 Fortanix Data Security Manager Azure KMS Security Objects
4.1 Create a Key in Azure CDC Group - Generate (Software-Backed Key Vault and HSM-Backed Key Vault)
You can generate a key in a configured Azure KMS (Software-backed or HSM-backed key vault).
4.1.1 Generate a Key
This action generates a key of the configured type in the Azure Key Vault (software-backed or HSM-backed) and represents it as a virtual key in the corresponding Azure CDC group. The virtual key points to the actual key in Azure Key Vault, which holds the key material of the new key. The virtual key stores only the key information and key attributes; it never holds the key material.
In your Fortanix DSM console, follow the process below to create a new key:
- Click the Security Objects tab.
- Click to create a new Security Object.
- In the Add New Security Object form, enter a name for the Security Object (Key).
- Select the This is an HSM/external KMS object check box. This will show the Azure CDC configured groups in the Select group list.
- In the Azure group list, select the Azure group into which the keys will be generated. The Key vault name associated with the Azure group is displayed.
- Select GENERATE IN AZURE to initiate the generate key in Azure workflow.
- If the key vault associated with the Azure group is a Premium key vault, then in the Create key as section, select Software protected keys or Hardware protected keys. For the Standard key vault, the key is created as software-protected by default.
- Enter the Azure key name: The Azure key name is the key name that will be stored in Azure Key Vault. The Azure key name will be used to correlate between different versions of a key. All the key versions will have the same Azure key name.
- Select the key type for the new Azure KMS key.
These key types can further be restricted by setting a crypto policy for the account or group. For more details about the crypto policy, please refer to the article: https://support.fortanix.com/hc/en-us/articles/360042064051-User-s-Guide-Crypto-Policy.
The key types can also be restricted by setting a Key metadata policy for the group. For more details about the Key metadata policy, refer to the article: https://support.fortanix.com/hc/en-us/articles/4420883272596-User-s-Guide-Key-Metadata-Policy
- Enter the Key size.
- Enter the key Activation Date and key Deactivation Date.
- Select the permitted key operations under the Key operations permitted section.
- Add any key tags if required using ADD TAG.
- Click the GENERATE button to generate the key in Azure.
- The new Azure Key is created and represented with a special symbol to denote it is of type "External KMS". In the detailed view of the Azure key, you will notice the following things:
- The “key state” - whether the key is in a pre-active/active state based on the “activation date” selected during the key creation.
- The Azure Key Name appears on the top.
- The group to which it belongs (in the Group field). A special icon next to the group indicates whether the group is mapped to an Azure Key Vault.
- How the key was created (in the Created by field). For an Azure KMS key, this field shows the group that created the key, and whether that group is "Connected" or "Not Connected".
- The new key will be added to the Security Objects table.
Log in to the Azure console and verify that the new key was generated successfully.
Go to the AZURE KEY DETAILS tab to see the properties of the Azure Key such as the Version Number and Resource ID of the key.
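The verification step above can be scripted against the JSON that `az keyvault key show` returns. The following Python is an added example, not Fortanix code or part of the original guide: it parses a constructed sample of that output (the vault name, key name and version identifier are made-up), checks that the key name, protection level (software vs HSM) and permitted key operations match what was requested in Fortanix DSM, and derives the pre-active/active/deactivated state from the activation and deactivation dates.

```python
import json
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample of the JSON that `az keyvault key show` returns for a key
# generated from Fortanix DSM. Field names follow the Azure CLI output; the vault
# name, key name and version identifier are made-up values (assumptions).
SAMPLE_KEY_JSON = """
{
  "key": {
    "kid": "https://example-vault.vault.azure.net/keys/dsm-app-key/0a1b2c3d4e5f67890123456789abcdef",
    "kty": "RSA-HSM",
    "keyOps": ["encrypt", "decrypt", "wrapKey", "unwrapKey"]
  },
  "attributes": {
    "enabled": true,
    "notBefore": "2024-06-01T00:00:00+00:00",
    "expires": "2025-06-01T00:00:00+00:00",
    "recoveryLevel": "Recoverable+Purgeable"
  },
  "tags": {"owner": "dsm"}
}
"""


def parse_kid(kid):
    """Split a Key Vault key identifier URL into (vault host, key name, version)."""
    url = urlparse(kid)
    parts = url.path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "keys":
        raise ValueError("unexpected key identifier: %s" % kid)
    return url.hostname, parts[1], parts[2]


def key_state(attrs, now):
    """Map enabled/notBefore/expires onto the pre-active/active/deactivated
    states that the DSM detailed view shows."""
    if not attrs.get("enabled", False):
        return "deactivated"
    nbf = attrs.get("notBefore")
    exp = attrs.get("expires")
    if nbf and now < datetime.fromisoformat(nbf):
        return "pre-active"
    if exp and now >= datetime.fromisoformat(exp):
        return "deactivated"
    return "active"


def check_generated_key(raw_json, expected_name, permitted_ops, want_hsm, now_iso):
    """Compare the key Azure actually holds with what was requested in DSM.
    now_iso is an ISO-8601 timestamp with offset, e.g. 2024-07-01T00:00:00+00:00."""
    doc = json.loads(raw_json)
    now = datetime.fromisoformat(now_iso)
    vault, name, version = parse_kid(doc["key"]["kid"])
    kty = doc["key"]["kty"]
    problems = []
    if name != expected_name:
        problems.append("name mismatch: got %s" % name)
    # Hardware-protected keys carry a -HSM suffix in kty (RSA-HSM, EC-HSM, oct-HSM).
    if kty.endswith("-HSM") != want_hsm:
        problems.append("protection mismatch: kty=%s" % kty)
    # Operations granted in Azure beyond those permitted in DSM widen the blast radius.
    extra = sorted(set(doc["key"]["keyOps"]) - set(permitted_ops))
    if extra:
        problems.append("operations not permitted in DSM: %s" % extra)
    return {
        "vault": vault,
        "name": name,
        "version": version,
        "kty": kty,
        "state": key_state(doc["attributes"], now),
        "problems": problems,
    }


if __name__ == "__main__":
    print(check_generated_key(SAMPLE_KEY_JSON, "dsm-app-key",
                              ["encrypt", "decrypt", "wrapKey", "unwrapKey"],
                              True, "2024-07-01T00:00:00+00:00"))
```

To use it against a live vault, pipe the output of `az keyvault key show --vault-name <vault> --name <azure key name>` into `check_generated_key` with the name, operations and protection level you chose in the Add New Security Object form; an empty `problems` list means Azure holds what DSM asked for.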
4.2 Sync Keys
In the Azure CDC group detailed view, under the HSM/KMS tab (where the Azure Key Vault connection details are edited), click SYNC KEYS to import keys that exist in the key vault but are not yet represented in Fortanix DSM. On clicking SYNC KEYS, Fortanix DSM connects to Azure Key Vault, lists all the keys available there, and stores each of them as a virtual key.
4.3 Attributes/Tags Tab
This tab lists all the tags of the Azure key. You can add new tags using the NEW TAG button.
4.4 Azure Key Details
This tab displays details of the Azure key properties such as Resource ID and Key version number.
The AZURE KEY DETAILS tab also contains the SOFT-DELETE KEY option, which is explained in Section 4.7.
4.5 Security Objects Table View
After you add new Azure keys, go to the Security Objects page to view all the security objects from all the groups (Regular and HSM/External KMS).
In the security object table, every key belongs to a group; the virtual keys added from an Azure Key Vault belong to a group marked with a special symbol. The table continues to show all keys, whether or not they belong to an Azure KMS group.
4.6 Deactivate a Key in Azure CDC Group
When you deactivate an Azure key in Fortanix DSM, the action will deactivate the virtual key in Fortanix DSM and the actual key in the configured Azure Key Vault KMS will be disabled.
To deactivate a key:
- Select the Azure key to deactivate.
- In the security object detailed view, scroll down, and click the DEACTIVATE button.
4.7 Soft Delete a Key in Azure Key Vault
Soft delete removes a key from Azure Key Vault while keeping it recoverable for the vault's retention period. When a key that was already scanned into the Azure KMS group in Fortanix DSM is soft-deleted, and you then click SYNC KEYS in Fortanix DSM:
- The status of the key in the Azure KMS group becomes "soft-deleted in Azure".
- The key can only be recovered within the retention period configured on the key vault.
- If you recover the key, the virtual key becomes active again, and so does the actual key in Azure Key Vault.
- If you do not recover the key within the retention period, Azure Key Vault purges it automatically and the key is permanently deleted.
To delete a key from Azure Key Vault:
- Go to the detailed view of an Azure KMS virtual key and select the AZURE KEY DETAILS tab.
- Click the link SOFT DELETE KEY.
- In the Soft Key Deletion in Azure Key Vault window, select the confirmation “I understand that the key is not usable for Sign/Verify, Wrap/Unwrap or Encrypt/Decrypt operations once it is deleted.”
- Click SOFT DELETE KEY button to mark the key for deletion.
- You can recover the deleted key any time before the retention period ends using the RECOVER DELETED KEY link at the top of the detailed view of the virtual key. When this link is clicked, the key is recovered in Azure Key Vault with all its versions.
4.8 Delete a Key in Azure CDC Group
The DELETE KEY button will be enabled when the key material has been purged in Azure. When you click DELETE KEY, Fortanix DSM will remove the key backup blob, and hence the key cannot be restored.
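The soft-delete, recover and purge states described in Sections 4.7 and 4.8 depend on three things in Azure: the deletion timestamp, the scheduled purge date, and whether purge protection is enabled on the vault. The following Python is an added example, not Fortanix code or part of the original guide. It reads a constructed stand-in for `az keyvault key show-deleted` output (vault name, key name, dates and recovery level are made-up) and reports whether the key can still be recovered, how many days remain, whether a manual purge is blocked by purge protection, and whether the key has reached the point where the DELETE KEY button in DSM becomes available.

```python
import json
from datetime import datetime


# Constructed stand-in for `az keyvault key show-deleted` output. Field names
# follow the Azure CLI; the vault name, key name, dates and the default
# recovery level are assumptions made for this example.
def sample_deleted_key(recovery_level="Recoverable+Purgeable"):
    return json.dumps({
        "key": {
            "kid": "https://example-vault.vault.azure.net/keys/dsm-app-key/0a1b2c3d4e5f67890123456789abcdef",
            "kty": "RSA-HSM",
        },
        "attributes": {"enabled": True, "recoveryLevel": recovery_level},
        "deletedDate": "2024-07-01T10:00:00+00:00",
        "scheduledPurgeDate": "2024-09-29T10:00:00+00:00",
        "recoveryId": "https://example-vault.vault.azure.net/deletedkeys/dsm-app-key",
    })


def deleted_key_status(raw_json, now_iso):
    """Summarise where a soft-deleted key is in its retention window.
    now_iso is an ISO-8601 timestamp with offset."""
    doc = json.loads(raw_json)
    now = datetime.fromisoformat(now_iso)
    deleted_at = datetime.fromisoformat(doc["deletedDate"])
    purge_at = datetime.fromisoformat(doc["scheduledPurgeDate"])
    level = doc["attributes"].get("recoveryLevel", "")

    # Azure fills scheduledPurgeDate from the vault's retention setting, so the
    # gap between the two dates is the retention period actually in force.
    retention_days = (purge_at - deleted_at).days
    recoverable = now < purge_at

    # A recoveryLevel without the word "Purgeable" (for example "Recoverable")
    # means purge protection is on: nobody can purge the key early. With
    # "Recoverable+Purgeable" any principal holding the purge permission can
    # destroy the key before the retention period ends.
    purge_protected = "Purgeable" not in level

    return {
        "retention_days": retention_days,
        "days_until_purge": max((purge_at - now).days, 0),
        "state": "soft-deleted in Azure" if recoverable else "purged",
        "recoverable": recoverable,
        "manual_purge_blocked": purge_protected,
        # DSM only enables DELETE KEY for the virtual key once Azure has purged
        # the key material, i.e. after the retention window has passed.
        "dsm_delete_key_enabled": not recoverable,
    }


if __name__ == "__main__":
    print(deleted_key_status(sample_deleted_key(), "2024-08-01T10:00:00+00:00"))
    print(deleted_key_status(sample_deleted_key("Recoverable"), "2024-08-01T10:00:00+00:00"))
```

If `manual_purge_blocked` is false for a production key, consider enabling purge protection on the vault: without it, the retention period only protects against accidental deletion, not against a principal with purge rights destroying the key before the window ends.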
To delete a virtual key:
- Select the Azure key to delete.
- In the security object detailed view, scroll down and click the DELETE KEY button.
5.0 Rotate a Key in Azure CDC Group
5.1 Rotating Azure Native Key* with Another Native Key
*Native key is one where the key material was generated by Azure Key Vault.
When you rotate a virtual key in an Azure KMS group, Fortanix DSM generates a new version of the key under the same Azure key name in the configured Azure Key Vault. The new version becomes the current version that the Azure key name resolves to, and the virtual key in the Azure CDC group now points to it. Previous versions are not removed or disabled by the rotation; they remain in the key vault and can still be addressed by their version identifier.
To rotate a key in Azure Key Vault:
- Select the Azure virtual key to rotate.
- In the detailed view of the Azure virtual key, click the ROTATE KEY button.
- In the Key Rotation window, click the ROTATE KEY button to rotate the virtual key.
A new rotated key is now generated.
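Because rotation adds a version rather than replacing the key, it is worth confirming after each rotation which version is current and which older versions are still enabled. The following Python is an added example, not Fortanix code or part of the original guide. It parses a constructed stand-in for `az keyvault key list-versions` output (vault name, key name, version identifiers and timestamps are made-up), picks the newest version by creation time, and lists the earlier versions that remain enabled, so you can decide whether to deactivate them from DSM once nothing depends on them.

```python
import json
from datetime import datetime

# Constructed stand-in for `az keyvault key list-versions` output after one
# rotation. Field names follow the Azure CLI; the vault name, key name, version
# identifiers and creation times are assumptions made for this example.
SAMPLE_VERSIONS_JSON = """
[
  {"kid": "https://example-vault.vault.azure.net/keys/dsm-app-key/0a1b2c3d4e5f67890123456789abcdef",
   "attributes": {"enabled": true, "created": "2024-06-01T00:00:00+00:00"}},
  {"kid": "https://example-vault.vault.azure.net/keys/dsm-app-key/ffeeddccbbaa99887766554433221100",
   "attributes": {"enabled": true, "created": "2024-09-01T00:00:00+00:00"}}
]
"""


def split_kid(kid):
    """Return (key name, version) from .../keys/<name>/<version>."""
    _, name, version = kid.rstrip("/").rsplit("/", 2)
    return name, version


def rotation_report(raw_json):
    """Identify the current version and any older versions left enabled."""
    versions = json.loads(raw_json)
    names = {split_kid(v["kid"])[0] for v in versions}
    if len(names) != 1:
        raise ValueError("versions from more than one key: %s" % sorted(names))

    # Azure has no "current" flag in the list; the newest creation time is
    # the version the bare key name resolves to.
    ordered = sorted(versions,
                     key=lambda v: datetime.fromisoformat(v["attributes"]["created"]))
    current = ordered[-1]
    previous = ordered[:-1]
    return {
        "name": names.pop(),
        "current_version": split_kid(current["kid"])[1],
        "previous_versions": [split_kid(v["kid"])[1] for v in previous],
        # Old versions that are still enabled can still decrypt/unwrap data and,
        # if addressed by version, still sign; deactivate them when no longer needed.
        "still_enabled_previous": [split_kid(v["kid"])[1] for v in previous
                                   if v["attributes"].get("enabled", False)],
    }


def rotation_verified(raw_json, version_before):
    """True if the version recorded before rotating is now superseded."""
    report = rotation_report(raw_json)
    return (report["current_version"] != version_before
            and version_before in report["previous_versions"])


if __name__ == "__main__":
    print(rotation_report(SAMPLE_VERSIONS_JSON))
```

Record the version shown in the AZURE KEY DETAILS tab before you click ROTATE KEY, then pass it to `rotation_verified` with the fresh `list-versions` output: a true result means the rotation produced a new current version and the old one has moved into the history.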
5.2 Rotate Azure Native Key to Fortanix Data Security Manager Owned Key
When an Azure KMS virtual key whose key material is owned by Azure KMS is rotated, the user is given the option to rotate the virtual key with a Fortanix DSM-backed key. When the user selects this option and performs the rotation, a new virtual key is created, with the corresponding key in Azure KMS, which has the key material of the Fortanix DSM-backed key. As a result, the Azure KMS virtual key is backed by a Fortanix DSM Source key.
To rotate a virtual key with Fortanix DSM backed key:
- Click ROTATE KEY in the detailed view of an Azure virtual key.
- In the Key Rotation window, select the Rotate to DSM key check box.
- Select the Fortanix DSM group that contains the source key.
- Select the source key and click the ROTATE KEY button.
The Virtual key is successfully rotated and backed by the source key. To confirm go to the detailed view of the newly rotated Azure virtual key and click the AZURE KEY DETAILS tab. The SOURCE field now points to “FortanixHSM” instead of “External”.
For details on how to set up an Azure Key Vault-backed group in Fortanix DSM, refer to the User's Guide: Fortanix DSM Azure Key Vault Setup.
For details on how to perform BYOK key lifecycle management in Azure Key Vault using Fortanix DSM, refer to the User's Guide: Fortanix DSM Azure Key Vault Bring Your Own Key.