Fortanix DSM - Azure Key Vault Cloud Native Key Management

1.0 Introduction

Welcome to the Fortanix Data Security Manager (DSM) Azure Key Vault (AKV) Cloud Native Key Management (CNKMS) User Guide. This article describes how to perform native key lifecycle management in Azure Key Vault using Fortanix DSM.

The Fortanix solution for AKV offers complete Cloud Native Key Management (CNKMS), as explained in this guide, as well as Bring Your Own Key (BYOK) with complete lifecycle management for automation.

2.0 Getting Started with Fortanix Cloud Data Control

To understand which solution (CNKMS, BYOK, or Bring Your Own Encryption (BYOE)) is right for you, see the Fortanix Data Security Manager Cloud Data Control Getting Started Guide.

3.0 Fortanix Azure Key Vault CNKMS Workflows Overview

  • Generate: Navigate to a CDC group, select "Generate in Azure", select a supported algorithm type and key size, and click Generate to generate the key in the Azure Key Vault key repository.
  • Rotate: Rotate the key that was originally generated in Azure Key Vault by navigating to it in the Azure CDC group. Otherwise, if the source is "Fortanix DSM", see the Azure BYOK User Guide. 
  • Disable/Enable: Navigate to the detailed view of the key in the Azure CDC group and disable or enable it from Fortanix DSM. 
  • Schedule/Soft Key Deletion: Azure will not allow you to natively delete a key directly unless you explicitly schedule it for deletion and the mandatory waiting period expires (set at the Key Vault, default 90 days). Additionally, there is an optional “Purge Protection” setting that you can enable in Azure to avoid manual purge of keys (minimum 7 days).
    (More info: https://learn.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview)
    Navigate to the detailed view of the key in the Azure CDC group and in the Azure KEY DETAILS tab, schedule the key for deletion.

4.0 Fortanix Data Security Manager Azure KMS Security Objects

4.1 Create a Key in Azure CDC Group - Generate (Software-Backed Key Vault and HSM-Backed Key Vault)

You can generate a key in a configured Azure KMS (Software-backed or HSM-backed key vault).

4.1.1 Generate a Key

This action will generate the configured key type in the software-backed Azure Key Vault, and it will be represented as a virtual key in the corresponding Azure CDC group. This means that the virtual key in the Azure CDC group will point to the actual key in the Software-backed/HSM-backed Azure Key Vault that stores the key material of this new key. The virtual key only stores the key information and key attributes, but it does not have the key material.

In your Fortanix DSM console, follow the process below to create a new key:

  1. Click the Security Objects tab.
  2. Click the Add icon to create a new Security Object.
  3. In the Add New Security Object form, enter a name for the Security Object (Key).
  4. Select the This is an HSM/external KMS object check box. This will show the Azure CDC configured groups in the Select group list.
  5. In the Azure group list, select the Azure group into which the keys will be generated. The Key vault name associated with the Azure group is displayed. 
  6. Select GENERATE IN AZURE to initiate the generate key in Azure workflow.
  7. If the key vault associated with the Azure group is a Premium key vault, then in the Create key as section, select Software protected keys or Hardware protected keys. For the Standard key vault, the key is created as software-protected by default.
  8. Enter the Azure key name: The Azure key name is the key name that will be stored in Azure Key Vault. The Azure key name will be used to correlate between different versions of a key. All the key versions will have the same Azure key name.
  9. Select the key type for the new Azure KMS key.
    NOTE
    The allowed key types for an Azure key generated using the Generate Key button are:
    • Standard key vault:
      • RSA key pairs (RSA_2048, RSA_3072, and RSA_4096).
      • Elliptic curve key pairs (ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, and ECC_SECG_P256K1).
    • Premium key vault:
      • RSA key pairs (RSA_2048, RSA_3072, and RSA_4096).
      • Elliptic curve key pairs (ECC_NIST_P256, ECC_NIST_P384, and ECC_NIST_P521).
    These key types can further be restricted by setting a crypto policy for the account or group. For more details about the crypto policy, please refer to the article: https://support.fortanix.com/hc/en-us/articles/360042064051-User-s-Guide-Crypto-Policy.

    The key types can also be restricted by setting a Key metadata policy for the group. For more details about the Key metadata policy, refer to the article:  https://support.fortanix.com/hc/en-us/articles/4420883272596-User-s-Guide-Key-Metadata-Policy

  10. Enter the Key size.
  11. Enter the key Activation Date and key Deactivation Date.
  12. Select the permitted key operations under the Key operations permitted section.
  13. Add any key tags if required using ADD TAG.
  14. Click the GENERATE button to generate the key in Azure. 
  15. The new Azure Key is created and represented with a special symbol to denote it is of type "External KMS". In the detailed view of the Azure key, you will notice the following things:
    • The “key state” - whether the key is in a pre-active/active state based on the “activation date” selected during the key creation. 
    • The Azure Key Name appears on the top.
    • The group to which it belongs (in the Group field). It also shows if the group is mapped to Azure Key Vault or not using a special icon.
    • How the key was created (in the Created by field). If it is an Azure KMS key, this field shows the group that created this key. It also shows minor details such as if the group is “Connected” or “Not Connected”.
  16. The new key will be added to the Security Objects table. 
    TIP
    • You can also access the new key from the Group detailed view from the SECURITY OBJECTS tab.
    • You can also add a new key from the Group detailed view from the SECURITY OBJECTS tab, click ADD SECURITY OBJECT, and follow steps 3-13 above.
    Go to the AZURE KEY DETAILS tab to see the properties of the Azure Key such as the Version Number and Resource ID of the key.
    Log in to the Azure console and verify if the new key is generated successfully.
    NOTE
    When a new key is created in the Azure Key Vault from Fortanix DSM, a backup blob for the key (along with its key versions) will be downloaded from Azure and saved into Fortanix DSM when a SYNC is performed on the group.

4.2 Sync Keys

When you edit the Azure Key Vault connection details in the Azure CDC group detailed view under HSM/KMS tab, click SYNC KEYS to import new keys. On clicking SYNC KEYS, Fortanix DSM connects to Azure Key Vault and gets all the keys available. Fortanix DSM then stores them as virtual keys.

NOTE

  • When keys are synced with Azure Key Vault, an encrypted backup of the newly discovered keys from the Key Vault is escrowed into Fortanix DSM. In the event of a key being purged from the Key Vault, this escrow can be used to restore the key. The actual key material for those keys is always stored in Azure Key Vault.
  • Clicking SYNC KEYS only returns the keys from Azure Key Vault that are not present in Fortanix DSM. That is, every click will append only new keys to Fortanix DSM.
  • The time taken to sync keys from the Azure Key Vault to DSM is a function of the number of keys in the Azure Key Vault and the network latency between the Azure location and DSM. It can take several minutes if there are hundreds of keys and significant network latency.

4.3 Attributes/Tags Tab

This tab will have all the tags of the software-backed Azure key. You can add new tags using the NEW TAG button.

4.4 Azure Key Details

This tab displays details of the Azure key properties such as Resource ID and Key version number.

The AZURE KEY DETAILS tab also contains the SOFT-DELETE KEY option, which is explained in Section 5.8.

4.5 Security Objects Table View

After you add new Azure keys, go to the Security Objects page to view all the security objects from all the groups (Regular and HSM/External KMS).

In the security object table, you will notice that every key belongs to a group, and that keys which are virtual keys added from an Azure Key Vault belong to a group marked with a special symbol. The security objects table view will continue to show all the keys irrespective of whether they belong to an Azure KMS group or not.

4.6 Deactivate a Key in Azure CDC Group

When you deactivate an Azure key in Fortanix DSM, the action will deactivate the virtual key in Fortanix DSM and the actual key in the configured Azure Key Vault KMS will be disabled.

To deactivate a key:

  1. Select the Azure key to deactivate.
  2. In the security object detailed view, scroll down, and click the DEACTIVATE button.

4.7 Soft Delete a Key in Azure Key Vault

Soft delete deletes a key that was already scanned into the Azure KMS group in Fortanix DSM from the Azure Key Vault, and leaves a link to recover this key. Now, when you click SYNC KEYS in Fortanix DSM:

  • The status of the key in the Azure KMS group will become “soft-deleted in Azure”.
  • The key can only be recovered for a retention period set in the key vault.
  • If you choose to recover this key, both the virtual key and the actual key in the Azure Key Vault will become active.
  • If you do not recover the key within the retention period, the Azure key vault will automatically purge and delete the key permanently.

To delete a key from Azure Key Vault:

  1. Go to the detailed view of an Azure KMS virtual key and select the AZURE KEY DETAILS tab.
  2. Click the link SOFT DELETE KEY.
  3. In the Soft Key Deletion in Azure Key Vault window, select the confirmation “I understand that the key is not usable for Sign/Verify, Wrap/Unwrap or Encrypt/Decrypt operations once it is deleted.”
  4. Click the SOFT DELETE KEY button to mark the key for deletion.
  5. You can recover the deleted key any time before the retention period ends using the RECOVER DELETED KEY link on the top of the screen in the detailed view of the virtual key. When the “Recover Key” link is clicked, the key will be recovered back in Azure Key Vault with all its versions.

NOTE

  • When the retention period ends, the key gets purged and deleted permanently. However, even if the key is purged in Azure Key Vault, if the key was imported from Fortanix DSM, then the same key material can be re-imported into Azure Key Vault from the backup blob.
  • In the Azure Key Vault, when a key is deleted, all its versions get deleted along with it and when restored, all its versions are restored together.
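The retention window described in this section can be tracked from the Azure side as well. The following is an added example, not part of the Fortanix guide or product: it triages soft-deleted keys by days remaining before automatic purge. It assumes input shaped like the JSON printed by `az keyvault key list-deleted`; the sample records, the vault name, and the `escrowed_names` input (key names you know have a backup blob in Fortanix DSM) are constructed or hypothetical.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like `az keyvault key list-deleted` output (not real data).
SAMPLE_DELETED = """[
  {"recoveryId": "https://example-vault.vault.azure.net/deletedkeys/archive-wrap",
   "deletedDate": "2024-02-20T00:00:00+00:00",
   "scheduledPurgeDate": "2024-05-20T00:00:00+00:00",
   "attributes": {"recoveryLevel": "Recoverable", "recoverableDays": 90}},
  {"recoveryId": "https://example-vault.vault.azure.net/deletedkeys/payments-signing",
   "deletedDate": "2023-12-09T00:00:00+00:00",
   "scheduledPurgeDate": "2024-03-08T00:00:00+00:00",
   "attributes": {"recoveryLevel": "Recoverable+Purgeable", "recoverableDays": 90}}
]"""


def triage_deleted_keys(deleted_json, now, escrowed_names, warn_days=14):
    """Rank soft-deleted keys by time left before Azure purges them."""
    rows = []
    for item in json.loads(deleted_json):
        # The key name is the last path segment of the recovery URL.
        name = item["recoveryId"].rstrip("/").rsplit("/", 1)[-1]
        purge_at = datetime.fromisoformat(item["scheduledPurgeDate"])
        days_left = (purge_at - now).days
        level = item["attributes"].get("recoveryLevel", "")
        escrowed = name in escrowed_names
        if days_left > warn_days:
            action = "monitor"
        elif escrowed:
            action = "review before purge"
        else:
            action = "urgent: recover or accept permanent loss"
        rows.append({
            "name": name,
            "days_left": days_left,
            # "Purgeable" in the level means purge protection is off, so the
            # key can also be purged manually before the scheduled date.
            "manual_purge_possible": "Purgeable" in level,
            "escrowed_in_dsm": escrowed,
            "action": action,
        })
    return sorted(rows, key=lambda r: r["days_left"])


if __name__ == "__main__":
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed clock for the sample
    for row in triage_deleted_keys(SAMPLE_DELETED, now, {"archive-wrap"}):
        print(row)
```
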

4.8 Delete a Key in Azure CDC Group

The DELETE KEY button will be enabled when the key material has been purged in Azure. When you click DELETE KEY, Fortanix DSM will remove the key backup blob, and hence the key cannot be restored.

To delete a virtual key:

  1. Select the Azure key to delete.
  2. In the security object detailed view, scroll down and click the DELETE KEY button.

5.0 Rotate a Key in Azure CDC Group

5.1 Rotating Azure Native Key* with Another Native Key

*Native key is one where the key material was generated by Azure Key Vault.

When you rotate a virtual key in an Azure KMS group, the action will rotate the key inside the Azure Key Vault by generating another new version of the key within the configured Azure Key Vault in a nested way by moving the key alias from the old key to the new key.

To rotate a key in Azure Key Vault:

  1. Select the Azure virtual key to rotate.
  2. In the detailed view of the Azure virtual key, click the ROTATE KEY button. 
  3. In the Key Rotation window, click the ROTATE KEY button to rotate the virtual key. 
    A new rotated key is now generated.

5.2 Rotate Azure Native Key to Fortanix Data Security Manager Owned Key

When an Azure KMS virtual key whose key material is owned by Azure KMS is rotated, the user is given the option to rotate the virtual key with a Fortanix DSM-backed key. When the user selects this option and performs the rotation, a new virtual key is created, with the corresponding key in Azure KMS, which has the key material of the Fortanix DSM-backed key. As a result, the Azure KMS virtual key is backed by a Fortanix DSM Source key.

To rotate a virtual key with Fortanix DSM backed key:

  1. Click ROTATE KEY in the detailed view of an Azure virtual key.
  2. In the Key Rotation window, select the Rotate to DSM key check box.
  3. Select the Fortanix DSM group that contains the source key.
  4. Select the source key and click the ROTATE KEY button. 

The virtual key is successfully rotated and backed by the source key. To confirm, go to the detailed view of the newly rotated Azure virtual key and click the AZURE KEY DETAILS tab. The SOURCE field now points to “FortanixHSM” instead of “External”.

For details on how to set up an Azure Key Vault-backed group in Fortanix DSM, refer to the User's Guide: Fortanix DSM Azure Key Vault Setup.

For details on how to perform BYOK key lifecycle management in Azure Key Vault using Fortanix DSM, refer to the User's Guide: Fortanix DSM Azure Key Vault Bring Your Own Key.
