1.0 Introduction
Welcome to the Fortanix Data Security Manager (DSM) and Azure Key Vault (AKV) Bring Your Own Key (BYOK) User Guide. This document describes how to perform BYOK lifecycle management in AKV using Fortanix DSM.
The Fortanix solution for AKV offers complete Bring Your Own Key (BYOK), as explained in this article, as well as Cloud Native Key Management (CNKMS) with complete lifecycle management for automation.
2.0 Getting Started with Fortanix Cloud Data Control
To understand which solution between CNKMS, BYOK, or Bring Your Own Encryption (BYOE) is right for you, please see the Fortanix Data Security Manager Cloud Data Control Getting Started Guide.
3.0 Azure Key Vault Group Setup and Cloud Native Key Management
For details on how to set up an Azure-backed group in Fortanix DSM, refer to the User's Guide: Fortanix DSM Azure Key Vault Setup.
For details on how to perform native key lifecycle management in Azure Key Vault using Fortanix DSM, refer to the User's Guide: Fortanix DSM Azure Key Vault Cloud Native Key Management.
4.0 Fortanix Azure BYOK Workflows Overview
- Generate key: Navigate to a source key in Fortanix DSM and copy the key into an Azure CDC group to create a linked key and a BYOK key in Azure Key Vault.
- Rotate source key: Rotate the source key that was originally generated in Fortanix DSM and click ROTATE LINKED/COPIED KEYS.
- Disable/Enable: Navigate to the detailed view of the key in the Azure CDC group and disable or enable it from Fortanix DSM.
- Soft delete a key: Navigate to the detailed view of an Azure virtual key and in the AZURE KEY DETAILS tab click the link SOFT DELETE KEY.
5.0 Fortanix Data Security Manager Azure KMS Security Objects
You can generate a key in a configured Azure KMS (Software-backed or HSM-backed Key Vault).
5.1 Bring Your Own Key - Copy Key to Azure Key Vault
Use this option when you want to generate a key in Fortanix DSM and then import the key into the configured Azure Key Vault. The copy-key-to-Azure feature copies a security object from one regular Fortanix DSM group to another regular or Azure KMS Fortanix DSM group. This feature has the following advantages:
- Maintains a single source of key material while using or importing that key into various Fortanix DSM groups, where applications may need to use a single key to meet business objectives.
- Maintains a link of various copies of the same key material to the source key for audit and tracking purposes.
The following actions will happen as part of the copy key operation:
- A new key will be created in the target group with the same key material as the original.
- The copied keys link to the source key: a link is maintained from every copied key to the source key.
- The source key will also have basic metadata about the linked keys, such as:
- Copied by <user-name/app id>
- Date of Copy <time stamp>
- Target copy group name
To copy a key from a regular Fortanix DSM group to an Azure CDC group:
- Generate an RSA or EC key in Fortanix DSM, if the key is not already present.
- Go to the detailed view of the key and click the NEW OBJECT icon on the far right of the screen.
- In the menu that appears, click the COPY KEY button.
- In the COPY KEY window, update the name of the key if required using the edit icon.
- Select the Import key to HSM/External KMS check box to filter the groups so that only HSM/AWS KMS/Azure KMS groups are shown. Select the Azure CDC group into which the copied key should be imported.
- If the key vault associated with the Azure CDC group is a Premium key vault, then in the Create key as section, select Software protected or Hardware protected. For the Standard key vault, the key is created as software-protected by default.
- Enter the Azure key name.
- Update KEY PERMISSIONS if you want to modify the permissions of the key.
- Click CREATE COPY to create a copy of the key as shown in the figure above.
- The source key will now appear as a key link in the KEY LINKS tab in the detailed view of the copied key.
5.2 Bring Your Own Key - Import Key
This action imports the configured key type directly into the software-backed Azure Key Vault, and the key is represented as a virtual key in the corresponding Azure CDC group. The virtual key in the Azure CDC group points to the actual key in the Azure Key Vault, which holds the key material. The virtual key stores only the key information and key attributes; it does not hold the key material, and the import action does not store a copy of the key material in Fortanix DSM.
- Click the Security Objects tab.
- Click the add icon to create a new Security Object.
- In the Add New Security Object form enter a name for the Security Object (Key).
- Select the This is an HSM/external KMS object check box. This filters the Select group list to show only the configured HSM/external KMS groups, including the Azure CDC groups.
- In the Select group list, select the Azure CDC group into which the key will be imported. The key will be created in the region that was selected in the Azure CDC group.
- Select IMPORT to initiate the import key in Azure workflow.
- If the key vault associated with the Azure group is a Premium key vault, then in the Create key as section, select Software protected keys or Hardware protected keys. For the Standard key vault, the key is created as software-protected by default.
- Enter the Azure key name.
- Select the key type for the new Azure KMS key.
- Sometimes an RSA key that needs to be imported from a file was previously wrapped (encrypted) by a key from Fortanix DSM, so that the key material does not travel over TLS in plaintext. In such scenarios, select the The key has been encrypted check box.
- Next, enter or select a Key ID or SO name in the Select Key Encryption Key section. This key is used to unwrap (decrypt) the encrypted key in the file, which will later be stored securely in Fortanix DSM. The key-encryption key must already have been created in or imported into Fortanix DSM.
- Click UPLOAD A FILE to upload the key file in Raw, Base64, or Hex format.
- Enter the key Expiration Date and key Activation Date.
- Select the permitted key operations and any key tags if required using ADD TAG.
- Click IMPORT to import the key.
- The key is successfully imported.
5.3 Sync Keys
When you edit the Azure Key Vault connection details in the HSM/KMS tab of the Azure CDC group detailed view, click SYNC KEYS to import new keys. On clicking SYNC KEYS, Fortanix DSM connects to the Azure Key Vault, retrieves all the keys available there, and stores them as virtual keys.
5.4 Attributes/Tags Tab
This tab will have all the tags of the software-backed Azure key. You can add new tags using the NEW TAG button.
5.5 Azure Key Details
This tab displays details of the Azure key properties such as Resource ID and Key version number.
The AZURE KEY DETAILS tab also contains the SOFT DELETE KEY option, which is explained in Section 5.8.
5.6 Security Objects Table View
After you add new Azure keys, go to the Security Objects page to view all the security objects from all the groups (Regular and HSM/External KMS).
In the security objects table, every key belongs to a group; keys that are virtual keys added from an Azure Key Vault belong to a group marked with a special symbol. The table continues to show all keys regardless of whether they belong to an Azure KMS group.
5.7 Deactivate a Key in Azure CDC Group
When you deactivate an Azure key in Fortanix DSM, the virtual key is deactivated in Fortanix DSM and the actual key in the configured Azure Key Vault is disabled.
To deactivate a key:
- Select the Azure key to deactivate.
- In the security object detailed view, scroll down, and click the DEACTIVATE button.
5.8 Soft-Delete a Key in Azure Key Vault
Soft delete removes a key from the Azure Key Vault that was already synced into the Azure KMS group in Fortanix DSM, while keeping a link through which the key can be recovered. After the soft delete, when you click SYNC KEYS in Fortanix DSM:
- The status of the key in the Azure KMS group will become “soft-deleted in Azure”.
- The key can only be recovered for a retention period set in the key vault.
- If you choose to recover this key, the virtual key becomes active again and the actual key becomes active in the Azure Key Vault.
- If you do not recover the key within the retention period, the Azure key vault will automatically purge and delete the key permanently.
To delete a key from Azure Key Vault:
- Go to the detailed view of an Azure KMS virtual key and select the AZURE KEY DETAILS tab.
- Click the link SOFT DELETE KEY.
- In the Soft Key Deletion in Azure Key Vault window, select the confirmation “I understand that the key is not usable for Sign/Verify, Wrap/Unwrap or Encrypt/Decrypt operations once it is deleted.”
- Click the SOFT DELETE KEY button to mark the key for deletion.
- You can recover the deleted key any time before the retention period ends using the RECOVER DELETED KEY link at the top of the screen in the detailed view of the virtual key. When the Recover Key link is clicked, the key is recovered in Azure Key Vault with all its versions.
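The retention window above is enforced on the Azure side, so a defender's check is to confirm from Azure which soft-deleted keys are close to automatic purge before the recover option disappears. The script below is an added example, not Fortanix or Azure code: it reads the JSON that `az keyvault key list-deleted --vault-name <vault>` prints (the field names name, scheduledPurgeDate and recoveryId are assumed from the Azure CLI output) and the sample input is constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of `az keyvault key list-deleted` output
# (field names assumed from the Azure CLI; the vault and key names are made up).
SAMPLE_DELETED_KEYS = json.dumps([
    {"name": "dsm-copied-rsa",
     "deletedDate": "2024-05-01T10:00:00+00:00",
     "scheduledPurgeDate": "2024-07-30T10:00:00+00:00",
     "recoveryId": "https://example-vault.vault.azure.net/deletedkeys/dsm-copied-rsa"},
    {"name": "legacy-ec",
     "deletedDate": "2024-02-01T10:00:00+00:00",
     "scheduledPurgeDate": "2024-05-05T10:00:00+00:00",
     "recoveryId": "https://example-vault.vault.azure.net/deletedkeys/legacy-ec"},
])


def _parse_ts(value: str) -> datetime:
    # The CLI emits ISO 8601 timestamps; accept a trailing "Z" as well as "+00:00".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def keys_near_purge(list_deleted_json: str, now_iso: str, warn_days: int = 7) -> list:
    """Return soft-deleted keys whose scheduled purge is within warn_days of now_iso.

    days_left is fractional days until the purge; a negative value means the
    purge date has passed and the next SYNC KEYS in DSM will show the key as gone.
    recovery_id is the Azure-side handle needed to recover the key before that.
    """
    now = _parse_ts(now_iso)
    findings = []
    for entry in json.loads(list_deleted_json):
        days_left = (_parse_ts(entry["scheduledPurgeDate"]) - now) / timedelta(days=1)
        if days_left <= warn_days:
            findings.append({
                "name": entry["name"],
                "days_left": round(days_left, 1),
                "recovery_id": entry["recoveryId"],
            })
    # Most urgent first.
    return sorted(findings, key=lambda f: f["days_left"])


if __name__ == "__main__":
    for f in keys_near_purge(SAMPLE_DELETED_KEYS, "2024-05-03T00:00:00+00:00"):
        print(f"{f['name']}: {f['days_left']} days until purge (recover via {f['recovery_id']})")
```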
5.9 Delete a Key in Azure CDC Group
The DELETE KEY button is enabled once the key material has been purged in Azure. When you click DELETE KEY, Fortanix DSM removes the key backup blob, so the key can no longer be restored.
To delete a virtual key:
- Select the Azure key to delete.
- In the security object detailed view, scroll down and click the DELETE KEY button.
6.0 Rotate a Key In Azure CDC Group
6.1 Rotating Keys in Fortanix DSM Source Group
Prerequisites: This scenario requires creating a regular Fortanix DSM group with source keys copied to the Azure CDC group.
When a key that belongs to a Fortanix DSM source group is rotated and it has linked keys (copies with the same key material as the source key), the user is given the option to select the linked keys for rotation. If these linked keys are part of an Azure CDC group, rotating them also rotates the keys in Azure Key Vault by making nested copies of the keys in the configured Azure Key Vault.
- Click ROTATE KEY in the detailed view of a Fortanix DSM Source Key.
- In the KEY ROTATION window, select the Rotate linked keys check box.
- Select the Azure Virtual Keys that need to be rotated along with the Fortanix DSM source key and click ROTATE KEY to rotate the linked key.
- Once the keys are rotated, click the OK button.
You can also schedule a key rotation policy for the Fortanix DSM source key such that the linked Azure keys that are copies of the source keys are also periodically rotated automatically.
To schedule a key rotation policy for the source key:
- Go to the detailed view of the source key in the Fortanix DSM UI.
- In the detailed view, click the KEY ROTATION tab and click the ADD POLICY button.
- Enter the key rotation schedule by specifying the rotation frequency, start date, and time.
- To deactivate the old key after key rotation, select the Deactivate original key after the rotation check box.
- To rotate the linked copied keys, select the Rotate all copied keys check box.
- Click SAVE POLICY to save the policy.
For more information on the key rotation policy, refer to the User’s Guide: Key Lifecycle Management.
6.2 Rotate Azure Native Key to Fortanix DSM Owned Key
When an Azure KMS virtual key whose key material is owned by Azure KMS is rotated, the user is given the option to rotate the virtual key to a Fortanix DSM-backed key. When the user selects this option and performs the rotation, a new virtual key is created, together with the corresponding key in Azure KMS, which carries the key material of the Fortanix DSM-backed key. As a result, the Azure KMS virtual key is backed by a Fortanix DSM source key.
To rotate a virtual key to a Fortanix DSM-backed key:
- Click ROTATE KEY in the detailed view of an Azure virtual key.
- In the Key Rotation window, select the Rotate to DSM key check box.
- Select the Fortanix DSM group that contains the source key.
- Select the source key and click the ROTATE KEY button.
The virtual key is now rotated and backed by the source key. To confirm, go to the detailed view of the newly rotated Azure virtual key and click the AZURE KEY DETAILS tab. The SOURCE field now shows “FortanixHSM” instead of “External”.
Comments
Section 3 of this document about Azure CDC mistakenly (I think) references AWS - https://support.fortanix.com/hc/en-us/articles/11620525047828-Fortanix-DSM-Azure-Key-Vault-Bring-Your-Own-Key-BYOK-#:~:text=3.0-,Fortanix%20AWS%20BYOK%20Workflows%20Overview,-Generate%20key%3A%20Navigate