Overview
There are several ways to export SDKMS keys to major cloud providers that support BYOK for server-side encryption. This document describes the process for importing HSM-protected keys to Key Vault using Azure’s new method.
Actions to be performed on Azure
- Create a Key Vault if you do not already have one.
NOTE: This Key Vault should have premium subscription.
- Create an application (app) and add this app in the access policy for the Key Vault that you created.
- In the Key Vault, generate a key (referred to as a Key Exchange Key (KEK)). The KEK must be an RSA-HSM key that has only the
importkey operation. Only Key Vault Premium SKU supports RSA-HSM keys. NOTE: As of now you cannot create this key using Azure Key Vault UI as the UI does not allow setting “import” permission. This limitation will go away when the feature is generally available. For now use Azure CLI as follows::
az keyvault key create --kty RSA-HSM --size 2048 --name <KEK Name> --ops import --vault-name <Vault name> - Make note of the following information:
- KEK Identifier (Full URL)
- Key Vault name
Actions to be performed on SDKMS
Setup App
You will need to interact with SDKMS using an app. If you already have an app, then note the API key of the app, else create a new app. Make sure that the app you are going to use, has access to the group where the SDKMS key exists that you want to use for this BYOK operation. For instructions of how to add a group or app please refer to Getting Started Guide.
Fortanix SDKMS Azure BYOK tool
Log in to Fortanix support portal and download the Fortanix SDKMS Azure BYOK tool.
Prerequisites
In order to run Fortanix SDKMS Azure BYOK tool, you need following:
- Install sdkms-cli.
You can do this by running the command:pip install sdkms-cli
- Install Azure CLI:
Check https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-apt?view=azure-cli-latest
Running SDKMS Azure BYOK Tool
You can run this tool from any machine that can reach your SDKMS cluster over network. This tool performs following actions:
- Download the KEK public key from Azure Key Vault.
- Import this KEK public key into SDKMS.
- Generate an ephemeral AES 256 wrapping key in SDKMS.
- Wrap the ephemeral AES 256 wrapping key using KEK public key.
- Generate a new target key in SDKMS or use an existing one.
- Wrap your target key in SDKMS with ephemeral AES 256 wrapping key.
- Generate a BYOK file that Azure needs for performing the import operation.
- Perform the BYOK operation using the BYOK file generated.
You will need to provide the tool your Azure credentials, which will be used to authenticate to Azure and perform interactions with Azure Key Vault. You can do following to get these credentials:
- Log in to https://portal.azure.com.
- Register an App.
- Search App registrations in the search bar.
Figure 1: Search App Registrations - Register an application.
- Enter App name and then click the app to register.
Figure 2: Register App - Click Overview of app and note the Application (client) ID and Directory (tenant) ID.
Figure 3: Note App Overview details
- Enter App name and then click the app to register.
- Search App registrations in the search bar.
- Click Certificate & secrets and create a New client secret.
Figure 4: Add new Client Secret - Click API permissions, click Add a permission and add Azure Key Vault.
Figure 5: Add API Permissions
The tool takes the following arguments:
|
--azure-client-id |
User name, service principal, or managed service identity ID / Application ID |
|
--azure-client-secret |
Azure client secret |
|
--azure-tenant-id |
The AAD tenant |
|
--azure-kek-id |
Azure KEK Identifier (Full URL) |
|
--sdkms-api-endpoint |
SDKMS API Endpoint |
|
--sdkms-api-key |
SDKMS API Key |
|
--target-key-size |
RSA key size 2048, 3072, 4096 |
|
--target-key-name |
Name of the target key in Azure Key Vault |