Exporting Fortanix Data Security Manager keys to Cloud Providers for Bring Your Own Key (BYOK) - Azure Key Vault

1.0  Overview

There are several ways to export Fortanix Data Security Manager (DSM) keys to major cloud providers that support BYOK for server-side encryption. 

2.0  Prerequisite

Download Fortanix DSM CLI from here.

3.0  Configuration

3.1  Azure App Configuration

You will need to provide the tool your Azure credentials, which will be used to authenticate to Azure and perform interactions with Azure Key Vault. You can do the following to get these credentials:

  1. Log in to https://portal.azure.com/.
  2. Register an application. azure_byok1.png Figure 1: Initiate App Registration azure_byok2.png Figure 2: Register an App azure_byok3.png Figure 3: App Registered
  3. Upload a client certificate for the above application. Image_004_.pngFigure 4: Client Certificate for the App
    Create a client secret for the above application.
    Image_002_.pngFigure 5: Client Secret for the App
  4. Give the App permission to access the Azure Key Vault. azure_byok4.1.png Figure 6: Key Vault Permission to Access App
  5. Create an Azure Key Vault. azure_byok5.1.png Figure 7: Create Azure Key Vault
    Figure 8: Create Azure Key Vault
  6. Add the application in the Access Policy of the Key Vault. azure_byok8.png Figure 9: Add Access Policy azure_byok9.2.png Figure 10: Access Policy Added

3.2  Fortanix Data Security Manager Configuration

  1. Log in to Fortanix DSM ( https://<fortanix_dsm_url>/ ).
  2. Create an account in Fortanix DSM.
  3. Create a group in Fortanix DSM account.
  4. Create an app in Fortanix DSM.

 Refer to the Fortanix Getting Started Guide for instructions on how to do the Steps 1-4 above.

Ensure that the app you are going to use, has access to the group where the DSM key exists that you want to use for this BYOK operation.


4.0  Fortanix Data Security Manager with Azure Key Vault - Using Azure Key Vault Plugin

  1. Go to the Fortanix DSM home page and click the Plugins icon. sdkms_aws_byok10.png Figure 11: Plugins
  2. In the Plugins page, click the PLUGIN LIBRARY tab and then click the Self-Defending KMS-Azure Bring Your Own Key (BYOK) tile to load the associated plugin page with detailed information about the plugin, common use cases, setup, and format of the plugin inputs and outputs. azure_byok13.png Figure 12: Plugin Library
  3. In the "Self-Defending KMS-Azure Bring Your Own Key (BYOK) plugin" page, to install a plugin the user needs to click the GET PLUGIN button to go to the plugin creation page. azure_byok14.png Figure 13: Get Plugin
  4. Review the plugin name and assign it to a group, and then click Save. azure_byok15.png Figure 14: Review Plugin Details
  5. Now go to the detailed view of the plugin, where you can also test the plugin's request and response using the Test Plugin text box where you can paste a sample request from the plugin code and see the response in the Test output section. To configure and run the plugin click the INVOKE PLUGIN button. sdkms_aws_byok14.png Figure 15: Invoke Plugin
    • Tenant_id is “Directory ID of Vault”.
    • Client_ID and Client_secret are defined in Step 3 in Section 3.1.
    For more request and response operations go to Fortanix DSM Plugin Library -> <plugin-name> -> OVERVIEW page as shown in Figure 15.

For more details on how to use the Plugin Library, see the article https://support.fortanix.com/hc/en-us/articles/360041950371-User-s-Guide-Plugin-Library 


Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful