There are several ways to export Self-Defending KMS keys to major cloud providers that support BYOK for server-side encryption.
Download Self-Defending KMS CLI from here.
Azure Key Vault supports direct import of key material. Generate an exportable AES key in Self-Defending KMS and export its value to upload the key to Azure.
1. Create a 256-bit AES key in Self-Defending KMS with the
EXPORT key operation enabled.
$ python sdkms-cli create-key --obj-type AES --key-size 256 --name Azure-Cloud-Master-Key --exportable
2. Export this key in your application environment.
$ python sdkms-cli export-object --name Azure-Cloud-Master-Key
You have to choose to upload your key either as a software or hardware key depending on your requirement.