Fortanix DSM - Azure Key Vault CDC Group Setup

1.0 Introduction

Welcome to the Fortanix Data Security Manager (DSM) Azure Key Vault (AKV) Cloud Native Key Management (CNKMS) User Guide. This article describes how to set up a CDC Group for Azure Key Vault using Fortanix DSM.

The Fortanix solution for Azure Key Vault (AKV) offers complete Cloud Native Key Management (CNKMS), and Bring Your Own Key (BYOK), with complete lifecycle management for automation.

This article will walk you through setting up a Cloud Data Control (CDC) Group which will be used for both CNKMS and BYOK Workflows.

To understand which solution between CNKMS, BYOK, or BYOE is right for you, see Fortanix Data Security Manager Cloud Data Control Getting Started Guide.

1.1 Overview

The Fortanix solution for AKV Key Management offers complete Bring Your Own Key (BYOK) and lifecycle management for the management and automation of Azure keys and allows users to manage all keys centrally and securely.

1.2 Types of Azure BYOK Flows

1. Fortanix DSM key BYOK into Standard Tier Azure Key Vault (Software-protected: FIPS 140-2 Level 1compliance)
2. Fortanix DSM Key BYOK into Premium Tier Azure Key Vault (HSM-protected: FIPS 140-2 Level 2 compliance)
3. Fortanix DSM key BYOK from Fortanix DSM as HSM into Azure Key Vault HSM using custom Key wrapping inside Fortanix DSM
4. Fortanix BYOK into Azure Managed HSM (HSM-protected: Azure FIPS 140-2 Level 3 compliance).

2.0 Getting Started with Fortanix Cloud Data Control

To understand which solution between CNKMS, BYOK, or Bring Your Own Encryption (BYOE) is right for you, see Fortanix Data Security Manager Cloud Data Control Getting Started Guide.

3.0 Fortanix Data Security Manager Azure CDC Group Setup

3.1 Azure App Configuration

You will need to provide the tool with your Azure credentials, which will be used to authenticate to Azure and perform interactions with Azure Key Vault. You can do the following to get these credentials:

1. Log in to https://portal.azure.com/.
2. Register an application.  Figure 1: Initiate App Registration  Figure 2: Register an App Figure 3: App Registered
3. Upload a client certificate or create a client for the above application. Figure 4: Client Certificate for the App
   
   Figure 5: Client Secret for the App
4. Give the App permission to access the Azure Key Vault. Figure 6: Key Vault Permission to Access App  Figure 7: Key Vault Permission to Access App
5. Create an Azure Key Vault. Figure 8: Create Azure Key Vault
   
   Figure 9: Create Azure Key Vault
6. Add the application to the Access Policy of the Key Vault. Figure 10: Add Access Policy Figure 11: Access Policy Added

3.2 DSM and Azure Configuration Prerequisites

To configure the Azure-backed Fortanix DSM group, the following are the prerequisites that the app in Azure Cloud Data Control (CDC) must have to authenticate the Fortanix DSM group with Azure Key Management Services.

• The app’s API permissions to access the Key Vault. Refer to Figure 6 and Figure 7 above for more details.
• Adding the app to the Access Policy of the Key Vault. Refer to Figure 10 above for more details.
  NOTE

  The access policies for the Azure app registered to the key vault should include the following permissions: "GET", "LIST", "UPDATE", "CREATE", "IMPORT", "DELETE", "RECOVER", "BACKUP", "RESTORE", "PURGE".
• Register the app as a key-vault contributor in role assignment.
  • In the Azure portal, open your Key Vault.
  • Click Access Control (IAM) -> Add -> Add role assignment.
  • In the Add role assignment panel, select the Role as Key Vault Contributor.
  
                                Figure 11: Add role assignment

3.3 Configure the Azure CDC Group

1. In the Fortanix DSM Groups page, click the button to create a new Azure KMS group. 
2. In the Add new group form,
   1. Enter a name and description for your group.
   2. Next, click the LINK HSM/EXTERNAL KMS button to choose the Azure KMS type, so that Fortanix DSM can connect to it.
   3. Select the HSM/external KMS type as Azure Key Vault in the drop down menu.
   4. In the Choose Service field, select from the following Azure services that you want to authenticate against and establish a successful key vault connection. You can choose from the following Azure services:
      • global Azure
      • Azure for US Government
      Select the “global Azure” option to authenticate and upload the key material to any non-US government Azure service, or select the “Azure for US Government” option to authenticate and upload key material to the specific Azure service set aside for the US government
      
      NOTE

      To use Azure US Government, you need to be a US citizen associated with the US Federal Government or a US government contractor. Refer to the Cloud Provider's documentation about access to these environments.
   5. Use the credentials created in Section 3.1 to set up an Azure-backed Fortanix DSM Group. Azure subscriptions have a trust relationship with Azure Active Directory (Azure AD).
      In the Authentication section, enter the Azure KMS account credentials:
      
      • Tenant ID: Each subscription has a Directory ID/Tenant ID. Enter the Tenant ID.
      • Client ID: Enter the Application ID/Client ID of the app registration you created. This value can be found on the app registration’s Overview screen.
      • Subscription ID: The Subscription ID is the ID of your Azure AD subscription containing the Key Vaults associated with that Subscription ID. You can get the subscription ID by navigating to Subscriptions in the Azure portal. Refer to Azure Subscriptions and Roles for more details.
        
        You can authenticate with Azure Key Vault using either of the following options:
      • Client Secret: A secret string that a registered application in Azure uses to prove its identity when requesting a token at a web-addressable location (using an HTTPS scheme). Client Secret is also referred to as an application password. Enter the “Value” of the Client Secret from the “Client secrets” section in Azure.
      • Token authentication certificate configuration: Click the + ADD AUTHENTICATION CERTIFICATE button to upload a client certificate and private key (Fortanix DSM Certificate and Key). This allows Fortanix DSM to authenticate itself to the Azure Key vault and vice versa. Ensure that the certificate file is in cer, pem, or crt format.
   6. Click the SAVE button.
      Refer to Figure 3 and Figure 5 in Section 3.1: Azure App Configuration to get the Tenant ID, Client ID, and Client Secret.
3. Add a TLS configuration (optional). For more details refer to Section 3.5: Add TLS Configuration (Optional).
4. Click TEST CONNECTION to test your Azure KMS connection. If Fortanix DSM is able to connect to your Azure Key Vault using your connection details, then it shows the status as “Connected” with a green tick and fetches the key vaults associated with the Subscription ID. Otherwise, it shows the status as “Not Connected” with a yellow warning sign .

3.4 Add Certificate (Optional)

In the TLS configuration section, click + ADD AUTHENTICATION CERTIFICATE to add a certificate for authenticating the Azure Key Vault. Fortanix’s external KMS solution requires that the customer applications use one of the Fortanix DSM interfaces (REST, PKCS#11, KMIP, JCE, or CNG) to interact with Fortanix DSM for key management and cryptographic operations. These applications should be configured to authenticate to Fortanix DSM using a Certificate or Trusted Certificate Authority (CA) instead of directly communicating with Azure Key Vault.

1. Validate Host: Select the Validate Host check box to check if the certificate that the Azure Key Vault provided has the same subjectAltName or Common Name (CN) as the hostname that the server certificate is coming from.
2. You can select either of the following two certificates:
   1. Global Root CA: This option is for a self-signed certificate from an internal CA. By default, every Azure KMS group is configured with a Global Root CA Certificate.
      • CLIENT CERTIFICATE and PRIVATE KEY: Upload a client certificate and a private key (Fortanix DSM Certificate and Key). This allows Fortanix DSM to authenticate itself to the Azure Key Vault and vice versa.
   2. Custom CA Certificate: This option is used when you as an enterprise want to self-sign the certificate using your own internal CA.
      • CA CERTIFICATE: You can either upload the certificate file or copy the contents of the certificate in the textbox provided. You can override the default Global CA cert with a Custom CA Certificate for an Azure Key Vault group.
      • CLIENT CERTIFICATE and PRIVATE KEY: A Custom CA Certificate has a Client Certificate section where you can configure a client certificate and a private key (Fortanix DSM Certificate and Key). This allows Fortanix DSM to authenticate itself to the Azure Key Vault and vice versa.

3.5 Select Key Vault

Azure Key Vault provides two types of resources to store and manage cryptographic keys: Vaults and Managed HSMs. Vaults support software-protected and HSM-protected keys. Managed HSMs only support HSM-protected keys.

For more details about the types of resources that Azure key vault provides, refer to Azure documentation.

1. When the Azure KMS is connected successfully, it will enable the Key Vault Name section.
2. From the list of key vaults for the Subscription ID entered, select Standard or Premium. The Standard key vault encrypts with a Software-protected key only, and the Premium key vault includes HSM-protected keys that can be created as Software-protected or Hardware-protected keys.
3. Select a key vault from the drop down list for the selected Key vault type. Click SAVE to save the group. 

3.7 Create Group

Now, save your group details by clicking the SAVE button.

After you save your group details, your group is created, and you will see a detailed view of your group.

Now you can see that there is an addition of the HSM/KMS tab in the group details, this tab shows the details about your KMS.

3.8 The HSM/KMS Tab

The HSM/KMS tab shows the details of the KMS that were added such as the Tenant ID, Client ID, Client Secret, Subscription ID, and Key Vault Name.

Once you edit the connection details and save it, click TEST CONNECTION to test the connection.

Click SYNC KEYS to sync keys from the configured Azure KMS to the Azure-backed Fortanix DSM group.

3.9 Not Connected Scenario

On clicking TEST CONNECTION, it is possible that Fortanix DSM is not able to connect to the Azure Key Vault, in that case, it displays a “Not Connected” status with a warning symbol . You can save the details of the new connection details provided and edit them later.

3.10 Groups Table View

After saving the group details, you can see the list of all groups and notice the special symbol next to the newly created group, this symbol differentiates it from the other groups, as it shows that it is an external KMS group.

3.11 User's View

Click the Users tab  in the Fortanix DSM UI, and click the user that says “You” to go to the user’s detailed view, as shown below.

The detailed view shows all the groups of which the user is a part, additionally Fortanix DSM displays which groups are mapped to Azure Key Vault and whether they are “Connected” or “Not Connected”.

For details on how to perform native key lifecycle management in Azure Key Vault using Fortanix DSM, refer to the User's Guide: Fortanix DSM Azure Key Vault Cloud Native Key Management.

For details on how to perform BYOK key lifecycle management in Azure Key Vault using Fortanix DSM, refer to the User's Guide: Fortanix DSM Azure KMS Bring Your Own Key.