Fortanix DSM - Azure Key Vault CDC Group Setup

1.0  Introduction

Welcome to the Fortanix Data Security Manager (DSM) Azure Key Vault (AKV) Cloud Native Key Management (CNKMS) User Guide. This article describes how to set up a CDC Group for Azure Key Vault using Fortanix DSM.

The Fortanix solution for Azure Key Vault (AKV) offers Cloud Native Key Management (CNKMS) and Bring Your Own Key (BYOK), with full key lifecycle management that can be automated.

This article will walk you through setting up a Cloud Data Control (CDC) Group which will be used for both CNKMS and BYOK Workflows.

To understand which solution between CNKMS, BYOK, or BYOE is right for you, please see Fortanix Data Security Manager Cloud Data Control Getting Started Guide.

1.1 Overview

The Fortanix solution for AKV key management offers Bring Your Own Key (BYOK) and lifecycle management for Azure keys, including automation, so that all keys can be managed centrally and securely from Fortanix DSM.

1.2  Types of Azure BYOK Flows

  1. Fortanix DSM key BYOK into a Standard tier Azure Key Vault (software-protected: FIPS 140-2 Level 1 compliance)
  2. Fortanix DSM key BYOK into a Premium tier Azure Key Vault (HSM-protected: FIPS 140-2 Level 2 compliance)
  3. Fortanix DSM key BYOK from Fortanix DSM as HSM into Azure Key Vault HSM using custom key wrapping inside Fortanix DSM
  4. Fortanix BYOK into Azure Managed HSM (HSM-protected: FIPS 140-2 Level 3 compliance)

2.0 Getting Started with Fortanix Cloud Data Control

To understand which solution between CNKMS, BYOK, or Bring Your Own Encryption (BYOE) is right for you, please see Fortanix Data Security Manager Cloud Data Control Getting Started Guide.

3.0  Fortanix Data Security Manager Azure CDC Group Setup

3.1  Azure App Configuration

Register Fortanix DSM as an app in Azure and get the app’s Active Directory (AD) credentials as explained in Section 3.0 here.

3.2  Create and Configure Azure Key Vaults

  • Create one or two standard (non-HSM) Key Vaults and grant the app the key management permissions listed in Section 3.3, as explained here.
  • Create one or two HSM-backed (Premium) Key Vaults and grant the app the same key management permissions, as explained here.

3.3  Prerequisites

To configure the Azure-backed Fortanix DSM group, the app registered in Azure (Section 3.1) must satisfy the following prerequisites so that the Fortanix DSM group can authenticate to Azure Key Vault.

  • The app’s API permissions to access the Key Vault. Refer to Figure 5 in Fortanix DSM with Azure Use Case Guide for more details.
  • The app added to the Access Policy of the Key Vault. Refer to Figure 8 in Fortanix DSM with Azure Use Case Guide for more details.
    The access policy entry for the app (its service principal) must grant the key permissions "GET", "LIST", "UPDATE", "CREATE", "IMPORT", "DELETE", "RECOVER", "BACKUP", "RESTORE", and "PURGE". Note that PURGE is a privileged permission: it permanently removes soft-deleted keys, so the entry should exist only on the vaults Fortanix DSM manages.
  • Assign the app the Key Vault Contributor role on the Key Vault.
    • In the Azure portal, open your Key Vault.
    • Click Access Control (IAM) -> Add -> Add role assignment.
    • In the Add role assignment panel, select the Role as Key Vault Contributor and select the app as the member.
    Scope the assignment to the Key Vault itself rather than to the subscription or resource group: Key Vault Contributor is a management-plane role that can modify the vault, including its access policies, so it should cover only the vaults Fortanix DSM manages.
                                  Figure 1: Add role assignment
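The prerequisites above are easy to get subtly wrong (a permission missing from the access policy, the role assigned to the wrong principal, or a role scoped far wider than needed). The following pre-flight check is an added example and not Fortanix's code. It consumes the JSON printed by `az keyvault show --name <vault> -o json` and `az role assignment list --scope <vault resource id> --include-inherited -o json`, together with the object ID of the registered app's service principal (the Enterprise application object, not the Application (client) ID). The embedded vault and role-assignment JSON, GUIDs and names are constructed placeholders.

```python
"""Pre-flight check for the Section 3.3 prerequisites (added example, not Fortanix code)."""
import json

REQUIRED_KEY_PERMISSIONS = {"get", "list", "update", "create", "import",
                            "delete", "recover", "backup", "restore", "purge"}
CONTRIBUTOR_ROLE = "Key Vault Contributor"


def missing_key_permissions(vault, object_id):
    """Return the required key permissions the access policy does not grant to object_id."""
    props = vault.get("properties", {})
    if props.get("enableRbacAuthorization"):
        # Vault uses the RBAC permission model: access policies are ignored, so
        # none of the data-plane permissions from Section 3.3 are in effect.
        return set(REQUIRED_KEY_PERMISSIONS)
    for policy in props.get("accessPolicies", []):
        if policy.get("objectId", "").lower() == object_id.lower():
            granted = {p.lower() for p in policy.get("permissions", {}).get("keys") or []}
            return REQUIRED_KEY_PERMISSIONS - granted
    return set(REQUIRED_KEY_PERMISSIONS)  # no policy entry for this principal at all


def contributor_scope(assignments, object_id, vault_id):
    """Return the scope at which object_id holds Key Vault Contributor over the vault, or None."""
    vault_id = vault_id.lower()
    for a in assignments:
        if a.get("principalId", "").lower() != object_id.lower():
            continue
        if a.get("roleDefinitionName") != CONTRIBUTOR_ROLE:
            continue
        scope = a.get("scope", "")
        # An assignment on the subscription or resource group is inherited by the vault;
        # match on a path boundary so 'rg-dsm' does not match 'rg-dsm2'.
        if vault_id == scope.lower() or vault_id.startswith(scope.lower() + "/"):
            return scope
    return None


def preflight(vault_json, assignments_json, object_id):
    vault = json.loads(vault_json)
    assignments = json.loads(assignments_json)
    missing = missing_key_permissions(vault, object_id)
    scope = contributor_scope(assignments, object_id, vault["id"])
    vault_scoped = scope is not None and scope.lower() == vault["id"].lower()
    return {
        "missing_key_permissions": sorted(missing),
        "contributor_scope": scope,
        # Flag a role broader than the vault: Key Vault Contributor can edit access policies.
        "contributor_wider_than_vault": scope is not None and not vault_scoped,
        "ok": not missing and scope is not None,
    }


# Constructed sample: the policy grants nine permissions but not PURGE, and the
# role is assigned on the resource group rather than on the vault itself.
SP_OBJECT_ID = "11111111-1111-1111-1111-111111111111"
VAULT_ID = ("/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-dsm"
            "/providers/Microsoft.KeyVault/vaults/kv-dsm-standard")
SAMPLE_VAULT = json.dumps({
    "id": VAULT_ID,
    "name": "kv-dsm-standard",
    "properties": {
        "enableRbacAuthorization": False,
        "accessPolicies": [{
            "objectId": SP_OBJECT_ID,
            "permissions": {"keys": ["Get", "List", "Update", "Create", "Import",
                                     "Delete", "Recover", "Backup", "Restore"]},
        }],
    },
})
SAMPLE_ASSIGNMENTS = json.dumps([{
    "principalId": SP_OBJECT_ID,
    "roleDefinitionName": "Key Vault Contributor",
    "scope": "/subscriptions/22222222-2222-2222-2222-222222222222/resourceGroups/rg-dsm",
}])

if __name__ == "__main__":
    print(json.dumps(preflight(SAMPLE_VAULT, SAMPLE_ASSIGNMENTS, SP_OBJECT_ID), indent=2))
```

Run against the sample, the check reports `purge` missing and the contributor role inherited from the resource group, so `ok` is false; replace the sample JSON with the real CLI output to check a vault before clicking TEST CONNECTION in Section 3.4.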

3.4  Configure the Azure CDC Group

  1. In the Fortanix DSM Groups page, click the add button to create a new Azure KMS group.
  2. In the Add new group form,
    1. Enter a name and description for your group.
    2. Next, click the LINK HSM/EXTERNAL KMS button to choose the Azure KMS type, so that Fortanix DSM can connect to it.
    3. Select the type of HSM/external KMS as Azure Key Vault in the drop down menu.
    4. Use the AD credentials created in Section 3.1 to set up an Azure-backed Fortanix DSM Group. Azure subscriptions have a trust relationship with Azure Active Directory (Azure AD).
      In the Authentication section, enter the Azure KMS account credentials:
      • Tenant ID: The Directory (tenant) ID of the Azure AD tenant that your subscription trusts. Enter the Tenant ID.
      • Client ID: The Application (client) ID of the app registered in Section 3.1. Enter the Client ID.
      • Client Secret: A secret string that a registered application in Azure uses to prove its identity when requesting a token at a web addressable location (using an HTTPS scheme). Client Secret is also referred to as application password. Enter the “Value” of the Client Secret from the “Client secrets” section in Azure.
        Currently, Fortanix DSM supports only "Client Secret" value based authentication.
      • Subscription ID: The ID of the Azure subscription that contains the Key Vaults to be managed. You can get the subscription ID by navigating to Subscriptions in the Azure portal. Refer to Azure Subscriptions and Roles for more details.
      Refer to Figure 3 and Figure 4 in Fortanix DSM with Azure Use Case Guide to get the Tenant ID, Client ID, and Client Secret.
  3. Add a certificate (optional). For more details, refer to Section 3.6: Add Certificate.
  4. Click TEST CONNECTION to test your Azure KMS connection. If Fortanix DSM can connect to your Azure Key Vault with the supplied details, it shows the status as “Connected” with a green tick and fetches the key vaults associated with the Subscription ID. Otherwise, it shows the status as “Not Connected” with a yellow warning sign.

3.5 Select Key Vault

Azure Key Vault provides two types of resources to store and manage cryptographic keys: Vaults and Managed HSMs. Vaults support software-protected and HSM-protected keys. Managed HSMs only support HSM-protected keys.

As of Fortanix DSM release 4.6, software-protected key vaults, HSM-protected (Premium) key vaults, and Azure Managed HSM pools are supported.

For more details about the types of resources that Azure key vault provides, refer to Azure documentation.

  1. When the Azure KMS is connected successfully, it will enable the Key Vault Name section.
  2. From the list of key vault types for the Subscription ID entered, select Standard or Premium. A Standard key vault holds software-protected keys only; a Premium key vault can hold both software-protected and HSM-protected keys.
  3. Select a key vault from the drop down list for the selected Key vault type. Click SAVE to save the group. 

3.6 Add Certificate (Optional)

If the connection to Azure Key Vault goes through an intermediary such as a proxy, use this section to add the certificate that Fortanix DSM should trust for that connection in place of the default.
  1. Click + ADD CONFIGURATION to add a certificate for the Azure Key Vault connection. Fortanix’s external KMS solution requires that customer applications use one of the Fortanix DSM interfaces (REST, PKCS#11, KMIP, JCE, or CNG) to interact with Fortanix DSM for key management and cryptographic operations. These applications should be configured to authenticate to Fortanix DSM using a certificate or a trusted Certificate Authority (CA) instead of communicating directly with Azure Key Vault.
    1. There are two certificate options to choose from.
      • Global Root CA – The default. Every Azure KMS group is configured with the Global Root CA certificate, so the server certificate presented by the Azure Key Vault endpoint is validated against the globally trusted root CAs.
      • Custom CA Certificate – Use this option when the certificate presented on the connection is issued by your own internal CA (for example, by a proxy in front of Azure Key Vault). It overrides the default Global Root CA certificate for this Azure KMS group. You can either upload the certificate file or paste the contents of the certificate in the textbox provided.
    2. Select the Validate Host check box so that Fortanix DSM checks that the certificate presented on the connection carries the hostname it connected to in its subjectAltName (or, for legacy certificates, in its Common Name (CN)). Leave it enabled: without host validation, any certificate that chains to the trusted CA is accepted for any hostname.
  2. + ADD CLIENT CERTIFICATE (optional): The Custom CA Certificate option also has a Client Certificate section where you can configure a client certificate and its private key (the Fortanix DSM certificate and key). With it, Fortanix DSM authenticates itself to the endpoint it connects to (for example, a proxy that requires mutual TLS) in addition to verifying that endpoint’s certificate.
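The Validate Host check and the Global Root CA / Custom CA choice map onto two ordinary TLS settings, which the following added example makes concrete (it is not Fortanix's code and does not show how DSM is implemented). `host_matches` applies the subjectAltName-with-CN-fallback rule described above, including the single-label wildcard that public certificates such as a `*.vault.azure.net` certificate use; `tls_context` builds the equivalent client-side trust configuration with Python's `ssl` module. The certificate dictionaries in the test are constructed samples in the shape returned by `ssl.SSLSocket.getpeercert()`.

```python
"""Host validation and CA selection for a Key Vault connection (added example, not Fortanix code)."""
import ssl


def _name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, and a wildcard is allowed only as
    the whole leftmost label, so '*.vault.azure.net' matches 'kv1.vault.azure.net'
    but not 'vault.azure.net' or 'a.b.vault.azure.net'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    labels = hostname.split(".")
    # Require at least two labels under the wildcard so '*.net'-style patterns never match.
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def host_matches(cert, hostname):
    """What 'Validate Host' enforces: the connected hostname must appear in the
    certificate's DNS subjectAltName entries; the subject CN is consulted only
    when the certificate carries no DNS SAN at all (legacy behaviour)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_name_matches(san, hostname) for san in sans)
    cns = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    return any(_name_matches(cn, hostname) for cn in cns)


def tls_context(custom_ca_pem=None, validate_host=True):
    """Client trust settings equivalent to the group's certificate configuration.
    With no custom CA the platform's trusted root store is used (Global Root CA);
    a PEM bundle path replaces it (Custom CA Certificate). Disabling host validation
    leaves only the chain check, which is the weakened setting to avoid."""
    ctx = ssl.create_default_context(cafile=custom_ca_pem)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = validate_host
    return ctx
```

The matcher is intentionally strict about wildcards: a certificate for `*.vault.azure.net` must not be accepted for `vault.azure.net` itself or for a deeper name, since those are exactly the mismatches host validation exists to catch.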

3.7  Create Group

Now, save your group details by clicking SAVE.

After you save the group details, the group is created and its detailed view opens.

The group details now include an HSM/KMS tab, which shows the details of your KMS.

3.8  The HSM/KMS Tab

The HSM/KMS tab shows the details of the KMS that were added such as the Tenant ID, Client ID, Client Secret, Subscription ID, and Key Vault Name.

Only the Tenant ID, Client ID, and Client Secret can be edited to update the Azure KMS connection details; the Subscription ID and the key vault name are not editable.

Once you edit the connection details and save it, click TEST CONNECTION to test the connection.

Click SYNC KEYS to sync keys from the configured Azure KMS to the Azure-backed Fortanix DSM group.

3.9  Not Connected Scenario

On clicking TEST CONNECTION, Fortanix DSM may be unable to connect to the Azure Key Vault; in that case it displays a “Not Connected” status with a warning symbol. You can still save the connection details provided and edit them later.

3.10  Groups Table View

After saving the group details, the list of all groups shows a special symbol next to the newly created group; this symbol marks it as an external KMS group and differentiates it from the other groups.

3.11  User's View

Click the Users tab in the Fortanix DSM UI, and click the user marked “You” to go to the user’s detailed view, as shown below.

The detailed view shows all the groups the user is a member of; additionally, Fortanix DSM displays which groups are mapped to Azure Key Vault and whether they are “Connected” or “Not Connected”.

For details on how to perform native key lifecycle management in Azure Key Vault using Fortanix DSM, refer to the User's Guide: Fortanix DSM Azure Key Vault Cloud Native Key Management.

For details on how to perform BYOK key lifecycle management in Azure Key Vault using Fortanix DSM, refer to the User's Guide: Fortanix DSM Azure KMS Bring Your Own Key.

