Fortanix DSM - Azure Key Vault CDC Group Setup

1.0 Introduction

Welcome to the Fortanix Data Security Manager (DSM) Azure Key Vault (AKV) Cloud Native Key Management Service (CNKMS) User Guide. This article describes how to set up a Cloud Data Control (CDC) Group for Azure Key Vault using Fortanix DSM.

The Fortanix solution for AKV offers complete CNKMS, and Bring Your Own Key (BYOK), with complete lifecycle management for automation of Azure keys and allows users to manage all keys centrally and securely.

This article will walk you through setting up a CDC Group which will be used for both CNKMS and BYOK workflows.

1.2 Types of Azure BYOK Flows

  1. Fortanix DSM key BYOK into Standard Tier Azure Key Vault (Software-protected: FIPS 140-2 Level 1compliance)
  2. Fortanix DSM Key BYOK into Premium Tier Azure Key Vault (Hardware Security Module (HSM)-protected: FIPS 140-2 Level 2 compliance)
  3. Fortanix DSM key BYOK from Fortanix DSM as HSM into Azure Key Vault HSM using custom Key wrapping inside Fortanix DSM
  4. Fortanix BYOK into Azure Managed HSM (HSM-protected: Azure FIPS 140-2 Level 3 compliance).

2.0 Getting Started with Fortanix Cloud Data Control

To understand which solution between CNKMS, Bring Your Own Key (BYOK), Bring Your Own KMS (AWS XKS) or Bring Your Own Encryption (BYOE), or BYOE is right for you, refer to the Fortanix DSM - Cloud Data Control - Getting Started.

3.0 Obtaining Access to Fortanix DSM

Create an account in Fortanix DSM if you do not have one already. Refer to the Fortanix DSM Getting Started guide for more information.

4.0 Fortanix DSM Azure CDC Group Setup

4.1 Azure App Configuration

You will need to provide the tool with your Azure credentials, which will be used to authenticate to Azure and perform interactions with Azure Key Vault. You can do the following to get these credentials:

  1. Log in to
  2. Register an application. azure_byok1.png Figure 1: Initiate App Registration azure_byok2.png Figure 2: Register an App azure_byok3.png Figure 3: App Registered
  3. Upload a client certificate or create a client secret for the above application. AzureKMS_UploadCert.pngFigure 4: Client Certificate for the App

    AzureKMS_ClientSecret.pngFigure 5: Client Secret for the App
  4. Give the App permission to access the Azure Key Vault. azure_byok4.1.png Figure 6: Key Vault Permission to Access App Azure_App_Perm.png Figure 7: Key Vault Permission to Access App
  5. Create an Azure Key Vault. azure_byok5.1.png Figure 8: Create Azure Key Vault
    Figure 9: Create Azure Key Vault

4.2 DSM and Azure Configuration Prerequisites

To configure the Azure-backed Fortanix DSM group, the following are the prerequisites that the app in Azure Cloud Data Control (CDC) must have to authenticate the Fortanix DSM group with Azure Key Management Services.

  • The app’s API permissions to access the Key Vault. Refer to Figure 6 and Figure 7 above for more details.
  • Adding the app to the Access Policy of the Key Vault. Refer to Figure 9 above for more details.
    The access policies for the Azure app registered to the key vault should include the following permissions: "GET", "LIST", "UPDATE", "CREATE", "IMPORT", "DELETE", "RECOVER", "BACKUP", "RESTORE", "PURGE".
  • Assign the app registration the Key Vault Contributor role.
    Ensure the user performing these operations has sufficient privileges. For more information, refer to 
    1. In the Azure portal, open your Key Vault.
    2. Navigate to Access Control (IAM)Add → Add role assignment.
    3. In the Add role assignment window , select the Role as Key Vault Contributor option.
    4. Click the Next button.
    5. Select the previously created app registration, Fortanix-BYOK, under Members to complete the operation.
                                  Figure 10: Add role assignment

4.3 Configure the Azure CDC Group

Perform the following steps to create an Azure KMS group:

  1. Navigate to the Groups menu item and click the + Groups button to create a new Azure KMS group.
  2. In the Add new group form, do the following:
    1. Enter a name and description for your group.
    2. Click the LINK HSM/EXTERNAL KMS button to choose the Azure KMS type, so that Fortanix DSM can connect to it.
    3. Select the HSM/external KMS type as Azure Key Vault in the drop down menu.
    4. In the Choose Service field, select from the following Azure services that you want to authenticate against and establish a successful key vault connection. You can choose from the following Azure services:
      • global Azure
      • Azure for US Government
      Select the “global Azure” option to authenticate and upload the key material to any non-US government Azure service, or select the “Azure for US Government” option to authenticate and upload key material to the specific Azure service set aside for the US government
      To use Azure US Government, you need to be a US citizen associated with the US Federal Government or a US government contractor. Refer to the Cloud Provider's documentation about access to these environments.
    5. Use the credentials created in Section 4.1 Azure App Configuration to set up an Azure-backed Fortanix DSM Group. Azure subscriptions have a trust relationship with Azure Active Directory (Azure AD).
      In the Authentication section, enter the Azure KMS account credentials:
      • Tenant ID: Each subscription has a Directory ID/Tenant ID. Enter the Tenant ID.
      • Client ID: Enter the Application ID/Client ID of the app registration you created. This value can be found on the app registration’s Overview screen.
      • Subscription ID: The Subscription ID is the ID of your Azure AD subscription containing the key vaults associated with that Subscription ID. You can get the subscription ID by navigating to Subscriptions in the Azure portal. Refer to Azure Subscriptions and Roles for more details.

        You can authenticate with Azure Key Vault using either of the following options:
      • Client Secret: A secret string that a registered application in Azure uses to prove its identity when requesting a token at a web-addressable location (using an HTTPS scheme). Client Secret is also referred to as an application password. Enter the “Value” of the Client Secret from the “Client secrets” section in Azure.
      • Token authentication certificate configuration: Click the + ADD AUTHENTICATION CERTIFICATE button to upload a client certificate and private key (Fortanix DSM Certificate and Key). This allows Fortanix DSM to authenticate itself to the Azure Key vault and vice versa. Ensure that the certificate file is in cer, pem, or crt format.
      Refer to Figure 3 and Figure 5 in Section 4.1: Azure App Configuration to get the Tenant ID, Client ID, and Client Secret.
    6. Click the SAVE button.
  3. Add a TLS configuration (optional). For more details refer to Section 4.4: Add TLS Configuration.
  4. Click TEST CONNECTION to test your Azure KMS connection. If Fortanix DSM is able to connect to your Azure Key Vault using your connection details, then it shows the status as “Connected” with a green tick AWS_43a.png and fetches the key vaults associated with the Subscription ID. Otherwise, it shows the status as “Not Connected” with a yellow warning sign AWS_44a.png .

4.4 Add TLS Configuration (Optional)

If you are using a configuration such as a proxy for the Azure Key Vault connection, use this section to add certificates so that Fortanix DSM would allow the use of a custom certificate.

In the TLS configuration section, click + ADD AUTHENTICATION CERTIFICATE to add a certificate for authenticating the Azure Key Vault. Fortanix’s external KMS solution requires that the customer applications use one of the Fortanix DSM interfaces (REST, PKCS#11, KMIP, JCE, or CNG) to interact with Fortanix DSM for key management and cryptographic operations. These applications should be configured to authenticate to Fortanix DSM using a Certificate or Trusted Certificate Authority (CA) instead of directly communicating with Azure Key Vault.

  1. Validate Host: Select the Validate Host check box to verify if the certificate that the Azure Key Vault provided has the same subjectAltName or Common Name (CN) as the hostname that the server certificate is coming from.
  2. You can select either of the following two certificates:
    1. Global Root CAs: This option is for a self-signed certificate from an internal CA. By default, every Azure KMS group is configured with a Global Root CA Certificate.
      • CLIENT CERTIFICATE and PRIVATE KEY: Upload a client certificate and a private key (Fortanix DSM Certificate and Key). This allows Fortanix DSM to authenticate itself to the Azure Key Vault and vice versa.
    2. Custom CA Certificate: This option is used when you as an enterprise want to self-sign the certificate using your own internal CA.
      • CA CERTIFICATE: You can either upload the certificate file or copy the contents of the certificate in the textbox provided. You can override the default Global CA cert with a Custom CA Certificate for an Azure Key Vault group.
      • CLIENT CERTIFICATE and PRIVATE KEY: A Custom CA Certificate has a Client Certificate section where you can configure a client certificate and a private key (Fortanix DSM Certificate and Key). This allows Fortanix DSM to authenticate itself to the Azure Key Vault and vice versa.
  3. Click the SAVE button.

4.5 Select Key Vault

Azure Key Vault provides two types of resources to store and manage cryptographic keys: Vaults and Managed HSMs. Vaults support software-protected and HSM-protected keys. Managed HSMs only support HSM-protected keys.

As of the Fortanix DSM release 4.6, we support Software-backed key vaults, HSM-backed key vaults, and Azure Managed HSM Pool.

For more details about the types of resources that Azure Key Vault provides, refer to Azure documentation.

  1. When the Azure KMS is connected successfully, it will enable the Key vault type section.
  2. From the list of key vaults for the Subscription ID entered, select Standard or Premium. The Standard key vault encrypts with a Software-protected key only, and the Premium key vault includes HSM-protected keys that can be created as Software-protected or Hardware-protected keys.
  3. Select a key vault from the drop down list for the selected Key vault type.
  4. Click the SAVE button to save the group. 

4.6 Not Connected Scenario

When you click the TEST CONNECTION, it is possible that Fortanix DSM is not able to connect to the Azure Key vault. If that happens, it displays a “Not Connected” status with a warning symbol AWS_44a.png. You can save the details of the new connection details provided and edit them later.

4.7 HSM/KMS Tab

The group details now include an HSM/KMS tab displaying information about your KMS.

The HSM/KMS tab displays the details of the Azure Service Type, including the connection details of the Tenant ID, Client ID, Client Secret, Subscription ID, and Key Vault Name. You can edit these connection details here.

After editing and saving, click the TEST CONNECTION button to check the connection.

Click the SYNC KEYS button to sync keys from the configured Azure KMS to the Azure CDC group.

4.8 Groups Table View

After saving the group details, you can see the list of all groups and notice the special symbol AWS_46.pngnext to the newly created group, this symbol differentiates it from the other groups, as it shows that it is an external KMS group.

4.9 User's View

Navigate to the Users menu item and click the user that says “You” to view the user’s detailed view.

The detailed view shows all the groups the user belongs to and indicates which groups are mapped to Azure KMS, displaying their status as "connected" or "not connected."

5.0 Azure Key Vault Group BYOK and Cloud Native Key Management

For details on how to perform native key lifecycle management in Azure Key Vault using Fortanix DSM, refer to the User's Guide: Fortanix DSM Azure Key Vault Cloud Native Key Management.

For details on how to perform BYOK key lifecycle management in Azure Key Vault using Fortanix DSM, refer to the User's Guide: Fortanix DSM Azure KMS Bring Your Own Key.


Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful