The Fortanix solution for Azure Key Vault (AKV) Key Management offers complete Bring Your Own Key (BYOK) and lifecycle management for management and automation of Azure keys and allows users to manage all keys centrally and securely.
1.1 Types of Azure BYOK Flows
- Fortanix DSM key BYOK into Standard Tier Azure Key Vault (Software-protected: FIPS 140-2 Level 1compliance)
- Fortanix DSM Key BYOK into Premium Tier Azure Key Vault (HSM-protected: FIPS 140-2 Level 2 compliance)
- Fortanix DSM key BYOK from Fortanix DSM as HSM into Azure Key Vault HSM using custom Key wrapping inside Fortanix DSM
- Fortanix BYOK into Azure Managed HSM (HSM-protected: Azure FIPS 140-2 Level 3 compliance).
For release 4.1, the Fortanix DSM Key BYOK into Standard Tier Azure Key Vault is available.
2.0 Fortanix Data Security Manager Group Workflow
2.1 Azure App Configuration
Register Fortanix DSM as an app in Azure and get the app’s Active Directory (AD) credentials as explained here.
2.2 Create and Configure Azure Key Vaults
- Create one or two non-HSM Key Vault and give 9 key management permissions as explained here.
- Create one or two HSM-backed Key Vault and give 9 key management permissions as explained here.
To configure the Azure-backed Fortanix DSM group, the following are the prerequisites that the app in Azure Cloud Data Control (CDC) must have to authenticate the Fortanix DSM group with Azure Key Management Services.
- The app’s API permissions to access the Key Vault. Refer to Figure 5 in Fortanix DSM with Azure Use Case Guide for more details.
- Adding the app in the Access Policy of the Key Vault. Refer to Figure 8 in Fortanix DSM with Azure Use Case Guide for more details.
- Register the app as a key-vault contributor in role assignment.
- In the Azure portal, open your Key Vault.
- Click Access Control (IAM) -> Add -> Add role assignment.
- In the Add role assignment panel, select the Role as Key Vault Contributor.
Figure 1: Add role assignment
2.4 Create an Azure Key Vault KMS Group
- In the Fortanix Data Security Manager (DSM) Groups page, click the button to create a new Azure KMS group. Figure 2: Create new group
- In the Add new group form,
- Enter a title and description for your group.
- Next, click the LINK HSM/EXTERNAL KMS button to choose the Azure External KMS type, so that Fortanix DSM can connect to it.
Figure 3: Link Azure Key Vault
2.4.1 Create Azure KMS Group
- Select the type of HSM/external KMS as Azure Key Vault in the drop down.
Figure 4: Choose External KMS type
- Use the AD credentials created in Section 2.1 to set up an Azure-backed Fortanix DSM Group. Azure subscriptions have a trust relationship with Azure Active Directory (Azure AD).
In the Authentication section, enter the Azure KMS account credentials:
- Tenant ID: Each subscription has a Directory ID/Tenant ID. Enter the Tenant ID.
- Client ID: Each subscription has an Application ID/Client ID. Enter the Client ID.
- Client Secret: A secret string that a registered application in Azure uses to prove its identity when requesting a token at a web addressable location (using an HTTPS scheme). Client Secret is also referred to as application password. Enter the “Value” of the Client Secret from the “Client secrets” section in Azure.
- Subscription ID: The Subscription ID is the ID of your Azure AD subscription contains the Key Vaults associated with that Subscription ID. You can get the subscription ID by navigating to Subscriptions in the Azure portal. Refer to Azure Subscriptions and Roles for more details. Tenant ID: Each subscription has a Directory ID/Tenant ID. Enter the Tenant ID.
Figure 5: Azure Key Vault authentication
- Click + ADD CONFIGURATION to add a certificate for authenticating your Azure Key Vault. There are two certificate options to choose from.
- Global Root CA - This option is for a self-signed certificate from an internal CA. By default, every Azure KMS group is configured with a Global Root CA Certificate.
- Custom CA Certificate – Use this certificate if you as an enterprise want to self-sign the certificate using your own internal CA. You can override the default Global CA cert with a Custom CA Certificate for an Azure KMS group. You can either upload the certificate file or copy the contents of the certificate in the textbox provided.
Figure 6: Custom CA certificate
- Client Certificate (optional): A Custom CA Certificate also has a Client Certificate section where you can configure a client certificate and a private key (Fortanix DSM Certificate and Key). This allows Fortanix DSM to authenticate itself to the Azure Key Vault and vice versa.
Figure 7: Add client cert and private key
- Select the Validate Host check box to check if the certificate that the Azure Key Vault provided has the same
Common Name (CN)as the hostname that the server certificate is coming from.
2.5 Test Connection
- Click TEST CONNECTION to test your Azure KMS connection. If Fortanix DSM is able to connect to your Azure Key Vault using your connection details, then it shows the status as “Connected” with a green tick . Otherwise, it shows the status as “Not Connected” with a yellow warning sign .
Figure 8: Test connection - successful
2.6 Select Key Vault
Azure Key Vault provides two types of resources to store and manage cryptographic keys: Vaults and Managed HSMs. Vaults support software-protected and HSM-protected keys. Managed HSMs only support HSM-protected keys.
- When the Azure KMS is connected successfully, it will enable the Key Vault Name field. From the list of key vaults for the Subscription ID entered, select a key vault. Click SAVE to save the group.
Figure 9: Select subscription ID
2.7 Create Group
Now, save your group details by clicking SAVE.
Once you save your group details, your group is created, and you will see a detailed view of your group.
Figure 10: Create group Figure 11: Group detailed view
Now you can see that there is an addition of the HSM/KMS tab in the group details, this tab shows the details about your KMS.
2.8 The HSM/KMS Tab
The HSM/KMS tab shows the details of the KMS that were added such as the Tenant ID, Client ID, Client Secret, Subscription ID, and Key Vault Name.
Once you edit the connection details and save it, click TEST CONNECTION to test the connection.
Click SYNC KEYS to sync keys from the configured Azure KMS to the Azure-backed Fortanix DSM group.
Figure 12: Sync keys
2.9 Sync Keys
When you edit the Azure Key Vault connection details in the Azure KMS group detailed view under HSM/KMS tab, click SYNC KEYS to import new keys. On clicking SYNC KEYS, Fortanix DSM connects to Azure Key Vault and gets all the keys available. Fortanix DSM then stores them as virtual keys.
Figure 13: Scanned keys
2.10 Not Connected Scenario
On clicking TEST CONNECTION, it is possible that Fortanix DSM is not able to connect to the Azure Key Vault, in that case, it displays a “Not Connected” status with a warning symbol . You can save the details of the new connection details provided and edit them later.
2.11 Groups Table View
After saving the group details, you can see the list of all groups and notice the special symbol next to the newly created group, this symbol differentiates it from the other groups, as it shows that it is an external KMS group.
Figure 14: Azure KMS groups
2.12 User's View
Click the Users tab in the Fortanix DSM UI, and click the user that says “You” to go to the user’s detailed view, as shown below.
Figure 15: User's table
The detailed view shows all the groups which the user is a part of, additionally Fortanix DSM displays which groups are mapped to Azure key Vault and whether they are “Connected” or “Not Connected”.
Figure 16: User detailed view
3.0 Fortanix Data Security Manager Azure KMS Security Objects
3.1 Create a Key in Azure KMS Group - Generate (Software-Backed Key Vault)
You can generate a key in a configured Azure KMS (Software backed key vault).
3.1 1 Generate a Key
This action will generate the configured key type in the software-backed Azure Key Vault, and it will be represented as a virtual key in the corresponding Azure KMS group. This means that the virtual key in the Azure KMS group will point to the actual key in the software-backed Azure Key Vault that stores the key material of this new key. The virtual key only stores the key information and key attributes, but it does not have the key material.
In your Fortanix DSM console, follow the process below to create a new key:
- Click the Security Objects tab (Figure 17).
- Click to create a new Security Object. Figure 17: Security objects tab in Fortanix Data Security Manager
- In the Add New Security Object form (Figure 18) enter a name for the Security Object (Key).
- Select the This is an HSM/external KMS object check box (Figure 18). This will show the Azure KMS configured groups in the Select group list.
- In the Azure group list, select the Azure group into which the keys will be generated. The Key vault name associated with the Azure group is displayed. Figure 18: Assign key to the Azure group
- Select GENERATE IN AZURE initiate the generate key in Azure workflow.
- Enter the Azure key name: The Azure key name is the key name that will be stored in Azure Key Vault. The Azure key name will be used to correlate between different versions of a key. All the key versions will have the same Azure key name.
- Select the key type for the new Azure KMS key.
These key types can further be restricted by setting a crypto policy for the account or group. For more details about the crypto policy, please refer to the article: https://support.fortanix.com/hc/en-us/articles/360042064051-User-s-Guide-Crypto-Policy. Figure 19: Generate key in Azure
- Enter the Key size.
- Enter the key Expiration Date, and key Activation Date. Figure 20: Enter key parameters
- Select the permitted key operations under Key operations permitted section.
- Add any key tags if required using ADD TAG.
- Click the GENERATE button to generate the key in Azure Key Vault. Figure 21: Generate a key
- The new Azure Key is created and represented with a special symbol to denote it is of type "External KMS". In the detailed view of the Azure key, you will notice the following things:
- The “key state” - whether the key is in a pre-active/active state based on the “activation date” selected during the key creation. Figure 22: Key state and Azure key name
- The Azure Key Name appears on the top.
- The group to which it belongs (in the Group field). It also shows if the group is mapped to Azure Key Vault or not using the special icon .
- How the key was created (in the Created by field). If it is an Azure KMS key, this field shows the group that created this key. It also shows minor details such as if the group is “Connected” or “Not Connected”.
- The new key will be added to the Security Objects table. Figure 24: Key added
Go to the AZURE KEY DETAILS tab to see the properties of the Azure Key such as the Version Number and Resource ID of the key.
Figure 26: Azure key properties
Log in to the Azure console and verify if the new key is generated successfully.
Figure 25: View/add Azure KMS security objects
3.1.2 Bring Your Own Key - Import Key
This action will import the configured key type in the software-backed Azure Key Vault directly, and it will be represented as a virtual key in the corresponding Azure KMS group. This means that the virtual key in the Azure KMS group will point to the actual key in the Azure Key Vault that stores the key material of this new key. The virtual key only stores the key information and key attributes, but it does not have the key material. The import action will not store a copy of the key material in Fortanix DSM.
- Follow Steps 1-5 from Section 3.1.1
- Select IMPORT to initiate the import key in Azure workflow.
- Enter the Azure key name.
- Select the key type for the new Azure KMS key.
- Sometimes keys of type RSA that need to be imported from a file were previously wrapped (encrypted) by a key from Fortanix DSM. This is done so that the key should not go over the TLS in plain text format. In such scenarios select the check box The key has been encrypted.
- Next enter or select a Key ID or SO name in the Select Key Encryption Key section which will be used to unwrap (decrypt) the encrypted key in the file which will later be stored securely in Fortanix DSM. This key should have already been created or imported in Fortanix DSM.
- Click UPLOAD A FILE to upload the key file in Raw, Base64, or Hex format.
- Select the permitted key operations and any key tags if required using ADD TAG.
- Click IMPORT to import the key.
- The key is successfully imported.
3.1.3 Bring Your Own Key - Copy Key to Azure Key Vault
Use this option when you want to generate a key in Fortanix DSM and then import the key into the configured Azure Key Vault. The copy key to the Azure feature will copy a security object from one regular Fortanix DSM group to another regular/Azure KMS Fortanix DSM group. This feature has the following advantages:
- Maintains a single source of key material while using/importing that key into various Fortanix DSM groups where applications may need to use a single key to meet business objectives.
- Maintains a link of various copies of the same key material to the source key for audit and tracking purposes.
The following actions will happen as part of the copy key operation:
- A new key will be created in the target group: The new key will have the same key material as the original.
- The source key links to the copied keys: There will be a link maintained from all copied keys to the source key.
- The Source key will also have basic metadata-based information about the linked keys such as:
- Copied by <user-name/app id>
- Date of Copy <time stamp>
- Target copy group name
To copy a key from a regular Fortanix DSM group to an Azure KMS group:
- Go to the detailed view to a key and click the NEW OBJECT icon on the far right of the screen. Figure 27: Initiate copy key
- In the menu that appears, click the COPY KEY button. Figure 28: Click copy key
- In the COPY KEY window, update the name of the key if required using the edit icon.
- Click Import key to HSM/External KMS check box to filter the groups to show only HSM/AWS KMS/Azure KMS groups. Select the Azure KMS group for the new key into which the copied key should be imported.
- Enter the Azure key name.
- Update KEY PERMISSIONS if you want to modify the permissions of the key. Figure 29: Create copy
- Click CREATE COPY to create a copy of the key as shown in the figure above.
- The source key will now appear as a key link in the KEY LINKS tab in the detailed view of the copied key. Figure 30: Key link
3.2 Attributes/Tags Tab
This tab will have all the tags of the software-backed Azure key. You can add new tags using the NEW TAG button.
Figure 31: Key attributes
3.3 Azure Key Details
This tab displays details of the Azure key properties such as Resource ID and Key version number.
Figure 32: Azure key details
The AZURE KEY DETAILS tab also contains SOFT DELETE KEY option, which is explained in Section 3.6.
3.4 Security Objects Table View
After you add new Azure keys, go to the Security Objects page to view all the security objects from all the groups (Regular and HSM/External KMS).
In the security object table, you will notice that every key belongs to a group and some keys which are virtual keys added from an Azure Key Vault, belongs to a group with a special symbol . The security objects table view will continue to show all the keys irrespective of if they belong to an Azure KMS group or not.
Figure 33: Security objects table view
3.5 Deactivate a Key in Azure Group
When you deactivate an Azure key in Fortanix DSM, the action will deactivate the virtual key in Fortanix DSM and the actual key in the configured Azure Key Vault KMS will be disabled.
To deactivate a key:
- Select the Azure key to deactivate.
- In the security object detailed view, scroll down, and click the DEACTIVATE button.
Figure 34: Deactivate key
3.6 Soft Delete a Key in Azure Key Vault
Soft delete deletes a key from an Azure Key Vault which was already scanned in the Azure KMS Group in Fortanix DSM with a link to recover this key. Now, when you click SCAN KEYS in Fortanix DSM:
- The status of the key in the Azure KMS group will become “soft-deleted in Azure”.
- The key can only be recovered for a retention period set in the key vault.
- If you choose to recover this key, the virtual key will become active as well as the actual key will become active in the Azure Key Vault.
- If you do not recover the key within the retention period, the Azure key vault will automatically purge and delete the key permanently.
To delete a key from Azure Key Vault:
- Go to the detailed view of an Azure KMS virtual key and select the AZURE KEY DETAILS tab.
- Click the link SOFT DELETE KEY. Figure 35: Azure Key Vault Schedule Key Deletion
- In the Soft Key Deletion in Azure Key Vault window, select the confirmation “I understand that the key is not usable for Sign/Verify, Wrap/Unwrap or Encrypt/Decrypt operations once it is deleted.”
- Click SOFT DELETE KEY button to mark the key for deletion. Figure 36: Initiate soft key delete
- You can recover the deleted key any time before the waiting period ends using the RECOVER DELETED KEY link on the top of the screen in the detailed view of the virtual key. When the “Recover Key“ link is clicked, the key will be restored back in Azure Key Vault from the archived blob along with all its versions. Figure 37: Cancel key deletion
3.7 Delete a Key in Azure Group
The DELETE KEY button will be enabled when the key material has been purged in Azure. When you click DELETE KEY, Fortanix DSM will remove the key backup blob, and hence the key cannot be restored.
To delete a virtual key:
- Select the Azure key to delete.
- In the security object detailed view, scroll down and click the DELETE KEY button.
Figure 38: Delete Azure virtual key
4.0 Rotate Key in Azure Group
4.1 Rotating Azure Native Key* with Another Native Key
*Native key is one where the key material was generated by Azure Key Vault.
When you rotate a virtual key in an Azure KMS group, the action will rotate the key inside the Azure Key Vault by generating another new version of the key within the configured Azure Key Vault in a nested way by moving the key alias from the old key to the new key.
To rotate a key in Azure Key Vault:
- Select the Azure virtual key to rotate.
- In the detailed view of the Azure virtual key, click the ROTATE KEY button. Figure 39: Rotate key
- In the Key Rotation window, click the ROTATE KEY button to rotate the virtual key. Figure 40: Rotate virtual key
A new rotated key is now generated.
4.2 Rotating Keys in Fortanix Data Security Manager Source Group
When a key is rotated that belongs to a Fortanix DSM source group and has linked keys that are copies of the Fortanix DSM source key with the same key material as the source key, then the user is given the option to select the linked keys for key rotation. If these linked keys belong to an Azure KMS group, then rotating the linked keys results in rotating the keys in Azure Key Vault as well by generating new versions of the keys within the configured Azure Key Vault in a nested manner.
- Click ROTATE KEY in the detailed view of a Fortanix DSM Source Key.
- In the KEY ROTATION window, select the Rotate linked keys check box.
- Select the Azure Virtual Keys that need to be rotated along with the Fortanix DSM source key and click ROTATE KEY to rotate the linked key. Figure 41: Rotate linked keys
4.3 Rotate Azure Native Key to Fortanix Data Security Manager Owned Key
When an Azure KMS virtual key whose key material is owned by Azure KMS is rotated, the user is given an option to rotate the virtual key with a Fortanix DSM-backed key. When the user selects this option and performs the rotation, a new virtual key is created, with the corresponding key in Azure KMS, which has the key material of the Fortanix DSM-backed key. As a result, the Azure KMS virtual key is backed by a Fortanix DSM Source key.
To rotate a virtual key with Fortanix DSM backed key:
- Click ROTATE KEY in the detailed view of an Azure virtual key.
- In the Key Rotation window, select the Rotate to S-D KMS key check box.
- Select the Fortanix DSM group that contains the source key.
- Select the source key and click the ROTATE KEY button. Figure 42: Rotate virtual key with Fortanix DSM Key
The Virtual key is successfully rotated and backed by the source key. To confirm go to the detailed view of the newly rotated Azure virtual key and click the AZURE KEY DETAILS tab. The SOURCE field now points to “FortanixHSM” instead of “External”.Figure 43: Azure virtual key's source changed