User's Guide: Azure Key Vault External KMS

1.0  Overview

The Fortanix solution for Azure Key Vault (AKV) Key Management offers complete Bring Your Own Key (BYOK) and lifecycle management for Azure keys, automating their management and allowing users to manage all keys centrally and securely.

1.1  Types of Azure BYOK Flows

  1. Fortanix DSM key BYOK into Standard Tier Azure Key Vault (Software-protected: FIPS 140-2 Level 1 compliance)
  2. Fortanix DSM key BYOK into Premium Tier Azure Key Vault (HSM-protected: FIPS 140-2 Level 2 compliance)
  3. Fortanix DSM key BYOK from Fortanix DSM as HSM into Azure Key Vault HSM using custom key wrapping inside Fortanix DSM
  4. Fortanix BYOK into Azure Managed HSM (HSM-protected: Azure FIPS 140-2 Level 3 compliance)

For release 4.1, the Fortanix DSM Key BYOK into Standard Tier Azure Key Vault is available.

2.0  Fortanix Data Security Manager Group Workflow

2.1  Azure App Configuration

Register Fortanix DSM as an app in Azure and get the app’s Active Directory (AD) credentials as explained here.

2.2  Create and Configure Azure Key Vaults

  • Create one or two non-HSM Key Vaults and give them the 9 key management permissions as explained here.
  • Create one or two HSM-backed Key Vaults and give them the 9 key management permissions as explained here.

2.3  Prerequisites

To configure the Azure-backed Fortanix DSM group, the app registered in Azure Cloud Data Control (CDC) must meet the following prerequisites so that the Fortanix DSM group can authenticate to Azure Key Management Services.

  • The app’s API permissions to access the Key Vault. Refer to Figure 5 in Fortanix DSM with Azure Use Case Guide for more details.
  • Adding the app in the Access Policy of the Key Vault. Refer to Figure 8 in Fortanix DSM with Azure Use Case Guide for more details.
    NOTE
    The access policies for the app registered to the key vault should include the permissions: "GET", "LIST", "UPDATE", "CREATE", "IMPORT", "DELETE", "RECOVER", "BACKUP", "RESTORE", "PURGE".
  • Register the app as a key-vault contributor in role assignment.
    • In the Azure portal, open your Key Vault.
    • Click Access Control (IAM) -> Add -> Add role assignment.
    • In the Add role assignment panel, select the Role as Key Vault Contributor.
    Figure 1: Add role assignment

2.4  Create an Azure Key Vault KMS Group

  1. In the Fortanix Data Security Manager (DSM) Groups page, click the Add button to create a new Azure KMS group.
    Figure 2: Create new group
  2. In the Add new group form,
    1. Enter a title and description for your group.
    2. Next, click the LINK HSM/EXTERNAL KMS button to choose the Azure External KMS type, so that Fortanix DSM can connect to it.
    Figure 3: Link Azure Key Vault

2.4.1  Create Azure KMS Group

  1. Select the type of HSM/external KMS as Azure Key Vault in the drop-down.
    Figure 4: Choose External KMS type
  2. Use the AD credentials created in Section 2.1 to set up an Azure-backed Fortanix DSM Group. Azure subscriptions have a trust relationship with Azure Active Directory (Azure AD).
    In the Authentication section, enter the Azure KMS account credentials:
    • Tenant ID: Each subscription has a Directory ID/Tenant ID. Enter the Tenant ID.
    • Client ID: Each subscription has an Application ID/Client ID. Enter the Client ID.
    • Client Secret: A secret string that a registered application in Azure uses to prove its identity when requesting a token at a web-addressable location (using an HTTPS scheme). The Client Secret is also referred to as the application password. Enter the “Value” of the Client Secret from the “Client secrets” section in Azure.
    • Subscription ID: The ID of your Azure AD subscription, which contains the Key Vaults associated with that Subscription ID. You can get the Subscription ID by navigating to Subscriptions in the Azure portal. Refer to Azure Subscriptions and Roles for more details.
    Refer to Figure 3 and Figure 4 in Fortanix DSM with Azure Use Case Guide to get the Tenant ID, Client ID, and Client Secret.
    Figure 5: Azure Key Vault authentication
  3. Click + ADD CONFIGURATION to add a certificate for authenticating your Azure Key Vault. There are two certificate options to choose from.
    • Global Root CA - This option is for a self-signed certificate from an internal CA. By default, every Azure KMS group is configured with a Global Root CA Certificate.
    • Custom CA Certificate – Use this option if you, as an enterprise, want to self-sign the certificate using your own internal CA. You can override the default Global CA certificate with a Custom CA Certificate for an Azure KMS group. You can either upload the certificate file or copy the contents of the certificate into the textbox provided.
      Figure 6: Custom CA certificate
    • Client Certificate (optional): A Custom CA Certificate also has a Client Certificate section where you can configure a client certificate and a private key (Fortanix DSM certificate and key). This allows Fortanix DSM to authenticate itself to the Azure Key Vault and vice versa.
      Figure 7: Add client cert and private key
    • Select the Validate Host check box to check that the certificate presented by the Azure Key Vault carries the same subjectAltName or Common Name (CN) as the hostname Fortanix DSM connected to.
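The Custom CA Certificate and Validate Host options above amount to two client-side checks: the vault's certificate must chain to a CA you trust, and its subjectAltName must match the hostname you intended to reach. The Go program below is an added illustration and is not Fortanix code: it builds a throw-away internal CA and server certificate (the hostname is constructed, not a real Azure endpoint), then shows that with host validation off a certificate issued for a different hostname still verifies as long as the chain is good, while with it on the mismatch is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed hostname for the example; it is not a real Azure endpoint.
const vaultHost = "myvault.vault.example.test"

// issueCA creates the self-signed root that plays the "Custom CA Certificate".
func issueCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueServerCert has the CA sign a leaf whose subjectAltName is host.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyServer is the client-side check: the leaf must chain to the trusted CA
// and, when validateHost is set, its subjectAltName must match the host we
// meant to reach (Go matches SAN only; it no longer falls back to the CN).
func verifyServer(leaf, ca *x509.Certificate, expectedHost string, validateHost bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if validateHost {
		opts.DNSName = expectedHost
	}
	_, err := leaf.Verify(opts)
	return err
}

// tlsConfigFor expresses the same policy for a real connection: trust only the
// configured CA and pin the expected server name.
func tlsConfigFor(ca *x509.Certificate, host string) *tls.Config {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &tls.Config{RootCAs: roots, ServerName: host, MinVersion: tls.VersionTLS12}
}

func main() {
	ca, caKey, err := issueCA()
	if err != nil {
		panic(err)
	}
	leaf, err := issueServerCert(ca, caKey, vaultHost)
	if err != nil {
		panic(err)
	}
	fmt.Println("right host, Validate Host on :", verifyServer(leaf, ca, vaultHost, true))
	fmt.Println("wrong host, Validate Host on :", verifyServer(leaf, ca, "other.example.test", true))
	fmt.Println("wrong host, Validate Host off:", verifyServer(leaf, ca, "other.example.test", false))
}
```

The third line of output is the case the Validate Host check box exists to close: a certificate from a trusted CA but for the wrong name is accepted when only the chain is checked.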

2.5  Test Connection

  1. Click TEST CONNECTION to test your Azure KMS connection. If Fortanix DSM is able to connect to your Azure Key Vault using your connection details, then it shows the status as “Connected” with a green tick. Otherwise, it shows the status as “Not Connected” with a yellow warning sign.
    Figure 8: Test connection - successful
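What TEST CONNECTION exercises underneath is an OAuth2 client-credentials exchange: the Tenant ID selects the token endpoint, the Client ID and Client Secret authenticate the app, and the returned bearer token is all that Key Vault ever sees. The Go program below is an added example, not Fortanix's implementation or the Azure SDK; the credentials and key identifiers are constructed, and a local mock stands in for both Azure AD and Key Vault so the exchange runs offline. A wrong secret fails at the token step, which is the situation the UI reports as “Not Connected”.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Constructed stand-ins for the Tenant ID, Client ID and Client Secret entered
// in the Authentication section. They are not real Azure values.
const (
	tenantID     = "11111111-2222-3333-4444-555555555555"
	clientID     = "22222222-3333-4444-5555-666666666666"
	clientSecret = "example-client-secret-value"
	vaultScope   = "https://vault.azure.net/.default"
)

// fetchToken performs the OAuth2 client-credentials exchange. The client secret
// goes only to the tenant's token endpoint (in production
// https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token); Key Vault
// itself only ever sees the short-lived bearer token that comes back.
func fetchToken(client *http.Client, authority, tenant, id, secret string) (string, error) {
	form := url.Values{
		"grant_type":    {"client_credentials"},
		"client_id":     {id},
		"client_secret": {secret},
		"scope":         {vaultScope},
	}
	resp, err := client.PostForm(authority+"/"+tenant+"/oauth2/v2.0/token", form)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint returned HTTP %d", resp.StatusCode)
	}
	var tr struct{ AccessToken string `json:"access_token"` }
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil || tr.AccessToken == "" {
		return "", fmt.Errorf("malformed token response: %v", err)
	}
	return tr.AccessToken, nil
}

// listKeys is the call behind SYNC KEYS: it returns key identifiers and
// attributes only; key material never leaves the vault, which is why DSM holds
// virtual keys. Production base URL: https://{vault-name}.vault.azure.net
func listKeys(client *http.Client, vaultURL, token string) ([]string, error) {
	req, err := http.NewRequest(http.MethodGet, vaultURL+"/keys?api-version=7.4", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("vault returned HTTP %d", resp.StatusCode)
	}
	var body struct {
		Value []struct {
			KID string `json:"kid"`
		} `json:"value"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return nil, err
	}
	kids := make([]string, 0, len(body.Value))
	for _, v := range body.Value {
		kids = append(kids, v.KID)
	}
	return kids, nil
}

// newMockAzure plays both Azure AD and Key Vault so the exchange runs offline:
// it issues a token only for the constructed secret and serves the key list
// only to a caller presenting that token.
func newMockAzure() *httptest.Server {
	const issued = "mock-bearer-token"
	mux := http.NewServeMux()
	mux.HandleFunc("/"+tenantID+"/oauth2/v2.0/token", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.FormValue("client_id") != clientID || r.FormValue("client_secret") != clientSecret {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		fmt.Fprintf(w, `{"access_token":%q,"token_type":"Bearer","expires_in":3599}`, issued)
	})
	mux.HandleFunc("/keys", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+issued {
			http.Error(w, `{"error":{"code":"Unauthorized"}}`, http.StatusUnauthorized)
			return
		}
		// Constructed key identifiers in Key Vault's kid format.
		fmt.Fprint(w, `{"value":[{"kid":"https://example-vault.vault.azure.net/keys/app-signing/0123"},{"kid":"https://example-vault.vault.azure.net/keys/db-wrap/4567"}]}`)
	})
	return httptest.NewServer(mux)
}
```

To exercise it, start newMockAzure, call fetchToken with the server's URL as the authority and then listKeys with the token; repeating fetchToken with any other secret returns an error instead of a token, and listKeys with a token the mock did not issue is refused with HTTP 401.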

2.6  Select Key Vault

Azure Key Vault provides two types of resources to store and manage cryptographic keys: Vaults and Managed HSMs. Vaults support software-protected and HSM-protected keys. Managed HSMs only support HSM-protected keys.

NOTE
For Fortanix DSM release 4.1, only software-backed key vaults and HSM-backed key vaults are supported. The HSM-backed key vaults will be stored in software in this release. For more details about the types of resources that Azure Key Vault provides, refer to the Azure documentation.
  1. When the Azure KMS is connected successfully, the Key Vault Name field is enabled. From the list of key vaults for the Subscription ID entered, select a key vault. Click SAVE to save the group.
    Figure 9: Select subscription ID

2.7  Create Group

Now, save your group details by clicking SAVE.

Once you save your group details, your group is created, and you will see a detailed view of your group.

Figure 10: Create group
Figure 11: Group detailed view

The group details now include an HSM/KMS tab, which shows the details of your KMS.

NOTE
You can only edit the Tenant ID, Client ID, and Client Secret to update the Azure KMS connection details. The key vault name is non-editable.

2.8  The HSM/KMS Tab

The HSM/KMS tab shows the details of the KMS that were added such as the Tenant ID, Client ID, Client Secret, Subscription ID, and Key Vault Name.

Once you edit the connection details and save it, click TEST CONNECTION to test the connection.

Click SYNC KEYS to sync keys from the configured Azure KMS to the Azure-backed Fortanix DSM group.

Figure 12: Sync keys

2.9  Sync Keys

When you edit the Azure Key Vault connection details in the Azure KMS group detailed view under the HSM/KMS tab, click SYNC KEYS to import new keys. On clicking SYNC KEYS, Fortanix DSM connects to Azure Key Vault, gets all the keys available, and stores them as virtual keys.

NOTE
  • When keys are synced with Azure Key Vault, the metadata of the existing keys for the configured service account is downloaded and represented as virtual keys. The actual key material for those keys is always stored in Azure Key Vault.
  • Clicking SYNC KEYS only returns the keys from Azure Key Vault that are not present in Fortanix DSM. That is, every click will append only new keys to Fortanix DSM.
  • The time taken to sync keys from Azure Key Vault to DSM is a function of the number of keys in the Azure vault and the network latency between the Azure location and DSM. It can take several minutes if there are hundreds of keys and there is significant network latency.

Figure 13: Scanned keys

2.10  Not Connected Scenario

On clicking TEST CONNECTION, it is possible that Fortanix DSM is not able to connect to the Azure Key Vault. In that case, it displays a “Not Connected” status with a warning symbol. You can save the connection details provided and edit them later.

2.11  Groups Table View

After saving the group details, you can see the list of all groups. Notice the special symbol next to the newly created group; it differentiates this group from the others by showing that it is an external KMS group.

Figure 14: Azure KMS groups

2.12  User's View

Click the Users tab in the Fortanix DSM UI, and click the user that says “You” to go to the user’s detailed view, as shown below.

Figure 15: User's table

The detailed view shows all the groups the user is a part of. Additionally, Fortanix DSM displays which groups are mapped to Azure Key Vault and whether they are “Connected” or “Not Connected”.

Figure 16: User detailed view

3.0  Fortanix Data Security Manager Azure KMS Security Objects

3.1  Create a Key in Azure KMS Group - Generate (Software-Backed Key Vault)

You can generate a key in a configured Azure KMS (Software backed key vault).

3.1.1  Generate a Key

This action will generate the configured key type in the software-backed Azure Key Vault, and it will be represented as a virtual key in the corresponding Azure KMS group. This means that the virtual key in the Azure KMS group will point to the actual key in the software-backed Azure Key Vault that stores the key material of this new key. The virtual key only stores the key information and key attributes, but it does not have the key material.

In your Fortanix DSM console, follow the process below to create a new key:

  1. Click the Security Objects tab (Figure 17).
  2. Click the Add button to create a new Security Object.
    Figure 17: Security objects tab in Fortanix Data Security Manager
  3. In the Add New Security Object form (Figure 18) enter a name for the Security Object (Key).
  4. Select the This is an HSM/external KMS object check box (Figure 18). This will show the Azure KMS configured groups in the Select group list.
  5. In the Azure group list, select the Azure group into which the keys will be generated. The Key vault name associated with the Azure group is displayed.
    Figure 18: Assign key to the Azure group
  6. Select GENERATE IN AZURE to initiate the generate key in Azure workflow.
  7. Enter the Azure key name: The Azure key name is the key name that will be stored in Azure Key Vault. The Azure key name will be used to correlate between different versions of a key. All the key versions will have the same Azure key name.
  8. Select the key type for the new Azure KMS key.
    NOTE
    The allowed key types for an Azure key generated using the Generate Key button are:
    • RSA key pairs (RSA_2048, RSA_3072, and RSA_4096)
    • Elliptic curve key pairs (ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, and ECC_SECG_P256K1).
    These key types can further be restricted by setting a crypto policy for the account or group. For more details about the crypto policy, refer to the article: https://support.fortanix.com/hc/en-us/articles/360042064051-User-s-Guide-Crypto-Policy.
    Figure 19: Generate key in Azure
  9. Enter the Key size.
  10. Enter the key Expiration Date and key Activation Date.
    Figure 20: Enter key parameters
  11. Select the permitted key operations under Key operations permitted section.
  12. Add any key tags if required using ADD TAG.
  13. Click the GENERATE button to generate the key in Azure Key Vault.
    Figure 21: Generate a key
  14. The new Azure key is created and represented with a special symbol to denote that it is of type "External KMS". In the detailed view of the Azure key, you will notice the following:
    • The “key state” - whether the key is in a pre-active or active state, based on the “activation date” selected during key creation.
    Figure 22: Key state and Azure key name
    • The Azure Key Name appears at the top.
    • The group to which it belongs (in the Group field). A special icon also shows whether the group is mapped to Azure Key Vault.
    • How the key was created (in the Created by field). If it is an Azure KMS key, this field shows the group that created the key, and whether that group is “Connected” or “Not Connected”.
    Figure 23: Security objects detailed view
  15. The new key will be added to the Security Objects table.
    Figure 24: Key added
    TIP
    • You can also access the new key from the Group detailed view from the SECURITY OBJECTS tab (Figure 25).
    • You can also add a new key from the Group detailed view from the SECURITY OBJECTS tab (Figure 25), click ADD SECURITY OBJECT, and follow steps 3-13 above.
    Figure 25: View/add Azure KMS security objects
    Go to the AZURE KEY DETAILS tab to see the properties of the Azure key, such as the Version Number and Resource ID of the key.
    Figure 26: Azure key properties
    Log in to the Azure console and verify if the new key is generated successfully.
    NOTE
    When a new key is created in the Azure Key Vault from Fortanix DSM, a backup blob for the key (along with its key versions) will be downloaded from Azure and saved into Fortanix DSM when a SCAN is performed on the group.

3.1.2  Bring Your Own Key - Import Key 

This action will import the configured key type in the software-backed Azure Key Vault directly, and it will be represented as a virtual key in the corresponding Azure KMS group. This means that the virtual key in the Azure KMS group will point to the actual key in the Azure Key Vault that stores the key material of this new key. The virtual key only stores the key information and key attributes, but it does not have the key material. The import action will not store a copy of the key material in Fortanix DSM.

  1. Follow Steps 1-5 from Section 3.1.1.
  2. Select IMPORT to initiate the import key in Azure workflow.
  3. Enter the Azure key name.
  4. Select the key type for the new Azure KMS key.
    NOTE
    The allowed key types for an Azure key imported using the Import Key workflow are:
    • RSA key pairs (RSA_2048, RSA_3072, and RSA_4096).
    • Elliptic curve key pairs (ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, and ECC_SECG_P256K1).
  5. Sometimes an RSA key that needs to be imported from a file was previously wrapped (encrypted) with a key from Fortanix DSM, so that the key material does not cross the TLS connection in plaintext. In such scenarios, select The key has been encrypted check box.
    1. Next, enter or select a Key ID or SO name in the Select Key Encryption Key section; this key will be used to unwrap (decrypt) the encrypted key in the file, which will later be stored securely in Fortanix DSM. This key should have already been created or imported in Fortanix DSM.
  6. Click UPLOAD A FILE to upload the key file in Raw, Base64, or Hex format.
  7. Select the permitted key operations and add any key tags if required using ADD TAG.
  8. Click IMPORT to import the key.
  9. The key is successfully imported.
NOTE
When a new key is created in the Azure Key Vault from Fortanix DSM, a backup blob for the key (along with its key versions) will be downloaded from Azure and saved into Fortanix DSM when a SCAN is performed on the group.
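Step 5 of the import workflow refers to key files that were wrapped with a Fortanix DSM key so that the material never crosses TLS in plaintext. The Go program below is an added illustration of that idea, not the scheme Fortanix uses (the page does not name one): it generates a P-256 private key of one of the allowed EC types, wraps its PKCS#8 encoding under a constructed AES-256 key-encryption key with AES-GCM, base64-encodes the blob as an UPLOAD A FILE payload in Base64 format would be, and unwraps it on the receiving side, rejecting any blob whose authentication tag fails. The key-encryption key, the associated-data label and the function names are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"errors"
)

// Constructed 256-bit key-encryption key standing in for the Fortanix DSM
// security object chosen under "Select Key Encryption Key". It is hard-coded
// only so the example runs offline; a real KEK never appears in source.
var exampleKEK = []byte("0123456789abcdef0123456789abcdef")

// importAAD is additional authenticated data that ties a blob to this
// workflow, so a wrapped key cannot be replayed elsewhere under the same KEK
// (an assumption of this example, not something the page specifies).
var importAAD = []byte("byok-import-v1")

// wrapKeyMaterial encrypts exported private-key bytes under the KEK with
// AES-256-GCM (assumed here as the wrapping scheme). The result is
// nonce || ciphertext || tag, base64-encoded to match the "Base64" upload format.
func wrapKeyMaterial(kek, material []byte) (string, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, material, importAAD) // nonce is prefixed to the output
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// unwrapKeyMaterial is the receiving side ("The key has been encrypted"):
// decode, split off the nonce and refuse any blob whose tag does not verify,
// so a truncated or tampered upload is rejected rather than imported.
func unwrapKeyMaterial(kek []byte, encoded string) ([]byte, error) {
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("wrapped blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, importAAD)
}

// exportPrivateKeyDER produces the kind of material an import carries: a fresh
// P-256 private key (one of the allowed EC types) serialised as PKCS#8 DER.
func exportPrivateKeyDER() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return x509.MarshalPKCS8PrivateKey(key)
}

// roundTrip wraps freshly generated material, unwraps it with the same KEK and
// reports whether the bytes survived unchanged.
func roundTrip(kek []byte) (bool, error) {
	der, err := exportPrivateKeyDER()
	if err != nil {
		return false, err
	}
	blob, err := wrapKeyMaterial(kek, der)
	if err != nil {
		return false, err
	}
	got, err := unwrapKeyMaterial(kek, blob)
	if err != nil {
		return false, err
	}
	return bytes.Equal(der, got), nil
}
```

Because GCM authenticates the whole blob, the receiver learns about a wrong key-encryption key, a flipped byte or a truncated file before any key material is produced, which is the property that makes the "The key has been encrypted" path safe to automate.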

3.1.3  Bring Your Own Key - Copy Key to Azure Key Vault

Use this option when you want to generate a key in Fortanix DSM and then import the key into the configured Azure Key Vault. The copy key to Azure feature copies a security object from one regular Fortanix DSM group to another regular or Azure KMS Fortanix DSM group. This feature has the following advantages:

  • Maintains a single source of key material while using/importing that key into various Fortanix DSM groups where applications may need to use a single key to meet business objectives.
  • Maintains a link of various copies of the same key material to the source key for audit and tracking purposes.

The following actions will happen as part of the copy key operation:

  • A new key will be created in the target group: The new key will have the same key material as the original.
  • The source key links to the copied keys: There will be a link maintained from all copied keys to the source key.
  • The Source key will also have basic metadata-based information about the linked keys such as:
    • Copied by <user-name/app id>
    • Date of Copy <time stamp>
    • Target copy group name
NOTE
The name of the copied key is suggested automatically to the user as [original key name]_[copy1,2,...], but can be replaced with an alternative unique name.

To copy a key from a regular Fortanix DSM group to an Azure KMS group:

  1. Go to the detailed view of a key and click the NEW OBJECT icon on the far right of the screen.
    Figure 27: Initiate copy key
  2. In the menu that appears, click the COPY KEY button.
    Figure 28: Click copy key
    NOTE
    • The allowed key types for an Azure key generated using the copy key workflow are:
      • RSA key pairs (RSA_2048, RSA_3072, and RSA_4096).
      • Elliptic curve key pairs (ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, and ECC_SECG_P256K1).
    • The RSA or EC key to be copied must have the “Export” permission enabled, or the copy key operation will fail.
    • The COPY KEY button is disabled for all Azure KMS virtual keys.
  3. In the COPY KEY window, update the name of the key if required using the edit icon.
  4. Select the Import key to HSM/External KMS check box to filter the groups to show only HSM/AWS KMS/Azure KMS groups. Select the Azure KMS group into which the copied key should be imported.
  5. Enter the Azure key name.
  6. Update KEY PERMISSIONS if you want to modify the permissions of the key.
    Figure 29: Create copy
  7. Click CREATE COPY to create a copy of the key as shown in the figure above.
  8. The source key will now appear as a key link in the KEY LINKS tab in the detailed view of the copied key.
    Figure 30: Key link
    NOTE
    If a user wants to maintain a copy of the key material in Fortanix DSM, then the user can import a regular RSA/EC key into Fortanix DSM using the “import key” workflow and then copy this key into Azure Key Vault using the “copy key” workflow.

3.2  Attributes/Tags Tab

This tab will have all the tags of the software-backed Azure key. You can add new tags using the NEW TAG button.

Figure 31: Key attributes

3.3  Azure Key Details

This tab displays details of the Azure key properties such as Resource ID and Key version number.

Figure 32: Azure key details

The AZURE KEY DETAILS tab also contains SOFT DELETE KEY option, which is explained in Section 3.6.

3.4  Security Objects Table View

After you add new Azure keys, go to the Security Objects page to view all the security objects from all the groups (Regular and HSM/External KMS).

In the security object table, you will notice that every key belongs to a group, and that the virtual keys added from an Azure Key Vault belong to a group marked with a special symbol. The security objects table view continues to show all the keys irrespective of whether they belong to an Azure KMS group or not.

Figure 33: Security objects table view

3.5  Deactivate a Key in Azure Group

When you deactivate an Azure key in Fortanix DSM, the action will deactivate the virtual key in Fortanix DSM and the actual key in the configured Azure Key Vault KMS will be disabled.

To deactivate a key:

  1. Select the Azure key to deactivate.
  2. In the security object detailed view, scroll down, and click the DEACTIVATE button.
    Figure 34: Deactivate key

3.6  Soft Delete a Key in Azure Key Vault

Soft delete deletes a key from an Azure Key Vault that was already scanned into the Azure KMS group in Fortanix DSM, while keeping a link to recover the key. When you then click SCAN KEYS in Fortanix DSM:

  • The status of the key in the Azure KMS group will become “soft-deleted in Azure”.
  • The key can only be recovered for a retention period set in the key vault.
  • If you choose to recover this key, the virtual key will become active as well as the actual key will become active in the Azure Key Vault.
  • If you do not recover the key within the retention period, the Azure key vault will automatically purge and delete the key permanently.

To delete a key from Azure Key Vault:

  1. Go to the detailed view of an Azure KMS virtual key and select the AZURE KEY DETAILS tab.
  2. Click the SOFT DELETE KEY link.
    Figure 35: Azure Key Vault Schedule Key Deletion
  3. In the Soft Key Deletion in Azure Key Vault window, select the confirmation “I understand that the key is not usable for Sign/Verify, Wrap/Unwrap or Encrypt/Decrypt operations once it is deleted.”
  4. Click the SOFT DELETE KEY button to mark the key for deletion.
    Figure 36: Initiate soft key delete
  5. You can recover the deleted key any time before the waiting period ends using the RECOVER DELETED KEY link at the top of the screen in the detailed view of the virtual key. When the “Recover Key” link is clicked, the key is restored in Azure Key Vault from the archived blob along with all its versions.
    Figure 37: Cancel key deletion
    NOTE
    • When the retention period ends, the key gets purged and deleted permanently. However, even if the key is purged in Azure Key Vault, if the key was imported from Fortanix DSM, then the same key material can be re-imported into Azure Key Vault.
    • In the Azure Key Vault, when a key is deleted, all its versions get deleted along with it and when restored, all its versions are restored together.

3.7  Delete a Key in Azure Group

The DELETE KEY button will be enabled when the key material has been purged in Azure. When you click DELETE KEY, Fortanix DSM will remove the key backup blob, and hence the key cannot be restored.

To delete a virtual key:

  1. Select the Azure key to delete.
  2. In the security object detailed view, scroll down and click the DELETE KEY button.
    Figure 38: Delete Azure virtual key

4.0  Rotate Key in Azure Group

4.1  Rotating Azure Native Key* with Another Native Key

*Native key is one where the key material was generated by Azure Key Vault.

When you rotate a virtual key in an Azure KMS group, the action will rotate the key inside the Azure Key Vault by generating another new version of the key within the configured Azure Key Vault in a nested way by moving the key alias from the old key to the new key.

To rotate a key in Azure Key Vault:

  1. Select the Azure virtual key to rotate.
  2. In the detailed view of the Azure virtual key, click the ROTATE KEY button.
    Figure 39: Rotate key
  3. In the Key Rotation window, click the ROTATE KEY button to rotate the virtual key.
    Figure 40: Rotate virtual key
    A new rotated key is now generated.

4.2  Rotating Keys in Fortanix Data Security Manager Source Group

When a key is rotated that belongs to a Fortanix DSM source group and has linked keys that are copies of the Fortanix DSM source key with the same key material as the source key, then the user is given the option to select the linked keys for key rotation. If these linked keys belong to an Azure KMS group, then rotating the linked keys results in rotating the keys in Azure Key Vault as well by generating new versions of the keys within the configured Azure Key Vault in a nested manner.

  1. Click ROTATE KEY in the detailed view of a Fortanix DSM Source Key.
  2. In the KEY ROTATION window, select the Rotate linked keys check box.
  3. Select the Azure virtual keys that need to be rotated along with the Fortanix DSM source key and click ROTATE KEY to rotate the linked keys.
    Figure 41: Rotate linked keys

4.3  Rotate Azure Native Key to Fortanix Data Security Manager Owned Key

When an Azure KMS virtual key whose key material is owned by Azure KMS is rotated, the user is given an option to rotate the virtual key with a Fortanix DSM-backed key. When the user selects this option and performs the rotation, a new virtual key is created, with the corresponding key in Azure KMS, which has the key material of the Fortanix DSM-backed key. As a result, the Azure KMS virtual key is backed by a Fortanix DSM Source key.

To rotate a virtual key with Fortanix DSM backed key:

  1. Click ROTATE KEY in the detailed view of an Azure virtual key.
  2. In the Key Rotation window, select the Rotate to S-D KMS key check box.
  3. Select the Fortanix DSM group that contains the source key.
  4. Select the source key and click the ROTATE KEY button.
    Figure 42: Rotate virtual key with Fortanix DSM Key
    The virtual key is successfully rotated and backed by the source key. To confirm, go to the detailed view of the newly rotated Azure virtual key and click the AZURE KEY DETAILS tab. The SOURCE field now points to “FortanixHSM” instead of “External”.
    Figure 43: Azure virtual key's source changed