User's Guide: Azure Managed HSM

1.0  Overview

Welcome to the Fortanix Data Security Manager (DSM) Azure Key Vault (AKV) Managed Hardware Security Module (HSM) Key Management Service (KMS) User Guide. This article describes how to add a new Azure AKV Managed HSM to Fortanix DSM. 

The Fortanix solution for AKV Managed HSM KMS offers complete Bring Your Own Key (BYOK) and lifecycle management for management and automation of Azure Managed HSM keys and allows users to manage all keys centrally and securely.

1.1  Types of Azure BYOK Flows

1. Fortanix DSM key BYOK into Standard Tier Azure Key Vault (Software-protected: FIPS 140-2 Level 1compliance)
2. Fortanix DSM Key BYOK into Premium Tier Azure Key Vault (HSM-protected: FIPS 140-2 Level 2 compliance)
3. Fortanix DSM key BYOK from Fortanix DSM as HSM into Azure Key Vault HSM using custom Key wrapping inside Fortanix DSM
4. Fortanix BYOK into Azure Managed HSM (HSM-protected: Azure FIPS 140-2 Level 3 compliance).

2.0  Fortanix Data Security Manager Azure Managed HSM Group Workflow

2.1  Azure App Configuration

Register Fortanix DSM as an app in Azure and get the app’s Active Directory (AD) credentials as explained here.

2.2  Create and Configure Azure Key Vaults

• Create one or two non-HSM Key Vault and give 9 key management permissions as explained here.
• Create one or two HSM-backed Key Vault and give 9 key management permissions as explained here.

2.3  Prerequisites

To configure the AKV Managed HSM Fortanix DSM group, the following are the prerequisites that the app in Azure Cloud Data Control (CDC) must have to authenticate the Fortanix DSM group with Azure Key Management Services.

• The app’s API permissions to access the Key Vault. Refer to Figure 5 in Fortanix DSM with Azure Use Case Guide for more details.
• Adding the app in the Access Policy of the Key Vault. Refer to Figure 8 in Fortanix DSM with Azure Use Case Guide for more details.
  NOTE

  The access policies for the app registered to the key vault should include the permissions: "GET", "LIST", "UPDATE", "CREATE", "IMPORT", "DELETE", "RECOVER", "BACKUP", "RESTORE", "PURGE".
• Register the app as a key-vault contributor in role assignment.
  • In the Azure portal, open your Key Vault.
  • Click Access Control (IAM) -> Add -> Add role assignment.
  • In the Add role assignment panel, select the Role as Key Vault Contributor.
  
                                Figure 1: Add role assignment

2.4  Configure the Azure Managed HSM

1. On the Fortanix DSM Groups page, click the button to create a new Azure Managed HSM group. 
2. In the Add new group form,
   1. Enter a title and description for your group.
   2. Next, click the LINK HSM/EXTERNAL KMS button to choose the Azure Managed HSM type, so that Fortanix DSM can connect to it.

2.4.1  Create Azure KMS Group

1. Select the type of HSM/external KMS as Azure Managed HSM in the drop down.
2. In the Choose Service field, select from the following Azure services that you want to authenticate against and establish a successful key vault connection. You can choose from the following Azure services:
   • global Azure
   • Azure for US Government
   Select the “global Azure” option to authenticate and upload the key material to any non-GovCloud Azure service or select the “Azure for US Government” option to authenticate and upload key material to the specific Azure service set aside for the US government
   
   NOTE

   To use Azure US Government, you need to be a US citizen associated with the US Federal Government or a US government contractor. Please refer to the Cloud Providers' documentation about access to these environments.
3. Use the AD credentials created in Section 2.1 to set up an Azure-backed Fortanix DSM Group. Azure subscriptions have a trust relationship with Azure Active Directory (Azure AD).
   In the Authentication section, enter the Azure KMS account credentials:
   
   • Tenant ID: Each subscription has a Directory ID/Tenant ID. Enter the Tenant ID.
   • Client ID: Each subscription has an Application ID/Client ID. Enter the Client ID.
   • Client Secret: A secret string that a registered application in Azure uses to prove its identity when requesting a token at a web addressable location (using an HTTPS scheme). Client Secret is also referred to as application password. Enter the “Value” of the Client Secret from the “Client secrets” section in Azure.
     NOTE

     Currently, Fortanix DSM supports only "Client Secret" value based authentication.
   • Subscription ID: The Subscription ID is the ID of your Azure AD subscription containing the Key Vaults associated with that Subscription ID. You can get the subscription ID by navigating to Subscriptions in the Azure portal. Refer to Azure Subscriptions and Roles for more details.
   Refer to Figure 3 and Figure 4 in Fortanix DSM with Azure Use Case Guide to get the Tenant ID, Client ID, and Client Secret. 

2.5 Test Connection

1. Click TEST CONNECTION to test your Azure KMS connection. If Fortanix DSM is able to connect to Azure using your connection details, then it shows the status as “Connected” with a green tick  and fetches the key vaults associated with the Subscription ID. Otherwise, it shows the status as “Not Connected” with a yellow warning sign  .

2.6 Select Azure Managed HSM Instance

Azure Key Vault provides two types of resources to store and manage cryptographic keys: Vaults and Managed HSMs. Vaults support software-protected and HSM-protected keys. Managed HSMs only support HSM-protected keys.

For more details about the types of resources that Azure key vault provides, refer to Azure documentation.

When the Azure KMS is connected successfully, it will enable the Managed HSM Instance field. From the list of Managed HSMs instances for the Subscription ID entered, select an HSM instance. Click SAVE to save the group.

2.7 Add Certificate

1. Click + ADD CONFIGURATION to add a certificate for authenticating your Azure Managed HSM. There are two certificate options to choose from.
   • Global Root CA – Use this certificate if you are using a certificate that is signed by a well-known public CA. By default, every Azure Managed HSM group is configured with a Global Root CA Certificate.
   • Custom CA Certificate – Use this certificate if you as an enterprise want to self-sign the certificate using your own internal CA. You can override the default Global CA cert with a Custom CA Certificate for an Azure KMS group. You can either upload the certificate file or copy the contents of the certificate in the textbox provided. 
   • Client Certificate (optional): A Custom CA Certificate also has a Client Certificate section where you can configure a client certificate and a private key (Fortanix DSM Certificate and Key). This allows Fortanix DSM to authenticate itself to the AKV Managed HSM and vice versa. 
   • Select the Validate Host check box to check if the certificate that the Azure Key Vault provided has the same subjectAltName or Common Name (CN) as the hostname that the server certificate is coming from.

2.8  The HSM/KMS Tab

After you save your group details, your group is created, and you will see a detailed view of your group. Now you can see that there is an addition of the HSM/KMS tab in the group details, this tab shows the details about your KMS.

The HSM/KMS tab shows the details of the KMS that was added such as the Tenant ID, Client ID, Client Secret, Subscription ID, and Managed HSM Instance.

Once you edit the connection details and save it, click TEST CONNECTION to test the connection.

Click SYNC KEYS to sync keys from the configured Azure Managed HSMto the Azure-backed Managed HSM Fortanix DSM group.

2.9  Sync Keys

When you edit the Azure Key Vault connection details in the Azure Managed HSM group detailed view under HSM/KMS tab, click SYNC KEYS to import new keys. On clicking SYNC KEYS, Fortanix DSM connects to Azure Managed HSM and gets all the keys available. Fortanix DSM then stores them as virtual keys.

2.10  Not Connected Scenario

On clicking TEST CONNECTION, it is possible that Fortanix DSM is not able to connect to the Azure Managed HSM, in that case, it displays a “Not Connected” status with a warning symbol . You can save the details of the new connection details provided and edit them later.

2.11  Groups Table View

After saving the group details, you can see the list of all groups and notice the special symbol next to the newly created group, this symbol differentiates it from the other groups, as it shows that it is an external KMS group.

2.12  User's View

Click the Users tab  in the Fortanix DSM UI, and click the user that says “You” to go to the user’s detailed view, as shown below.

The detailed view shows all the groups of which the user is a part of, additionally Fortanix DSM displays which groups are mapped to Azure Managed HSM and whether they are “Connected” or “Not Connected”.

3.0  Fortanix Data Security Manager Managed HSM Security Objects

3.1  Create a Key in Azure Managed HSM Group - Generate (Managed HSM Pool)

You can generate a key in a configured Azure Managed HSM (Managed HSM Pool).

3.1 1  Generate a Key

This action will generate the configured key type in the Azure Managed HSM Pool, and it will be represented as a virtual key in the corresponding Azure Managed HSM group. This means that the virtual key in the Azure Managed HSM group will point to the actual key in the Azure Managed HSM Pool that stores the key material of this new key. The virtual key only stores the key information and key attributes, but it does not have the key material.

In your Fortanix DSM console, follow the process below to create a new key:

1. Click the Security Objects tab.
2. Click to create a new Security Object. 
3. In the Add New Security Object form, enter a name for the Security Object (Key).
4. Select the This is an HSM/external KMS object check box. This will show the Azure Managed HSM configured groups in the Select group list.
5. In the Azure group list, select the Azure Managed HSM group into which the keys will be generated. The Managed HSM Instance associated with the Azure group is displayed. 
6. Select GENERATE IN AZURE to initiate the generate key in Azure workflow.
7. Enter the Azure key name: The Azure key name is the key name that will be stored in Azure Key Vault. The Azure key name will be used to correlate between different versions of a key. All the key versions will have the same Azure key name.
8. Select the key type for the new Azure KMS key.
   
   NOTE

   The allowed key types for an Azure key generated using the Generate Key button are:

   • RSA key pairs ( RSA_2048, RSA_3072, and RSA_4096).
   • AES 256
   These key types can further be restricted by setting a crypto policy for the account or group. For more details about the crypto policy, please refer to the article: https://support.fortanix.com/hc/en-us/articles/360042064051-User-s-Guide-Crypto-Policy. 
9. Enter the Key size.
10. Enter the key Activation Date and key Deactivation Date. 
11. Select the permitted key operations under the Key operations permitted section.
12. Add any key tags if required using ADD TAG.
13. Click the GENERATE button to generate the key in Azure Managed HSM. 
14. The new Azure Key is created and represented with a special symbol  to denote it is of type "External KMS". In the detailed view of the Azure key, you will notice the following things:
    • The “key state” - whether the key is in a pre-active/active state based on the “activation date” selected during the key creation. 
    • The Azure Key Name appears on the top.
    • The group to which it belongs (in the Group field). It also shows if the group is mapped to Azure Managed HSM or not using the special icon .
    • How the key was created (in the Created by field). If it is an Azure Managed HSM key, this field shows the group that created this key. It also shows minor details such as if the group is “Connected” or “Not Connected”.
15. The new key will be added to the Security Objects table. 
    TIP

    • You can also access the new key from the Group detailed view from the SECURITY OBJECTS tab.
    • You can also add a new key from the Group detailed view from the SECURITY OBJECTS tab, click ADD SECURITY OBJECT, and follow steps 3-13 above.
    Go to the AZURE KEY DETAILS tab to see the properties of the Azure Key such as the Version Number and Resource ID of the key.
    Log in to the Azure console and verify if the new key is generated successfully.
    NOTE

    When a new key is created in the Azure Managed HSM from Fortanix DSM, a backup blob for the key (along with its key versions) will be downloaded from Azure and saved into Fortanix DSM when a SYNC is performed on the group.

3.1.2  Bring Your Own Key - Import Key 

This action will import the configured key type in the Azure Managed HSM Pool directly, and it will be represented as a virtual key in the corresponding Azure Managed HSM group. This means that the virtual key in the Azure Managed HSM group will point to the actual key in the Azure Managed HSM that stores the key material of this new key. The virtual key only stores the key information and key attributes, but it does not have the key material. The import action will not store a copy of the key material in Fortanix DSM.

1. Follow Steps 1-5 from Section 3.1.1
2. Select IMPORT to initiate the import key in Azure workflow.
3. Enter the Azure key name.
4. Select the key type for the new Azure KMS key.
   
   NOTE

   The allowed key type for an Azure key generated using the Import Key workflow are.

   • RSA key pairs ( RSA_2048, RSA_3072, and RSA_4096).
   • AES 256
5. Sometimes keys of type RSA that need to be imported from a file were previously wrapped (encrypted) by a key from Fortanix DSM. This is done so that the key should not go over the TLS in plain text format. In such scenarios select the check box The key has been encrypted.
   1. Next enter or select a Key ID or SO name in the Select Key Encryption Key section which will be used to unwrap (decrypt) the encrypted key in the file which will later be stored securely in Fortanix DSM. This key should have already been created or imported into Fortanix DSM.
6. Click UPLOAD A FILE to upload the key file in Raw, Base64, or Hex format.
7. Enter the key Activation Date and key Deactivation Date.
8. Select the permitted key operations and any key tags if required using ADD TAG.
9. Click IMPORT to import the key.
10. The key is successfully imported.

3.1.3  Bring Your Own Key - Copy Key to Azure Key Vault

Use this option when you want to generate a key in Fortanix DSM and then import the key into the configured Azure Managed HSM. The copy key to the Azure feature will copy a security object from one regular Fortanix DSM group to another regular/Azure Managed HSM Fortanix DSM group. This feature has the following advantages:

• Maintains a single source of key material while using/importing that key into various Fortanix DSM groups where applications may need to use a single key to meet business objectives.
• Maintains a link of various copies of the same key material to the source key for audit and tracking purposes.

The following actions will happen as part of the copy key operation:

• A new key will be created in the target group: The new key will have the same key material as the original.
• The source key links to the copied keys: There will be a link maintained from all copied keys to the source key.
• The Source key will also have basic metadata-based information about the linked keys such as:
  • Copied by <user-name/app id>
  • Date of Copy <time stamp>
  • Target copy group name

To copy a key from a regular Fortanix DSM group to an Azure KMS group:

1. Go to the detailed view to a key and click the NEW OBJECT icon  on the far right of the screen. 
2. In the menu that appears, click the COPY KEY button. 
   NOTE

   • The allowed key types for an Azure key generated using the copy key workflow are:
     • RSA key pairs ( RSA_2048, RSA_3072, and RSA_4096).
     • AES 256
   • The RSA and EC key to be copied must have the “Export” permission enabled or the copy key operation will fail.
   • The COPY KEY button will be disabled for all the Azure Managed HSM virtual keys.
3. In the COPY KEY window, update the name of the key if required using the edit icon.
4. Click the Import key to HSM/External KMS check box to filter the groups to show only HSM/AWS KMS/Azure KMS groups. Select the Azure Managed HSM group for the new key into which the copied key should be imported.
5. Enter the Azure key name.
6. Update KEY PERMISSIONS if you want to modify the permissions of the key. 
7. Click CREATE COPY to create a copy of the key as shown in the figure above.
8. The source key will now appear as a key link in the KEY LINKS tab in the detailed view of the copied key. 
   NOTE

   If a user wants to maintain a copy of the key material in Fortanix DSM, then the user can import a regular RSA/AES key into Fortanix DSM using the “import key” workflow and then copy this key into Azure Managed HSM using the “copy key” workflow.

3.2  Attributes/Tags Tab

This tab will have all the tags of the Azure Managed HSM key. You can add new tags using the NEW TAG button.

3.3  Azure Key Details

This tab displays details of the Azure key properties such as Resource ID and Key version number.

The AZURE KEY DETAILS tab also contains SOFT DELETE KEY option, which is explained in Section 3.6.

3.4  Security Objects Table View

After you add new Azure keys, go to the Security Objects page to view all the security objects from all the groups (Regular and HSM/External KMS).

In the security object table, you will notice that every key belongs to a group and some keys which are virtual keys added from an Azure Managed HSM, belongs to a group with a special symbol . The security objects table view will continue to show all the keys irrespective of if they belong to an Azure Managed HSM group or not.

3.5  Deactivate a Key in Azure Group

When you deactivate an Azure key in Fortanix DSM, the action will deactivate the virtual key in Fortanix DSM and the actual key in the configured Azure Managed HSM will be disabled.

To deactivate a key:

1. Select the Azure key to deactivate.
2. In the security object detailed view, scroll down, and click the DEACTIVATE button.

3.6  Soft Delete a Key in Azure Key Vault

Soft delete deletes a key from an Azure Managed HSM which was already scanned in the Azure Managed HSM group in Fortanix DSM with a link to recover this key. Now, when you click SYNC KEYS in Fortanix DSM:

• The status of the key in the Azure KMS group will become “soft-deleted in Azure”.
• The key can only be recovered for a retention period set in the key vault.
• If you choose to recover this key, the virtual key will become active as well as the actual key will become active in the Azure Managed HSM.
• If you do not recover the key within the retention period, the Azure Managed HSM will automatically purge and delete the key permanently.

To delete a key from Azure Managed HSM:

1. Go to the detailed view of an Azure KMS virtual key and select the AZURE KEY DETAILS tab.
2. Click the link SOFT DELETE KEY. 
3. In the Soft Key Deletion in Azure Key Vault window, select the confirmation “I understand that the key is not usable for Sign/Verify, Wrap/Unwrap or Encrypt/Decrypt operations once it is deleted.”
4. Click SOFT DELETE KEY button to mark the key for deletion.
5. You can recover the deleted key any time before the retention period ends using the RECOVER DELETED KEY link on the top of the screen in the detailed view of the virtual key. When the “Recover Key“ link is clicked, the key will be recovered back in Azure Managed HSM with all its versions. 
   NOTE

   • When the retention period ends, the key gets purged and deleted permanently. However, even if the key is purged in Azure Managed HSM, if the key was imported from Fortanix DSM, then the same key material can be re-imported into Azure Managed HSM from the backup blob.
   • In the Azure Managed HSM, when a key is deleted, all its versions get deleted along with it and when restored, all its versions are restored together.

3.7  Delete a Key in Azure Group

The DELETE KEY button will be enabled when the key material has been purged in Azure Managed HSM. When you click DELETE KEY, Fortanix DSM will remove the key backup blob, and hence the key cannot be restored.

To delete a virtual key:

1. Select the Azure Managed HSM key to delete.
2. In the security object detailed view, scroll down and click the DELETE KEY button.

4.0  Rotate Key in Azure Group

4.1  Rotating Azure Native Key* with Another Native Key

*Native key is one where the key material was generated by Azure Managed HSM.

When you rotate a virtual key in an Azure Managed HSM group, the action will rotate the key inside the Azure Managed HSM by generating another new version of the key within the configured Azure Managed HSM in a nested way by moving the key alias from the old key to the new key.

To rotate a key in Azure Managed HSM:

1. Select the Azure virtual key to rotate.
2. In the detailed view of the Azure virtual key, click the ROTATE KEY button. 
3. In the Key Rotation window, click the ROTATE KEY button to rotate the virtual key. 
   A new rotated key is now generated.

4.2  Rotating Keys in Fortanix Data Security Manager Source Group

When a key is rotated that belongs to a Fortanix DSM source group and has linked keys that are copies of the Fortanix DSM source key with the same key material as the source key, then the user is given the option to select the linked keys for key rotation. If these linked keys belong to an Azure Managed HSM group, then rotating the linked keys results in rotating the keys in Azure Managed HSM as well by generating new versions of the keys within the configured Azure Managed HSM in a nested manner.

1. Click ROTATE KEY in the detailed view of a Fortanix DSM Source Key.
2. In the KEY ROTATION window, select the Rotate linked keys check box.
3. Select the Azure Managed HSM Virtual Keys that need to be rotated along with the Fortanix DSM source key and click ROTATE KEY to rotate the linked key. 
4. Once the keys are rotated, click OK.

You can also schedule a key rotation policy for the Fortanix DSM source key such that the linked Azure Managed HSM keys that are copies of the source keys are also periodically rotated automatically.
To schedule a key rotation policy for the source key:

1. Go to the detailed view of the source key in the Fortanix DSM UI.
2. In the detailed view, click the KEY ROTATION tab and click the ADD POLICY
3. Enter the key rotation schedule by specifying the rotation frequency, start date, and time.
4. To deactivate the old key after key rotation, select the Deactivate original key after the rotation check box.
5. To rotate the linked copied keys, select the Rotate all copied keys check box.
6. Click SAVE POLICY to save the policy.

For more information on the key rotation policy, refer to the User’s Guide: Key Lifecycle Management.

4.3  Rotate Azure Native Key to Fortanix Data Security Manager Owned Key

When an Azure Managed HSM virtual key whose key material is owned by Azure Managed HSM is rotated, the user is given an option to rotate the virtual key with a Fortanix DSM-backed key. When the user selects this option and performs the rotation, a new virtual key is created, with the corresponding key in Azure Managed HSM, which has the key material of the Fortanix DSM backed key. As a result, the Azure Managed HSM virtual key is backed by a Fortanix DSM Source key.

To rotate a virtual key with Fortanix DSM backed key:

1. Click ROTATE KEY in the detailed view of an Azure virtual key.
2. In the Key Rotation window, select the Rotate to S-D KMS key check box.
3. Select the Fortanix DSM group that contains the source key.
4. Select the source key and click the ROTATE KEY button. 

   The Virtual key is successfully rotated and backed by the source key. To confirm go to the detailed view of the newly rotated Azure virtual key and click the AZURE KEY DETAILS tab. The SOURCE field now points to “FortanixHSM” instead of “External”.