Create an App registration
Log in to the Azure Portal and go to https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade
Scroll down to Client Secrets, add a new secret, and copy the client secret value to a secure location.
Create an Azure Key Vault
You can use an existing Key Vault instead of creating a new one, but it must be in the Premium service tier to include support for HSM-backed keys. To create a new vault, perform the following steps:
On the Basics tab, set the pricing tier to Premium and set the other fields according to your specific use case.
On the Access Policy tab, configure either a Vault access policy or Azure role-based access control. Regardless of which you choose, you must grant the App Registration you created in the previous section the following key permissions:
| Permission | Description |
|---|---|
| Get | For general operations. |
| List | For general operations. |
| Create | For creating the ephemeral RSA KEK used in BYOK. |
| Import | For importing keys. |
| Delete | For deleting the ephemeral RSA KEK and for deleting your own key material. |
| Purge | Only required if the Key Vault supports soft-delete. The KMES auto-detects this and does not call purge if it is unnecessary. |
The permissions given to the App Registration are the permissions that the Cloud Credential has on the KMES.
On the Networking tab, you must set the connectivity method to either Public Endpoint (All Networks) or Public Endpoint (Selected Networks). If you set the connectivity method to Public Endpoint (Selected Networks), you must whitelist in Azure the subnet that the KMES Series 3 connects from.
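The same vault configuration expressed as an infrastructure-as-code template, added here as an example and not taken from the original page or from the KMES documentation: Premium tier, a vault access policy granting the App Registration exactly the six key permissions in the table above, and a Selected Networks endpoint that admits only the KMES subnet. The vault name, the service principal object ID and the source CIDR are placeholders you must replace.

```bicep
// Added example, not part of the original page. Placeholder values are marked.
@description('Object ID of the service principal behind the App Registration (placeholder)')
param kmesAppObjectId string

@description('Subnet the KMES Series 3 connects from (constructed placeholder, TEST-NET-3)')
param kmesSourceCidr string = '203.0.113.0/24'

param location string = resourceGroup().location

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: 'kv-kmes-byok-example' // placeholder; vault names must be globally unique
  location: location
  properties: {
    tenantId: tenant().tenantId
    // BYOK requires HSM-backed keys, which only the Premium tier provides.
    sku: {
      family: 'A'
      name: 'premium'
    }
    // Vault access policy model. If you choose Azure RBAC instead, set
    // enableRbacAuthorization to true and assign a role with the same key permissions.
    enableRbacAuthorization: false
    enableSoftDelete: true
    // Purge protection is left off: once enabled it cannot be turned off and the
    // Purge call the KMES makes on a soft-deleted vault would be refused.
    accessPolicies: [
      {
        tenantId: tenant().tenantId
        objectId: kmesAppObjectId
        permissions: {
          // Exactly the key permissions from the table above, nothing more.
          keys: [ 'get', 'list', 'create', 'import', 'delete', 'purge' ]
          secrets: []
          certificates: []
        }
      }
    ]
    // "Public Endpoint (Selected Networks)": deny by default, allow only the KMES subnet.
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'None'
      ipRules: [
        { value: kmesSourceCidr }
      ]
    }
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep --parameters kmesAppObjectId=<objectId>`; the object ID is that of the enterprise application (service principal), not the App Registration's application (client) ID.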

