Azure Key Vault integration and key operations

This section explains how to create a key on the KMES, push its key material to Azure, rotate key material on Azure, and delete key material from Azure.

If your environment has a configured firewall, ensure that it allows the following endpoints from the KMES out to the internet:

  • login.microsoftonline.com:443
  • management.azure.com:443
  • <vault-name>.vault.azure.net:443 (Replace <vault-name> with the actual name of your key vault in Azure.)

Create a key on the KMES

1. Log in to the application interface with the default Admin identities.
2. Select Key Management > Keys.
3. Select the key group created in the previous section, and select Create > Random in the Keys section of the menu.
4. Specify any name for the key, then select [ OK ] to finish creating the key.

The key displays in the Keys section of the menu.

Push key material to Azure

1. Ensure that you set the KMES to be the designated device to push key material (under Administration > Configuration > HSM Protected Key Options).
2. Right-click the key you just created and select Cloud > Synchronize to start a job that synchronizes this key to the Azure Key Vault you specified for the key group.
3. Select Logging and Reporting > Jobs and double-click the Synchronize HSM Protected key(s) job that you started. If the synchronization succeeds, a message similar to the following displays:

   2021-09-28 21:27:14 Synchronizing 1 HSM protected key(s)...
   2021-09-28 21:27:28 Synchronized HSM protected key test
   2021-09-28 21:27:28 Successfully synchronized 1 HSM protected key(s)

4. After the job finishes, select the Keys view and select the key group of the key you just synchronized. If the synchronization succeeded, the key shows the Azure version that was assigned to it.

This new key is the active key material for that key name in Azure Key Vault until you push another key.
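To check a job log like the one above programmatically, here is an added example (not Futurex's or the KMES's own code) that parses lines in the format of the page's sample output and treats a push as successful only when the completion line is present and its count matches both the announced count and the number of per-key lines. The exact line layout beyond that sample, and the constructed sample logs, are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")  # timestamp + message
START_RE = re.compile(r"^Synchronizing (\d+) HSM protected key\(s\)")
KEY_RE = re.compile(r"^Synchronized HSM protected key (\S+)$")
DONE_RE = re.compile(r"^Successfully synchronized (\d+) HSM protected key\(s\)")

@dataclass
class SyncResult:
    expected: int = 0                      # count announced by the "Synchronizing" line
    synced_keys: list = field(default_factory=list)   # key names from per-key lines
    reported_done: Optional[int] = None    # count from the "Successfully" line, if any
    unrecognised: list = field(default_factory=list)  # lines outside the known format

    @property
    def ok(self) -> bool:
        # Succeeded only if the completion line exists and all three counts agree.
        return (self.reported_done is not None
                and self.reported_done == self.expected
                and len(self.synced_keys) == self.expected)

def parse_sync_job(log_text: str) -> SyncResult:
    result = SyncResult()
    # Skip blank lines; every real entry must carry the timestamp prefix.
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            result.unrecognised.append(line)
            continue
        msg = m.group(2)
        if (s := START_RE.match(msg)):
            result.expected = int(s.group(1))
        elif (k := KEY_RE.match(msg)):
            result.synced_keys.append(k.group(1))
        elif (d := DONE_RE.match(msg)):
            result.reported_done = int(d.group(1))
        else:
            result.unrecognised.append(msg)
    return result

# Constructed sample: the successful job log shown on this page.
SAMPLE_OK = """\
2021-09-28 21:27:14 Synchronizing 1 HSM protected key(s)...
2021-09-28 21:27:28 Synchronized HSM protected key test
2021-09-28 21:27:28 Successfully synchronized 1 HSM protected key(s)
"""
# Constructed sample: a job that announced a key but never reported completion.
SAMPLE_INCOMPLETE = "2021-09-28 21:30:00 Synchronizing 1 HSM protected key(s)...\n"
```

Anything left in `unrecognised` is worth inspecting, since an error line from the KMES would land there rather than silently passing.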

Rotate key material on Azure

When the time for rotation comes (if scheduled during key group creation), a new key generates locally on the KMES, gets a name based on the key group name, and synchronizes to Azure. Because pushing a new key to Azure with the same name as the old key is the same thing as pushing a new version of that key, the new key material becomes the active material.

You can perform a force rotation of the key material by right-clicking the key group and selecting Cloud > Force Rotation. This creates a new key locally and automatically synchronizes it to Azure.

Rotation also sets the last-rotated timestamp on that particular group, if the rotation succeeds.

Delete key material from Azure

Deleting the local key material and deleting the cloud key material are two different actions. Deleting the local key material does not delete the key material on the Key Vault if the key has been pushed.

To delete the cloud key material, perform the following steps:

1. Right-click the key group for which you want to delete the cloud key material, and select Cloud > Delete on Cloud Service.
2. A job to delete this key material on its specified Key Vault begins running. Check the Jobs tab under Logging and Reporting > Jobs to monitor the status of the operation.