Azure Key Vault integration and key operations

5min

this section explains how to create a key on the {{k}} , push key material to azure, rotate key material on azure, and delete key material from azure if your environment has a configured firewall, ensure that it allows the following endpoints from the {{k}} out to the internet login microsoftonline com 443 management azure com 443 \<vault name> vault azure net 443 (replace \<vault name> with the actual name of your key vault in azure ) create a key perform the following steps to create a key on the {{k}} log in to the {{k3}} application interface with the default admin identities select key management > keys select the key group created in the previous section and select create > random in the keys section of the menu specify any name for the key, then select \[ ok ] to finish creating the key the key displays in the keys section of the menu push key material perform the following steps to push key material to azure ensure that you set the {{k}} to be the designated device to push key material (under administration > configuration > hsm protected key options ) right click the key you just created and select cloud > synchronize to start a job to synchronize this key to the azure key vault that you specified for the key group select logging and reporting > jobs and double click on the synchronize hsm protected key(s) job that you started if the synchronization succeeds, a message similar to the following displays 2021 09 28 21 27 14 synchronizing 1 hsm protected key(s) 2021 09 28 21 27 28 synchronized hsm protected key test 2021 09 28 21 27 28 successfully synchronized 1 hsm protected key(s) after the job finishes, select the keys view and select the key group for the key you just synchronized if the synchronization succeeds, the process assigns the azure version to the key this new key is the active key material for that key name in azure key vault until you push another key rotate key material on azure when the time for rotation comes (if scheduled during key group creation), a new key generates locally on the {{k}} , gets a name based on the key group name, and synchronizes to azure because pushing a new key to azure with the same name as the old key is the same thing as pushing a new version of that key, the new key material becomes the active material you can perform a force rotation of the key material by right clicking the key group and selecting cloud > force rotation this creates a new key locally and automatically synchronizes it to azure rotation also sets the last rotated timestamp on that particular group if the rotation succeeds delete key material from azure deleting the local key material and deleting the cloud key material are two different actions deleting the local key material does not delete the key material on the key vault if the key has been pushed to delete the cloud key material, perform the following steps right click the key group for which you want to delete the cloud key material and select cloud > delete on cloud service a job to delete this key material on its specified key vault begins running check the jobs tab under logging and reporting > jobs to monitor the status of the operation

Configure the KMES Series 3 for Integrating with Azure

Job status and log management with the Azure Key Vault BYOK integration