Cloud key management
Azure BYOK

Configure Azure credentials for communication with the KMES Series 3


Before the KMES Series 3 can push keys into an Azure Key Vault, you must create credentials in Azure and configure them on the KMES. In Azure, these credentials are App Registrations. On the KMES, the credentials are Cloud Credentials.

Create an App Registration

2. Create a new App Registration.

3. Then, select Certificates & Secrets in the sidebar.

4. Scroll down to Client Secrets, add a new secret, and copy the client secret value to a secure location.

The client secret value can only be viewed for a limited time after it is generated, so save it immediately in a plain text file with no additional characters included.

5. Go to the main page for the App Registration by selecting Overview.

6. In Overview, copy the Tenant ID and Client ID to a secure location. You need the Tenant ID, Client ID, and Client Secret values when creating a Cloud Credential on the KMES, as described in a later section.

Create an Azure Key Vault

You can use an existing Key Vault instead of creating a new one, but it must be in the Premium service tier to include support for HSM-backed keys. To create a new vault, perform the following steps:

2. Select Create to start the Key Vault Creation wizard.

3. Set the pricing tier to Premium. Set the other fields under the Basics tab according to your specific use case.

4. On the Access Policy tab, configure either a Vault access policy or Azure role-based access control. Regardless of which you choose, you must grant the App Registration you created in the previous section the following key permissions:

Permission   Description
Get          For general operations.
List         For general operations.
Create       For creating the ephemeral RSA KEK used in BYOK.
Import       For importing keys.
Delete       For deleting the ephemeral RSA KEK and for deleting your own key material.
Purge        Only required if the Key Vault supports soft-delete. The KMES auto-detects this and does not call purge if it is unnecessary.
The permissions given to the App Registration are the permissions that the Cloud Credential has on the KMES.

5. On the Networking tab, you must set the connectivity method to either Public Endpoint (All Networks) or Public Endpoint (Selected Networks).

If you set the connectivity method to Public Endpoint (Selected Networks), you must add the subnet that the KMES Series 3 connects from to the vault's allowed networks in Azure.

6. Select Review + Create at the bottom of the page to finish creating the Key Vault.
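The following added example (not part of the original page or of the KMES product) checks a Key Vault definition against the requirements above: Premium tier, the key permissions table (with purge required only when soft-delete is on), and the Selected Networks rule. It assumes the field layout of `az keyvault show` output; the vault, object ID, and permission list are constructed sample values.

```python
import json

# Key permissions this page requires for the KMES App Registration; "purge" is
# added only when the vault has soft-delete enabled (the KMES skips it otherwise).
REQUIRED_KEY_PERMS = {"get", "list", "create", "import", "delete"}

# Constructed sample in the layout of `az keyvault show` output (assumed field
# names); the object ID is a placeholder, not a real value.
SAMPLE_VAULT = json.loads("""{
  "name": "kmes-byok-vault",
  "properties": {
    "sku": {"name": "premium"},
    "enableSoftDelete": true,
    "accessPolicies": [{
      "objectId": "00000000-0000-0000-0000-00000000beef",
      "permissions": {"keys": ["Get", "List", "Create", "Import", "Delete", "Sign"]}
    }],
    "networkAcls": {"defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": []}
  }
}""")

def check_vault(vault: dict, sp_object_id: str) -> list:
    """Return findings for a vault; an empty list means it meets the page's requirements.

    sp_object_id is the App Registration's service principal object ID (what the
    access policy is keyed on), not the Client ID copied from the Overview page.
    """
    props = vault["properties"]
    findings = []
    if props["sku"]["name"].lower() != "premium":
        findings.append("pricing tier is not Premium; HSM-backed keys unsupported")
    required = set(REQUIRED_KEY_PERMS)
    if props.get("enableSoftDelete", False):
        required.add("purge")
    policy = next((p for p in props.get("accessPolicies", []) if p["objectId"] == sp_object_id), None)
    if policy is None:
        findings.append(f"no access policy for {sp_object_id}")
    else:
        granted = {p.lower() for p in policy["permissions"].get("keys", [])}
        if missing := required - granted:
            findings.append("missing key permissions: " + ", ".join(sorted(missing)))
        if extra := granted - required:
            findings.append("permissions beyond BYOK needs: " + ", ".join(sorted(extra)))
    acls = props.get("networkAcls", {})
    if acls.get("defaultAction", "Allow").lower() == "deny" and not (
            acls.get("ipRules") or acls.get("virtualNetworkRules")):
        findings.append("Selected Networks with no allowed network; add the KMES subnet")
    return findings
```

Run it against the real `az keyvault show -n <vault> -o json` output once the vault exists; the sample deliberately lacks purge, grants an extra permission, and has no allowed network, so it yields three findings.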