Bring Your Own Key for Microsoft Azure Key Vault and Entrust KeyControl

- Industries
- Solutions
  - Our Expertise
  - Strong Identities
  - Secure Payments
  - Protected Data
- Featured Products
  - As a Service Products
- Enterprise ID & Issuance
  - Instant ID as a Service
    Learn More
  - Instant Issuance
- Financial ID & Issuance
  - Digital Card Solution
    Learn More
  - Digital Banking
    1. Digital Account Opening
    2. Digital Card Solution
  - Instant Issuance
  - Central Issuance
- Government ID & Issuance
  - Digital Citizen
    1. Seamless Travel as a Service
    2. ePassport as a Service
  - Instant Issuance
    1. Other citizen IDs and licenses.
    2. System Software
    3. Supplies
    4. Services
  - Central Issuance
    1. Passports, national IDs and driver licenses.
    2. Passport Issuance Systems
    3. National ID and Driver License Systems
    4. Inline Delivery & Insertion
    5. Standalone Delivery & Insertion
    6. System Software
    7. Supplies
    8. Services
  - Identity Verification as a Service
    Our IDVaaS solution allows remote verification of an individual’s claimed identity for immigration, border management, or digital services delivery.
    Learn More
- Cloud Security Posture Management
  - CloudControl 30-Day Free Trial
    Entrust CloudControl offers comprehensive security and automated compliance across virtualization, public cloud, and container platforms while increasing visibility and decreasing risks that can lead to unintended downtime or security exposure.
    Start Free Trial
- Key Management and Encryption
  - KeyControl for VM Encryption
  - KeyControl 30-Day Free Trial
    VMware vSphere and vSAN encryption require an external key manager, and KeyControl is VMware Ready certified and recommended. KeyControl enables enterprises to easily manage all their encryption keys at scale, including how often keys are rotated, and how they are shared securely.
    Start Free Trial
- Hardware Security Modules (HSM)
  - 1. nShield as a Service
  - nShield HSMs
  - Why you need an HSM
    Learn about all the details related to what hardware security modules offer you in security and cost savings...
    Learn More
- Digital Certificates
  - 1. Buy Certificates
    2. Renew Certificates
  - TLS/SSL Certificates
  - Qualified Certificates
    1. QWAC eIDAS Certificates
    2. QWAC PSD2 Certificates
  - Sales and Services
- Identity and Access Management (IAM)
  - Products
    1. Identity as a Service
      Cloud-Based IAM
    2. Identity Enterprise
      On-prem IAM
    3. Identity Essentials
      On-prem MFA solution for Windows users
    4. APIs and SDKs
  - Get Entrust Identity as a Service Free for 60 Days
    Explore the Identity as a Service platform that gives you access to best-in-class MFA, SSO, adaptive risk-based authentication, and a multitude of advanced features that not only keep users secure, but also contribute to an optimal experience.
    Start Free Trial
- Electronic and Digital Signing
  - Digital Signing as a Service
  - Digital Signing Certificates
  - Digital Signing Infrastructure
  - EU Qualified Trust Services
    In addition to our long-standing Adobe Approved Trust List (AATL) membership, we are a European Qualified Trust Service Provider for the issuance of eIDAS qualified certificates for qualified signatures and advanced seals, for PSD2 certificates and for QWACs
    Learn More
- Public Key Infrastructure (PKI)
  - PKI Products
  - Managed Services
  - Cryptographic Center of Excellence
  - Try Post-Quantum PKI as a Service Now
    Get PQ Ready. PKIaaS PQ provides customers with composite and pure quantum Certificate Authority hierarchies.
    Try Now
- Resources
  - Issuance Systems Knowledge Base
    Learn More
  - Digital Security Knowledge Base
    Learn More
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Partners
  - Partner with Entrust
    Join one or more of our partner programs and we’ll help you increase profitability, expand your brand, and target strategic customers.
    Learn More
  - Partner Directory
    Search for partners based on location, offerings, channel or technology.
    Search for a Partner
  - Programs
  - Partner Logins
- Buy
  - Shop Certificate Services
    Shop for new single certificate purchases.
    Learn More
  - Certificate Services Customer Portal
    Existing Entrust Certificate Services customers can login to issue and manage certificates or buy additional services.
    Learn More
  - Certificate Services Partner Portal
    Existing partners can provision new customers and manage inventory.
    Learn More
  - Instant Financial Card Issuance Supplies
    1. Registered Customer Login
    2. Request Access
- About Entrust
  - Securing a World in Motion Since 1969
    We’ve established secure connections across the planet and even into outer space. We’ve enabled reliable debit and credit card purchases with our card printing and issuance technologies. Protected international travel with our border control solutions. Created secure experiences on the internet with our SSL technologies. And safeguarded networks and devices with our suite of authentication products.
    Explore Our History
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Search Entrust
  - Search:

Introduction

This document describes the integration of Microsoft Azure Key Vault Bring Your Own Key (referred to as Azure BYOK in this guide) with the Entrust KeyControl Key Management Solution (KMS).

Documents to read first

This guide describes how to configure the Entrust KeyControl server as a KMS in Azure BYOK.

Note	Entrust KeyControl v10.1 supports BYOK as an add-on. You can request a free trial of Entrust KeyControl BYOK here: https://go.entrust.com/keycontrol-byok-30-day-free-trial.

To install and configure the Entrust KeyControl server see KeyControl Installation and Upgrade Guide.

Also refer to the documentation and set-up process for Microsoft Azure BYOK in the Microsoft Azure Key Vault online documentation.

Product configurations

Entrust has successfully tested the integration of KeyControl with Azure BYOK in the following configurations:

System	Version
Entrust KeyControl	10.1

System

Version

Entrust KeyControl

10.1

Features tested

Entrust has successfully tested the following features:

Feature	Tested
Create cloud key	✓
Rotate cloud key	✓
Remove cloud key	✓
Upload removed cloud key	✓
Delete cloud key	✓
Cancel cloud key deletion	✓

Feature

Tested

Create cloud key

✓

Rotate cloud key

✓

Remove cloud key

✓

Upload removed cloud key

✓

Delete cloud key

✓

Cancel cloud key deletion

✓

Requirements

Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

Install and configure Entrust KeyControl

Deploy an Entrust KeyControl cluster

For this integration, Entrust KeyControl was deployed as a two-node cluster on premises. The installation software was downloaded in the form of an OVA file, deployed in VMware ESXi.

Follow the installation and set-up instructions in KeyControl Installation and Upgrade Guide. If using an HSM, the integration guide with the Entrust nshield HSM is available at https://www.entrust.com/documentation. Search for the key phrase KeyControl nshield HSM.

Create an Entrust KeyControl Management Vault

To create an Entrust KeyControl Management Vault:

Sign in to the Entrust KeyControl Vault Server Appliance Manager.
In the home page, select the user’s drop-down menu and select Vault Management.
Select Create Vault.

The Create Vault dialog appears.
In the Type drop-down box, select Cloud Key Management. Enter the required information.
Select Create Vault.

For example:
You will receive an email with a URL and login credentials to the Entrust KeyControl vault. Bookmark the URL and save the credentials.

For example:
Sign in to the above URL. Change the one-time password when prompted.

Configure Microsoft Azure

Create an app registration in Azure

The app registration provides trust between your app and Azure.

Open a browser and sign in to the Azure portal https://portal.azure.com/#home.
Navigate to Home > Azure Active Directory > App registrations.
Select New registration.

The Register an application dialog.
Enter the Name, a user-facing or friendly name. Select the applicable Supported account types and enter a Redirect URI.

For example:
Select Register.

The newly created registration appears.
Select API permissions. Alternatively, select Home > Azure Active Directory > App Registrations > <Display name> > API permissions.
Select Add a permission and add the following permissions:

Microsoft API Permission

Microsoft Graph

Application.ReadWrite.All, User.Read (granted by default)

Azure Key Vault

user_impersonation

Azure Service Management

user_impersonation

For example:

Microsoft API	Permission
Microsoft Graph	Application.ReadWrite.All, User.Read (granted by default)
Azure Key Vault	user_impersonation
Azure Service Management	user_impersonation

For additional information, see Creating a Service Principal.

Add the app to the subscription Reader Role list

Note	The Owner permission of the subscription is required to perform this operation.

Navigate to Home > Subscriptions.
Select your subscription.
Select Access control (IAM).
Select Add and then select Add role assignment from the pull-down menu.
In the Add role assignment dialog, select the Reader role and then select the Members tab.
Select Select members, search for the app Display name, and select it.
Select Save.

The new subscription Reader role is added.

Create an Azure key vault

An existing Azure key vault with Permission model equals Vault access policy can be used for this integration. A new Azure key vault was created in this integration to show the entire process.

For an existing Azure key vault, proceed to section Add the app registration to the key vault access policies directly, skipping this section entirely.

Open a browser and sign in to the Azure portal https://portal.azure.com/#home.
In the home page, select the Create a resource icon.
Select Key Vault.

The Create a key vault dialog appears.
In the Basics tab select the Subscription and Resource group from the pull-down menu. Enter the instance details.
Select Next.

For example:
In the Access configuration tab, select the Permission model, Resource access, and Access policies.
If you are using Vault access policy for the Permission model:
1. Select the user.
2. Select Edit and select all permissions that apply.
3. Select Save and Next.
All Key Permissions, Secrets Permissions, and Certificate Permissions were selected for the purpose of this integration.
In the Networking tab, select Enable public access.
Under Public access, select All networks.
Select Next.
In the Tags tab enter the required Name and Value. These were left blank for the purpose of this integration.
Select Next.
Review the information and select Create.
A deployment page appears. The newly created Azure vault is included.

Add the app registration to the key vault access policies

These steps configure the key vault policies to allow access by the app.

Navigate to Home > Key vault > <Key_vault_name> > Access policies.
Select Create.

The Create and access policy dialog appears.
In the Permissions tab select the following Key permissions.

Key permissions Selection

Key Management Operations

All

Privileged Key Operations

All

Rotation Policy Operations

All
Select Next.
In the Principal tab, enter the Display name of the app. After the app is found, select the app.
Select Next.

For example:
Select Next in the Application (optional) tab.
Review the information and select Create.

For example:
The Access policies page appears. The new vault access policy is included.

Key permissions	Selection
Key Management Operations	All
Privileged Key Operations	All
Rotation Policy Operations	All

For additional information, see Set Permissions for the BYOK Service by Configuring Each Azure Key Vault.

Configure Entrust KeyControl as Microsoft Azure CSP

Create an Azure client secret

This secret is required to create the Entrust CSP account for Azure. It expires after a set period. You must create the Entrust KeyControl CSP account for Azure before the secret expiration date.

Navigate to Home > Azure Active Directory > App registrations > <App-registration-name> > Certificates & secrets.
Select New client secret.

The Add a client secret dialog appears.
Enter the Description and select the expiration date.
Select Add.

The Certificates & secrets page appears. For example:
Copy and save the Value of the new client secret.

Note
This value appears in Azure Portal only temporarily. When the portal hides the client secret, it cannot be retrieved and a new secret must be created.

For additional information, see Creating a client secret in Azure Active Directory.

Create an Entrust KeyControl CSP account for Azure

The following steps establish the connection between Entrust KeyControl and Azure, making Entrust KeyControl the CSP of the Azure application.

Sign in to the Entrust KeyControl Vault URL bookmark from Create an Entrust KeyControl Management Vault.
Select the CLOUDKEYS icon on the toolbar.
Select the CSP Accounts tab.
In the Action icon, select Add CSP Account in the drop-down menu.

The Add CSP Account dialog appears.
In the Details tab enter the Name and Description.
In the Admin Group drop-down menu box select Cloud Admin Group.
In the Type drop-down menu box select Azure.

Enter the following from the Azure account:

Item	Value
Azure AD Tenant ID	Home > Azure Active Directory > App registrations > <Display name> > Directory (tenant) ID
Subscription ID	Home > Subscription > Subscription ID
Client ID	Home > Azure Active Directory > App registrations > <Display name> > Application (client) ID
Client Secret	Value of the secret created in Create an Azure client secret.

Item

Value

Azure AD Tenant ID

Home > Azure Active Directory > App registrations > <Display name> > Directory (tenant) ID

Subscription ID

Home > Subscription > Subscription ID

Client ID

Home > Azure Active Directory > App registrations > <Display name> > Application (client) ID

Client Secret

Value of the secret created in Create an Azure client secret.

For example:

Select Continue.
In the Schedule tab, define the rotation schedule.
Select Apply.

For example:

The new CSP account is created.

Test integration

Create a key set in Entrust KeyControl

This key set will be used to create a cloud key in Entrust KeyControl.

Sign in to the Entrust KeyControl Vault URL bookmark from Create an Entrust KeyControl Management Vault.
Select the CLOUDKEYS icon on the toolbar.
Select the Key Sets tab.
Select Actions > Create Key Set.

The Choose the type of keys… dialog appears.
Choose Azure Key.

The Create Key Set dialog appears.
In the Details tab enter a Name and Description.
In the Admin Group menu select Cloud Admin Group.

For example:
Select Continue.
In the CSP Account tab, select the CSP account created in Create an Entrust KeyControl CSP account for Azure.

For example:
Select Continue.
In the HSM tab, select Enable HSM if using one. In that case ensure the HSM is configured prior to this step.

For example:
Select Continue.
In the Schedule tab, select a Rotation Schedule matching the selection made during Create an Azure client secret. For example:
Select Apply.

The key set is added. For example:
Verify the Azure key vault created in Create an Azure key vault is listed in the Key Vault tab with setting Accessible set to Yes.

For example:

For additional information, see Creating a Key Set.

Create a cloud key in Entrust KeyControl

The following steps create a cloud key in Entrust KeyControl and verify it is available in Azure key vault.

Sign in to the Entrust KeyControl Vault URL bookmark from Create an Entrust KeyControl Management Vault.
Select the CLOUDKEYS icon on the toolbar.
Select the CloudKeys tab.
In the Key Set menu, select the Key Set created in Create a key set in Entrust KeyControl.
In the Type menu, select Key Vault.

For example:
Select Actions > Create CloudKey.

The Create CloudKey dialog appears.
In the Key Vault menu, select the Azure key vault created in Create an Azure key vault.
In the Details tab, enter the Name and Description. For example:
Select Continue.
In the Access tab, select the required Cipher.

For example:
Select Continue.
In the Schedule tab, select the Rotation Schedule, Activation Date, and Expiration.

For example:
Select Apply.

The cloud key is created.
Verify the cloud key created in Entrust KeyControl is available in Azure key vault.

For additional information, see Creating a CloudKey.

Create a cloud key in Azure key vault

The following steps create a cloud key in Azure key vault and import it into Entrust KeyControl.

To create a cloud key in Azure Key Vault:

Navigate to Home > Key vaults > <Key_vault_name> > Keys > Generate/Import.

The Create a key dialog appears.
Enter the Name and the required key properties.

For example:
Select Create.

The cloud key is created.
Verify the newly created key.

For example:

To import the cloud key created in Azure into Entrust KeyControl:

Sign in to the Entrust KeyControl Vault URL bookmark from Create an Entrust KeyControl Management Vault.
Select the CLOUDKEYS icon on the toolbar.
Select the Key Sets tab.
Select the key set created in Create a key set in Entrust KeyControl.
Select Actions > Import CloudKey.

The Import Cloud Keys dialog appears.
In the Type menu, select Key Vault.
In the Key Vault menu, select the Azure key vault created in Create an Azure key vault.

For example:
Select Import.
Verify the cloud key created in Azure key vault is available in Entrust KeyControl.

Rotate a cloud key in Entrust KeyControl

To rotate a cloud key in Entrust KeyControl:

Sign in to the Entrust KeyControl Vault URL bookmark from Create an Entrust KeyControl Management Vault.
Select the CLOUDKEYS icon on the toolbar.
Select the CloudKeys tab.
Select the key to rotate. Then, scroll down until you see the Rotate Now control.
Select Rotate Now.

The key has been rotated.

For example:
In Azure, navigate to Home > Key vaults > <Key_vault_name> > Keys.
Select the key you want to rotate.
Verify that the key has been rotated.

For example:

Remove a cloud key in Entrust KeyControl

A removed cloud key in Entrust KeyControl will no longer be available for use in Azure. However, Entrust KeyControl will keep a copy of the removed cloud key, which could be reloaded to Azure for use.

Sign in to the Entrust KeyControl Vault URL bookmark from Create an Entrust KeyControl Management Vault.
Select the CLOUDKEYS icon on the toolbar.
Select the CloudKeys tab.
Select the key to the removed.
Select Actions > Remove from Cloud.

The Remove from Cloud dialog appears.
Type the name of the cloud key in Type CloudKey Name.

For example:
Select Remove.
Verify the status change in Entrust KeyControl.

For example:
Verify the key is gone from Azure.

For example:

For additional information, see Removing a CloudKey from the Cloud.

Upload a removed cloud key to Azure in Entrust KeyControl

To upload a removed cloud key to Azure in Entrust KeyControl:

Sign in to the Entrust KeyControl Vault URL bookmark from Create an Entrust KeyControl Management Vault.
Select the CLOUDKEYS icon on the toolbar.
Select the CloudKeys tab.
Select the key to be uploaded.
Select Actions > Upload to Cloud.

The Remove from Cloud dialog appears. For example:
Select Upload.
Verify the status change in Entrust KeyControl. For example:
Verify the key is now available in Azure. For example:

Delete a cloud key in Entrust KeyControl

The deletion of a cloud key does not take effect immediately. However, after a user defined interval, the key will be permanently removed.

Sign in to the Entrust KeyControl Vault URL bookmark from Create an Entrust KeyControl Management Vault.
Select the CLOUDKEYS icon on the toolbar.
Select the CloudKeys tab.
Select the key to deleted.
Select Actions > Delete CloudKey.

The Delete CloudKey dialog appears.
Select a time in Define when the CloudKey should be permanently deleted.

For example:
Select Delete.
Verify the status change in Entrust KeyControl.

For example:
Verify the key is gone from Azure. For example:

For additional information, see Deleting a CloudKey.

Cancel a cloud key deletion in Entrust KeyControl

The deletion of a key can be canceled while the time in the Define when the CloudKey should be permanently deleted setting has not expired.

Sign in to the Entrust KeyControl Vault URL bookmark from Create an Entrust KeyControl Management Vault.
Select the CLOUDKEYS icon on the toolbar.
Select the CloudKeys tab.
Select the key deletion to be canceled.
Select Actions > Cancel Deletion.

The Cancel Deletion dialog appears.

For example:
Select Yes, Cancel Deletion.
Verify the status change in Entrust KeyControl.

For example:
Verify the key is now available in Azure. For example:

For additional information, see Canceling a CloudKey Deletion.

RESOURCES

Integration Guide
Bring Your Own Key for Microsoft Azure Key Vault and Entrust KeyControl Integration Guide

Bring Your Own Key for Microsoft Azure Key Vault and Entrust KeyControl: Integration Guide

Table of Contents