Bring Your Own Key for Microsoft Azure Key Vault and Entrust KeyControl: Integration Guide
Table of Contents
- Introduction
- Install and configure Entrust KeyControl
- Configure Microsoft Azure
- Configure Entrust KeyControl as Microsoft Azure CSP
- Test integration
- Create a key set in Entrust KeyControl
- Create a cloud key in Entrust KeyControl
- Create a cloud key in Azure key vault
- Rotate a cloud key in Entrust KeyControl
- Remove a cloud key in Entrust KeyControl
- Upload a removed cloud key to Azure in Entrust KeyControl
- Delete a cloud key in Entrust KeyControl
- Cancel a cloud key deletion in Entrust KeyControl
Introduction
This document describes the integration of Microsoft Azure Key Vault Bring Your Own Key (referred to as Azure BYOK in this guide) with the Entrust KeyControl Key Management Solution (KMS).
Documents to read first
This guide describes how to configure the Entrust KeyControl server as a KMS in Azure BYOK.
Note: Entrust KeyControl v10.1 supports BYOK as an add-on. You can request a free trial of Entrust KeyControl BYOK here: https://go.entrust.com/keycontrol-byok-30-day-free-trial
To install and configure the Entrust KeyControl server see KeyControl Installation and Upgrade Guide.
Also refer to the documentation and set-up process for Microsoft Azure BYOK in the Microsoft Azure Key Vault online documentation.
Product configurations
Entrust has successfully tested the integration of KeyControl with Azure BYOK in the following configurations:
System | Version
---|---
Entrust KeyControl | 10.1
Features tested
Entrust has successfully tested the following features:
Feature | Tested
---|---
Create cloud key | ✓
Rotate cloud key | ✓
Remove cloud key | ✓
Upload removed cloud key | ✓
Delete cloud key | ✓
Cancel cloud key deletion | ✓
Requirements
Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.
Install and configure Entrust KeyControl
Deploy an Entrust KeyControl cluster
For this integration, Entrust KeyControl was deployed as a two-node cluster on premises. The installation software was downloaded as an OVA file and deployed on VMware ESXi.
Follow the installation and set-up instructions in KeyControl Installation and Upgrade Guide. If using an HSM, the integration guide for the Entrust nShield HSM is available at https://www.entrust.com/documentation. Search for the key phrase KeyControl nShield HSM.
Create an Entrust KeyControl Management Vault
To create an Entrust KeyControl Management Vault:
1. Sign in to the Entrust KeyControl Vault Server Appliance Manager.
2. On the home page, open the user's drop-down menu and select Vault Management.
3. Select Create Vault.
   The Create Vault dialog appears.
4. In the Type drop-down box, select Cloud Key Management. Enter the required information.
5. Select Create Vault.
6. You will receive an email with a URL and login credentials for the new Entrust KeyControl vault. Bookmark the URL and store the credentials securely.
7. Sign in at that URL. Change the one-time password when prompted.
Configure Microsoft Azure
Create an app registration in Azure
The app registration establishes the trust between KeyControl and Azure: KeyControl authenticates to Azure as this application.
1. Open a browser and sign in to the Azure portal https://portal.azure.com/#home.
2. Navigate to Home > Azure Active Directory > App registrations.
3. Select New registration.
   The Register an application dialog appears.
4. Enter the Name, a user-facing or friendly name. Select the applicable Supported account types and enter a Redirect URI.
5. Select Register.
   The newly created registration appears.
6. Select API permissions. Alternatively, select Home > Azure Active Directory > App Registrations > <Display name> > API permissions.
7. Select Add a permission and add the following permissions:
   Microsoft API | Permission
   ---|---
   Microsoft Graph | Application.ReadWrite.All, User.Read (granted by default)
   Azure Key Vault | user_impersonation
   Azure Service Management | user_impersonation
   Application.ReadWrite.All is a highly privileged Microsoft Graph permission that requires admin consent. Grant it only to this app registration, and protect the client secret created later as you would any other privileged credential.
For additional information, see Creating a Service Principal.
Add the app to the subscription Reader role
Note: The Owner role on the subscription is required to assign roles.
1. Navigate to Home > Subscriptions.
2. Select your subscription.
3. Select Access control (IAM).
4. Select Add, then select Add role assignment from the pull-down menu.
5. In the Add role assignment dialog, select the Reader role and then select the Members tab.
6. Select Select members, search for the app's Display name, and select it.
7. Select Save.
   The app now holds the Reader role on the subscription.
Create an Azure key vault
An existing Azure key vault whose Permission model is Vault access policy can be used for this integration. A new Azure key vault was created in this integration to show the entire process.
If you are using an existing Azure key vault, skip this section and proceed directly to Add the app registration to the key vault access policies.
1. Open a browser and sign in to the Azure portal https://portal.azure.com/#home.
2. On the home page, select the Create a resource icon.
3. Select Key Vault.
   The Create a key vault dialog appears.
4. In the Basics tab, select the Subscription and Resource group from the pull-down menus. Enter the instance details.
5. Select Next.
6. In the Access configuration tab, select the Permission model, Resource access, and Access policies.
7. If you are using Vault access policy for the Permission model:
   a. Select the user.
   b. Select Edit and select all permissions that apply.
   c. Select Save and Next.
   All Key Permissions, Secret Permissions, and Certificate Permissions were selected for the signed-in user for the purpose of this integration. This policy applies to the user, not to the app registration; the app's own policy is added in Add the app registration to the key vault access policies. In production, grant each principal only the permissions it needs.
8. In the Networking tab, select Enable public access.
9. Under Public access, select All networks.
   This is the setting used for the integration test. In production, restrict public access to the IP addresses or virtual networks that KeyControl connects from; KeyControl must still be able to reach the vault.
10. Select Next.
11. In the Tags tab, enter the required Name and Value. These were left blank for the purpose of this integration.
12. Select Next.
13. Review the information and select Create.
14. A deployment page appears, listing the newly created key vault.
Add the app registration to the key vault access policies
These steps configure the key vault access policy that allows the app to manage keys.
1. Navigate to Home > Key vaults > <Key_vault_name> > Access policies.
2. Select Create.
   The Create an access policy dialog appears.
3. In the Permissions tab, select the following Key permissions:
   Key permissions | Selection
   ---|---
   Key Management Operations | All
   Privileged Key Operations | All
   Rotation Policy Operations | All
   Only Key permissions are selected; KeyControl does not need Secret or Certificate permissions for this integration. This selection is the one used for the integration test; for the minimal set of key operations KeyControl requires, see the Entrust documentation referenced at the end of this section.
4. Select Next.
5. In the Principal tab, enter the Display name of the app. When the app is found, select it.
6. Select Next.
7. Select Next in the Application (optional) tab.
8. Review the information and select Create.
9. The Access policies page appears, listing the new access policy.
For additional information, see Set Permissions for the BYOK Service by Configuring Each Azure Key Vault.
Configure Entrust KeyControl as Microsoft Azure CSP
Create an Azure client secret
This secret is required to create the Entrust KeyControl CSP account for Azure. It expires after the period you choose here, and KeyControl loses access to Azure when it does. Create the KeyControl CSP account before the expiration date, and plan to issue a new secret and update the CSP account before the current one expires.
1. Navigate to Home > Azure Active Directory > App registrations > <App-registration-name> > Certificates & secrets.
2. Select New client secret.
   The Add a client secret dialog appears.
3. Enter the Description and select the expiration date.
4. Select Add.
   The Certificates & secrets page appears.
5. Copy and save the Value of the new client secret.
   Note: This value is shown in the Azure portal only once. After the portal hides the client secret it cannot be retrieved, and a new secret must be created. Treat the value as a privileged credential: it grants everything the app registration is permitted to do.
For additional information, see Creating a client secret in Azure Active Directory.
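The Azure-side steps above (the app registration and its API permissions, the subscription Reader role, the key vault with the Vault access policy permission model, the app's key vault access policy, and the client secret) can be scripted with the Azure CLI. The script below is an added example for this guide, not Entrust or Microsoft code. It assumes Azure CLI 2.37 or later, an az login session as a subscription Owner who can also grant admin consent in the tenant, an existing resource group, and the BYOK_* variable names and default resource names, which are placeholders. Microsoft Graph's application ID is fixed; the application IDs given for Azure Key Vault and Azure Service Management are the well-known first-party values at the time of writing and should be confirmed in your tenant as the comment describes.

```shell
#!/bin/sh
# Azure-side setup for the KeyControl BYOK integration, scripted with the Azure CLI.
# Added example for this guide, not Entrust or Microsoft code. Assumptions:
#   - Azure CLI 2.37 or later (Microsoft Graph based `az ad` commands).
#   - `az login` already done as a subscription Owner who can grant admin consent.
#   - The resource group in BYOK_RG already exists.
#   - Variable names and default resource names are placeholders; override them
#     in the environment before running.
set -eu

APP_NAME="${BYOK_APP_NAME:-keycontrol-byok}"   # app registration display name
RG="${BYOK_RG:-rg-keycontrol-byok}"            # existing resource group
VAULT="${BYOK_VAULT:-kv-keycontrol-byok}"      # key vault name (globally unique)
LOCATION="${BYOK_LOCATION:-eastus}"
SECRET_YEARS="${BYOK_SECRET_YEARS:-1}"         # client secret lifetime

# First-party application IDs of the three APIs in the guide's permission table.
# Microsoft Graph's ID is the same in every tenant. The other two are the
# well-known values at the time of writing; confirm them in your tenant with
#   az ad sp show --id <id> --query displayName
GRAPH_APP=00000003-0000-0000-c000-000000000000
KEYVAULT_APP=cfa8b339-82a2-471a-a3c9-0fc0be7a4093
ARM_APP=797f4846-ba00-4fd7-ba43-dac1f8f63013

# Sanity check for the IDs that are pasted into the KeyControl CSP account form.
is_guid() {
  printf '%s\n' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Graph lists delegated permissions and application permissions in different arrays.
perm_field() {
  case "$1" in
    Scope) echo oauth2PermissionScopes ;;
    Role)  echo appRoles ;;
    *)     return 1 ;;
  esac
}

# Resolve a permission's ID on a resource app by its value, e.g. user_impersonation.
perm_id() {  # $1 resource app ID, $2 Scope|Role, $3 permission value
  az ad sp show --id "$1" --query "$(perm_field "$2")[?value=='$3'].id | [0]" -o tsv
}

main() {
  tenant=$(az account show --query tenantId -o tsv)
  sub=$(az account show --query id -o tsv)

  # 1. App registration and its service principal (the portal creates both on Register).
  app_id=$(az ad app create --display-name "$APP_NAME" --query appId -o tsv)
  sp_id=$(az ad sp create --id "$app_id" --query id -o tsv)

  # 2. API permissions from the guide's table, then tenant-wide admin consent.
  az ad app permission add --id "$app_id" --api "$GRAPH_APP" --api-permissions \
    "$(perm_id "$GRAPH_APP" Role Application.ReadWrite.All)=Role" \
    "$(perm_id "$GRAPH_APP" Scope User.Read)=Scope"
  az ad app permission add --id "$app_id" --api "$KEYVAULT_APP" --api-permissions \
    "$(perm_id "$KEYVAULT_APP" Scope user_impersonation)=Scope"
  az ad app permission add --id "$app_id" --api "$ARM_APP" --api-permissions \
    "$(perm_id "$ARM_APP" Scope user_impersonation)=Scope"
  az ad app permission admin-consent --id "$app_id"   # rerun if directory replication lags

  # 3. Reader on the subscription (requires Owner, as the guide notes).
  az role assignment create --role Reader --scope "/subscriptions/$sub" \
    --assignee-object-id "$sp_id" --assignee-principal-type ServicePrincipal \
    --output none

  # 4. Key vault with the Vault access policy permission model. Recent CLI versions
  #    default to RBAC, so it is set explicitly. Public network access is left at the
  #    CLI default here; restrict it for production as the guide notes.
  az keyvault create --name "$VAULT" --resource-group "$RG" --location "$LOCATION" \
    --enable-rbac-authorization false --output none

  # 5. Access policy for the app: the guide's key permissions (Key Management,
  #    Privileged and Rotation Policy operations). Cryptographic operations are not
  #    granted, matching the guide's table.
  az keyvault set-policy --name "$VAULT" --object-id "$sp_id" --output none \
    --key-permissions get list create import delete update backup restore recover \
                      rotate getrotationpolicy setrotationpolicy purge release

  # 6. Client secret. The value is returned once and cannot be read back later.
  secret=$(az ad app credential reset --id "$app_id" --years "$SECRET_YEARS" \
             --query password -o tsv)

  for v in "$tenant" "$sub" "$app_id"; do
    is_guid "$v" || { echo "unexpected identifier from Azure: $v" >&2; exit 1; }
  done
  printf 'Values for the KeyControl CSP account (Type = Azure):\n'
  printf '  Azure AD Tenant ID : %s\n  Subscription ID    : %s\n' "$tenant" "$sub"
  printf '  Client ID          : %s\n  Client Secret      : %s\n' "$app_id" "$secret"
}

case "${1:-}" in
  apply) main ;;
  *) echo "usage: $0 apply   (after 'az login'; override BYOK_* variables as needed)" >&2 ;;
esac
```

Run it as `./byok-azure-setup.sh apply` after az login; without the argument it only prints usage. The last lines print the four values that the KeyControl CSP account form in the next section asks for. The client secret is displayed once, so enter it into KeyControl straight away and keep it out of shell history and logs. Admin consent can fail for a few seconds after the service principal is created while the directory replicates; rerun that one command if it does.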
Create an Entrust KeyControl CSP account for Azure
The following steps establish the connection between Entrust KeyControl and Azure, making Entrust KeyControl the CSP of the Azure application.
1. Sign in to the Entrust KeyControl vault at the URL bookmarked in Create an Entrust KeyControl Management Vault.
2. Select the CLOUDKEYS icon on the toolbar.
3. Select the CSP Accounts tab.
4. Select Actions > Add CSP Account.
   The Add CSP Account dialog appears.
5. In the Details tab, enter the Name and Description.
6. In the Admin Group drop-down menu, select Cloud Admin Group.
7. In the Type drop-down menu, select Azure.
8. Enter the following values from the Azure account:
   Item | Value
   ---|---
   Azure AD Tenant ID | Home > Azure Active Directory > App registrations > <Display name> > Directory (tenant) ID
   Subscription ID | Home > Subscriptions > <Subscription name> > Subscription ID
   Client ID | Home > Azure Active Directory > App registrations > <Display name> > Application (client) ID
   Client Secret | Value of the secret created in Create an Azure client secret
9. Select Continue.
10. In the Schedule tab, define the rotation schedule.
11. Select Apply.
The new CSP account is created.
Test integration
Create a key set in Entrust KeyControl
This key set will be used to create a cloud key in Entrust KeyControl.
1. Sign in to the Entrust KeyControl vault at the URL bookmarked in Create an Entrust KeyControl Management Vault.
2. Select the CLOUDKEYS icon on the toolbar.
3. Select the Key Sets tab.
4. Select Actions > Create Key Set.
   The Choose the type of keys… dialog appears.
5. Choose Azure Key.
   The Create Key Set dialog appears.
6. In the Details tab, enter a Name and Description.
7. In the Admin Group menu, select Cloud Admin Group.
8. Select Continue.
9. In the CSP Account tab, select the CSP account created in Create an Entrust KeyControl CSP account for Azure.
10. Select Continue.
11. In the HSM tab, select Enable HSM if you are using one. In that case, ensure the HSM is configured before this step.
12. Select Continue.
13. In the Schedule tab, select a Rotation Schedule consistent with the expiration chosen in Create an Azure client secret.
14. Select Apply.
    The key set is added.
15. Verify that the Azure key vault created in Create an Azure key vault is listed in the Key Vault tab with Accessible set to Yes. If it is not, KeyControl could not reach the vault or the app's access policy is missing; recheck Add the app registration to the key vault access policies and the vault's network settings.
For additional information, see Creating a Key Set.
Create a cloud key in Entrust KeyControl
The following steps create a cloud key in Entrust KeyControl and verify that it is available in the Azure key vault.
1. Sign in to the Entrust KeyControl vault at the URL bookmarked in Create an Entrust KeyControl Management Vault.
2. Select the CLOUDKEYS icon on the toolbar.
3. Select the CloudKeys tab.
4. In the Key Set menu, select the key set created in Create a key set in Entrust KeyControl.
5. In the Type menu, select Key Vault.
6. Select Actions > Create CloudKey.
   The Create CloudKey dialog appears.
7. In the Key Vault menu, select the Azure key vault created in Create an Azure key vault.
8. In the Details tab, enter the Name and Description.
9. Select Continue.
10. In the Access tab, select the required Cipher.
11. Select Continue.
12. In the Schedule tab, select the Rotation Schedule, Activation Date, and Expiration.
13. Select Apply.
    The cloud key is created.
14. Verify that the cloud key created in Entrust KeyControl is available in the Azure key vault (Home > Key vaults > <Key_vault_name> > Keys).
For additional information, see Creating a CloudKey.
Create a cloud key in Azure key vault
The following steps create a key in the Azure key vault and import it into Entrust KeyControl.
To create a cloud key in Azure Key Vault:
1. Navigate to Home > Key vaults > <Key_vault_name> > Keys > Generate/Import.
   The Create a key dialog appears.
2. Enter the Name and the required key properties.
3. Select Create.
   The cloud key is created.
4. Verify the newly created key.
To import the cloud key created in Azure into Entrust KeyControl:
1. Sign in to the Entrust KeyControl vault at the URL bookmarked in Create an Entrust KeyControl Management Vault.
2. Select the CLOUDKEYS icon on the toolbar.
3. Select the Key Sets tab.
4. Select the key set created in Create a key set in Entrust KeyControl.
5. Select Actions > Import CloudKey.
   The Import Cloud Keys dialog appears.
6. In the Type menu, select Key Vault.
7. In the Key Vault menu, select the Azure key vault created in Create an Azure key vault.
8. Select Import.
9. Verify that the cloud key created in the Azure key vault is available in Entrust KeyControl.
Rotate a cloud key in Entrust KeyControl
To rotate a cloud key in Entrust KeyControl:
1. Sign in to the Entrust KeyControl vault at the URL bookmarked in Create an Entrust KeyControl Management Vault.
2. Select the CLOUDKEYS icon on the toolbar.
3. Select the CloudKeys tab.
4. Select the key to rotate, then scroll down to the Rotate Now control.
5. Select Rotate Now.
   The key is rotated.
6. In Azure, navigate to Home > Key vaults > <Key_vault_name> > Keys.
7. Select the rotated key.
8. Verify that the key has been rotated: a new key version is listed, with a creation time that matches the rotation.
Remove a cloud key in Entrust KeyControl
A removed cloud key is no longer available for use in Azure, so anything in Azure that depends on it cannot use it until it is uploaded again. However, Entrust KeyControl keeps a copy of the removed cloud key, which can be uploaded to Azure again for use.
1. Sign in to the Entrust KeyControl vault at the URL bookmarked in Create an Entrust KeyControl Management Vault.
2. Select the CLOUDKEYS icon on the toolbar.
3. Select the CloudKeys tab.
4. Select the key to be removed.
5. Select Actions > Remove from Cloud.
   The Remove from Cloud dialog appears.
6. Type the name of the cloud key in Type CloudKey Name.
7. Select Remove.
8. Verify the status change in Entrust KeyControl.
9. Verify that the key is gone from Azure (Home > Key vaults > <Key_vault_name> > Keys).
For additional information, see Removing a CloudKey from the Cloud.
Upload a removed cloud key to Azure in Entrust KeyControl
To upload a removed cloud key to Azure in Entrust KeyControl:
1. Sign in to the Entrust KeyControl vault at the URL bookmarked in Create an Entrust KeyControl Management Vault.
2. Select the CLOUDKEYS icon on the toolbar.
3. Select the CloudKeys tab.
4. Select the key to be uploaded.
5. Select Actions > Upload to Cloud.
   The Upload to Cloud dialog appears.
6. Select Upload.
7. Verify the status change in Entrust KeyControl.
8. Verify that the key is available again in Azure.
Delete a cloud key in Entrust KeyControl
The deletion of a cloud key does not take effect immediately. After the user-defined interval elapses, the key is permanently deleted and the deletion can no longer be canceled (see Cancel a cloud key deletion in Entrust KeyControl).
1. Sign in to the Entrust KeyControl vault at the URL bookmarked in Create an Entrust KeyControl Management Vault.
2. Select the CLOUDKEYS icon on the toolbar.
3. Select the CloudKeys tab.
4. Select the key to be deleted.
5. Select Actions > Delete CloudKey.
   The Delete CloudKey dialog appears.
6. Select a time in Define when the CloudKey should be permanently deleted.
7. Select Delete.
8. Verify the status change in Entrust KeyControl.
9. Verify that the key is gone from Azure.
For additional information, see Deleting a CloudKey.
Cancel a cloud key deletion in Entrust KeyControl
A deletion can be canceled as long as the time set in Define when the CloudKey should be permanently deleted has not yet elapsed.
1. Sign in to the Entrust KeyControl vault at the URL bookmarked in Create an Entrust KeyControl Management Vault.
2. Select the CLOUDKEYS icon on the toolbar.
3. Select the CloudKeys tab.
4. Select the key whose deletion is to be canceled.
5. Select Actions > Cancel Deletion.
   The Cancel Deletion dialog appears.
6. Select Yes, Cancel Deletion.
7. Verify the status change in Entrust KeyControl.
8. Verify that the key is available again in Azure.
For additional information, see Canceling a CloudKey Deletion.
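Each of the test procedures above (Create a cloud key in Entrust KeyControl, Rotate a cloud key in Entrust KeyControl, Remove a cloud key in Entrust KeyControl, Upload a removed cloud key to Azure in Entrust KeyControl, Delete a cloud key in Entrust KeyControl, and Cancel a cloud key deletion in Entrust KeyControl) ends with a check in the Azure portal. The script below is an added example for this guide, not Entrust or Microsoft code, that performs the same checks with the Azure CLI so the KeyControl actions can be confirmed from a terminal or a pipeline. It assumes an az login session with at least the list key permission on the vault, a vault with soft delete enabled (the default for current vaults), and placeholder vault and key names passed on the command line; the state names active, soft-deleted, absent and gone are this example's own vocabulary, not KeyControl's.

```shell
#!/bin/sh
# Check the Azure Key Vault side of a KeyControl CloudKey action from the CLI.
# Added example for this guide, not Entrust or Microsoft code. Assumptions:
#   - `az login` done with at least the list key permission on the vault.
#   - Soft delete is enabled on the vault (the default for current vaults), so a
#     removed key may appear under list-deleted until it is purged.
#   - Vault and key names are supplied on the command line (placeholders here).
set -eu

# Version segment of a key identifier: https://<vault>.vault.azure.net/keys/<name>/<version>
version_of() {
  printf '%s\n' "${1##*/}"
}

# Pure decision logic, kept apart from the az calls so it can be tested offline.
#   $1 number of enabled versions, $2 number of soft-deleted entries for the name
classify() {
  if [ "$1" -gt 0 ]; then echo active
  elif [ "$2" -gt 0 ]; then echo soft-deleted
  else echo absent
  fi
}

# "gone" accepts soft-deleted or absent: the guide only says the key is gone from
# Azure after Remove from Cloud or Delete CloudKey, not whether it is purged.
state_matches() {  # $1 observed, $2 expected
  [ "$1" = "$2" ] || { [ "$2" = gone ] && [ "$1" != active ]; }
}

# A rotation must produce a newest version different from the one seen before.
rotated() {  # $1 kid before, $2 kid after
  [ -n "$2" ] && [ "$(version_of "$1")" != "$(version_of "$2")" ]
}

enabled_versions() {  # $1 vault, $2 key; 0 when the key does not exist
  az keyvault key list-versions --vault-name "$1" --name "$2" \
    --query "[?attributes.enabled] | length(@)" -o tsv 2>/dev/null || echo 0
}

deleted_entries() {  # $1 vault, $2 key
  az keyvault key list-deleted --vault-name "$1" \
    --query "[?name=='$2'] | length(@)" -o tsv 2>/dev/null || echo 0
}

newest_kid() {  # identifier of the most recently created version, empty if none
  az keyvault key list-versions --vault-name "$1" --name "$2" \
    --query "max_by(@, &attributes.created).kid" -o tsv 2>/dev/null || true
}

key_state() {
  classify "$(enabled_versions "$1" "$2")" "$(deleted_entries "$1" "$2")"
}

expect_state() {  # $1 vault, $2 key, $3 active | soft-deleted | absent | gone
  got=$(key_state "$1" "$2")
  if state_matches "$got" "$3"; then
    echo "ok: $2 is $got"
  else
    echo "FAIL: $2 is $got, expected $3" >&2
    return 1
  fi
}

case "${1:-}" in
  state)
    expect_state "$2" "$3" "$4" ;;
  rotate)
    before=$(newest_kid "$2" "$3")
    echo "newest version: $(version_of "$before"). Run Rotate Now in KeyControl, then press Enter."
    read -r _
    after=$(newest_kid "$2" "$3")
    if rotated "$before" "$after"; then
      echo "ok: new version $(version_of "$after")"
    else
      echo "FAIL: newest version is still $(version_of "$after")" >&2; exit 1
    fi ;;
  *)
    echo "usage: $0 state <vault> <key> active|soft-deleted|absent|gone" >&2
    echo "       $0 rotate <vault> <key>" >&2 ;;
esac
```

After Create CloudKey, Upload to Cloud or Cancel Deletion, run `state <vault> <key> active`; after Remove from Cloud, or once a Delete CloudKey has taken effect, run `state <vault> <key> gone`, which accepts either a soft-deleted entry or no key at all. For rotation, run `rotate <vault> <key>`, perform Rotate Now in KeyControl while the script waits, and it compares the newest version identifier before and after. A non-zero exit code on any check is the signal to investigate in KeyControl before relying on the key.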