Configure Bring your own key (BYOK)

Scenario

A Key Vault customer would like to securely transfer a key from their on-premises Hardware Security Module (HSM) outside Azure, into the HSM backing Azure Key Vault. The process of importing a key generated outside Key Vault is referred to as Bring Your Own Key (BYOK).

The following are the requirements:

  • The key to be transferred never exists outside an HSM in plain text form.
  • Outside an HSM, the key to be transferred is always protected by a key held in the Azure Key Vault HSM.

Terminology

Key Name               | Key Type                        | Origin              | Description
Key Exchange Key (KEK) | RSA                             | Azure Key Vault HSM | An HSM-backed RSA key pair generated in Azure Key Vault
Wrapping Key           | AES                             | Vendor HSM          | An ephemeral AES key generated by the on-premises HSM
Target Key             | RSA, EC, AES (Managed HSM only) | Vendor HSM          | The key to be transferred to the Azure Key Vault HSM

Key Exchange Key (KEK): a customer-generated, HSM-backed key in the key vault whose only purpose is the import of the BYOK (Bring Your Own Key) Target Key. The KEK must have the following properties:

  • It must be an RSA-HSM key, with a size of 4096-bit, 3072-bit, or 2048-bit.
  • Its key operations (key_ops) are limited to 'import', so the vault will use it only during the BYOK process and will refuse any other operation (wrap, unwrap, decrypt, sign) with it; this limits what a compromised vault credential could do with the KEK.
  • It must reside in the same vault where the Target Key is to be imported.

User steps

To perform a key transfer:

  1. Generate KEK.
  2. Retrieve the public key of the KEK.
  3. Using the HSM vendor's BYOK tool, import the KEK public key into the on-premises (source) HSM and export the Target Key protected by the KEK.
  4. Import the protected Target Key to Azure Key Vault.

Customers use the BYOK tool and documentation provided by the HSM vendor to complete Step 3. The tool produces a Key Transfer Blob (a ".byok" file), which is the input to Step 4.
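The following is an added illustration and is not code from this page, from Microsoft, or from any HSM vendor. It models the three keys in the terminology table across the user steps: exportTargetKey plays the vendor tool's part of Step 3 using nothing but the KEK public key and an ephemeral AES Wrapping Key, and importTargetKey plays Step 4, where only the holder of the KEK private key (the Key Vault HSM) can recover the Target Key. The page does not state the wrapping mechanism or the layout of the ".byok" blob, so AES Key Wrap with Padding (RFC 5649) for the Target Key, RSA-OAEP with SHA-256 for the Wrapping Key, the TransferBlob structure and all function names are assumptions made for this example; the target key material is constructed.

```go
package main

// Added example (not code from the page, Microsoft or any HSM vendor). It models the
// three BYOK keys: the source HSM holds only the KEK PUBLIC key plus an ephemeral AES
// wrapping key; the Key Vault HSM alone holds the KEK private key. The wrap mechanism
// and the .byok layout are not given on the page; RFC 5649 + RSA-OAEP(SHA-256) is assumed.
import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// TransferBlob stands in for the vendor tool's Key Transfer Blob (.byok); layout assumed.
type TransferBlob struct {
	WrappedAESKey    []byte // ephemeral wrapping key sealed to the KEK public key (RSA-OAEP)
	WrappedTargetKey []byte // target key sealed to the wrapping key (AES Key Wrap with Padding)
}

var aivPrefix = []byte{0xA6, 0x59, 0x59, 0xA6} // RFC 5649 alternative initial value

// aesWrapPad is AES Key Wrap with Padding (RFC 5649, PKCS#11 CKM_AES_KEY_WRAP_PAD).
func aesWrapPad(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key); if err != nil { return nil, err }
	a := append(append([]byte{}, aivPrefix...), 0, 0, 0, 0)
	binary.BigEndian.PutUint32(a[4:], uint32(len(plaintext))) // MLI: length before padding
	r := append([]byte{}, plaintext...)
	for len(r)%8 != 0 { r = append(r, 0) }
	n, buf := len(r)/8, make([]byte, 16)
	if n == 1 { block.Encrypt(buf, append(a, r...)); return buf, nil } // one block: AES(AIV || P)
	for j := 0; j < 6; j++ { // RFC 3394 wrap with the AIV as the initial value
		for i := 1; i <= n; i++ {
			copy(buf, a)
			copy(buf[8:], r[(i-1)*8:i*8])
			block.Encrypt(buf, buf)
			binary.BigEndian.PutUint64(a, binary.BigEndian.Uint64(buf[:8])^uint64(n*j+i))
			copy(r[(i-1)*8:i*8], buf[8:])
		}
	}
	return append(a, r...), nil
}

// aesUnwrapPad reverses aesWrapPad and enforces the AIV, length and zero-padding checks, so a
// blob wrapped under another key or altered in transit is rejected instead of being imported.
func aesUnwrapPad(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key); if err != nil { return nil, err }
	if len(ciphertext) < 16 || len(ciphertext)%8 != 0 { return nil, errors.New("bad wrapped length") }
	n, buf := len(ciphertext)/8-1, make([]byte, 16)
	a, r := append([]byte{}, ciphertext[:8]...), append([]byte{}, ciphertext[8:]...)
	if n == 1 {
		block.Decrypt(buf, ciphertext)
		copy(a, buf[:8]); copy(r, buf[8:])
	} else {
		for j := 5; j >= 0; j-- {
			for i := n; i >= 1; i-- {
				binary.BigEndian.PutUint64(buf, binary.BigEndian.Uint64(a)^uint64(n*j+i))
				copy(buf[8:], r[(i-1)*8:i*8])
				block.Decrypt(buf, buf)
				copy(a, buf[:8])
				copy(r[(i-1)*8:i*8], buf[8:])
			}
		}
	}
	mli := int(binary.BigEndian.Uint32(a[4:]))
	if !bytes.Equal(a[:4], aivPrefix) || mli <= 8*(n-1) || mli > 8*n || !bytes.Equal(r[mli:], make([]byte, 8*n-mli)) {
		return nil, errors.New("key unwrap integrity check failed")
	}
	return r[:mli], nil
}

// exportTargetKey models step 3 inside the source HSM: it needs only the KEK public key.
func exportTargetKey(kekPub *rsa.PublicKey, targetKey []byte) (*TransferBlob, error) {
	wrappingKey := make([]byte, 32) // ephemeral AES-256 wrapping key generated in the source HSM
	if _, err := rand.Read(wrappingKey); err != nil { return nil, err }
	defer func() { for i := range wrappingKey { wrappingKey[i] = 0 } }() // dies with the transfer
	wrappedTarget, err := aesWrapPad(wrappingKey, targetKey)
	if err != nil { return nil, err }
	wrappedAES, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kekPub, wrappingKey, nil)
	if err != nil { return nil, err }
	return &TransferBlob{WrappedAESKey: wrappedAES, WrappedTargetKey: wrappedTarget}, nil
}

// importTargetKey models step 4 inside the Key Vault HSM, the only holder of the KEK private key.
func importTargetKey(kek *rsa.PrivateKey, blob *TransferBlob) ([]byte, error) {
	wrappingKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kek, blob.WrappedAESKey, nil)
	if err != nil { return nil, fmt.Errorf("KEK cannot unwrap the wrapping key: %w", err) }
	return aesUnwrapPad(wrappingKey, blob.WrappedTargetKey)
}

func main() {
	kek, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the RSA-HSM KEK (key_ops: import)
	target := make([]byte, 32); rand.Read(target) // constructed target key material (an AES-256 key)
	blob, err := exportTargetKey(&kek.PublicKey, target); if err != nil { panic(err) }
	got, err := importTargetKey(kek, blob)
	fmt.Println("target key recovered only by the KEK holder:", err == nil && bytes.Equal(got, target))
}
```

Run it with `go run`. The two requirements stated above are visible in the code paths: the Target Key is only ever handled in plain form inside exportTargetKey (the source HSM) and after importTargetKey (the Key Vault HSM), and in between it exists only under the Wrapping Key, which itself exists only under the KEK. A blob wrapped to a different KEK fails the OAEP decryption, and a blob altered in transit fails the AIV check in aesUnwrapPad, so nothing is imported in either case. For an RSA or EC Target Key the bytes passed to exportTargetKey would be the serialized private key rather than raw AES material.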

HSM constraints

The existing HSM may apply constraints on the keys it manages, including:

  • The HSM may need to be configured to allow key wrap-based export.
  • The target key may need to be marked CKA_EXTRACTABLE (a PKCS#11 Cryptoki attribute) for the HSM to allow controlled export.
  • In some cases, the KEK and wrapping key may need to be marked CKA_TRUSTED, which allows them to be used to wrap keys in the HSM.

The configuration of the source HSM is, generally, outside the scope of this specification. Microsoft expects the HSM vendor to produce documentation accompanying their BYOK tool that includes any such configuration steps.

