Configuring the ESA with Azure Key Vault Managed HSM

Steps to connect to Azure Key Vault Managed HSM.

Verifying the Prerequisites

Ensure that the following prerequisites are met before configuring the ESA with the Azure Key Vault Managed HSM.

Configuring the Managed HSM

Protegrity supports the Managed HSM Key Vault type due to the presence of Get Random Bytes functionality, which is not available in the standard Key Vault.

Ensure that the Azure Managed HSM is already set up and activated on your system.

For more information about setting up an Azure Managed HSM, refer to Quickstart: Provision and activate a Managed HSM using Azure CLI.

Authentication Components for Azure

You can choose one of the following authentication methods.

Service Principal

When you register a new application in Microsoft Entra ID, a Service Principal is automatically created. This Service Principal acts as the application identity within the Microsoft Entra tenant and controls access to resources based on the roles assigned to it.

Ensure that the Service Principal is created with access to the Key Vault. For more information about Service Principal using the CLI, refer to Create an Azure service principal with Azure CLI.

For more information about Service Principal using the Web UI, refer to Register a Microsoft Entra app and create a service principal.

When you create the Service Principal, the AZURE_CLIENT_SECRET and AZURE_CLIENT_ID values are generated.

The Service Principal is added to the Local RBAC of the Azure Managed HSM. The Service Principal is assigned the Managed HSM Crypto User role.

If you have the Azure CLI installed, then you can perform this operation with the help of the following command.

az keyvault role assignment create --hsm-name [NAME of key vault] --role "Managed HSM Crypto User" --assignee [ID of service principal] --scope /

System Managed Identity

Some Azure resources, such as virtual machines, allow you to enable a System Managed Identity directly on the resource. The System Managed Identity exists only as long as the underlying resource remains active. The name of the System Managed Identity is the same as the Azure resource it’s created for.

For more information about enabling the system managed identity, refer to Managed identities for Azure resources documentation.

The System Managed Identity is added to the Local RBAC of the Azure Managed HSM. The System Managed Identity is assigned the Managed HSM Crypto User role.

If you have the Azure CLI installed, then you can perform this operation with the help of the following command.

az keyvault role assignment create --hsm-name [NAME of key vault] --role "Managed HSM Crypto User" --assignee [ID of system managed identity] --scope /

Configuring Connection with Azure Key Vault Managed HSM

To configure connection with Azure Key Vault Managed HSM:

  1. On the ESA Web UI, navigate to Key Management > Key Stores.

    The Key Stores screen appears.

  2. Click New Key Store.

    The Create New Key Store screen appears.

  3. In the Key Store Information section, enter the following details.

    • Name: Type a unique name for Azure KMS. For example, Azure_KMS. The name that you type will update the Key Store installation path field.
    • Type: Select Azure Key Vault Managed HSM.
  4. In the Azure Key Vault Managed HSM details section, specify the URI of the Azure Vault in the Azure Vault URI field.
    For example, specify https://<Vault_Name>.managedhsm.azure.net as the URI.

  5. In the Key Store files and environment variables > Key Store environment variables section, click Add environment variable.
    The Add Key Store environment variable dialog box appears.

  6. Enter the following details, and then click Save:

    • Environment variable name: Specify the environment variable name for the Azure KMS. For example, specify the following entries:
      • AZURE_TENANT_ID
      • AZURE_SUBSCRIPTION_ID
      • AZURE_CLIENT_ID
      • AZURE_CLIENT_SECRET
    • Environment variable value: Specify the value for the corresponding environment variable.
      If you want to mask the value of the variable in the UI, then click the Sensitive toggle to the on position. This ensures that the variable value is hidden while typing and is replaced with asterisks of a fixed length in the list of environment variables.
  7. Click Save.
    The Key Store saved successfully message appears.

  8. Click Test to test the Key Store connection.
    The Test Key Store Connection dialog box appears.

  9. Click OK to close the Test Key Store Connection dialog box.

  10. Click Set As Active to activate the Key Store.
    The Azure Key Store is activated successfully.

Verify that the master key is generated successfully by the Azure Key Store by navigating to Key Management > Master Keys.
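As an added example (not from the Protegrity documentation or product), a Python pre-flight script that checks the prerequisites above before the Key Store is saved: that the Azure Vault URI points at a Managed HSM rather than a standard Key Vault, and that the Service Principal variables from step 6 are complete; live_random_bytes is an optional online check that exercises Get Random Bytes through the Azure SDK. The host-name suffixes and the rule that an empty AZURE_* set means a System Managed Identity are assumptions.

```python
"""Pre-flight checks for an ESA Azure Key Vault Managed HSM key store.
Constructed example, not Protegrity's code: catches a standard Key Vault
URI (no Get Random Bytes) and an incomplete Service Principal variable set."""
from __future__ import annotations

from urllib.parse import urlparse

MANAGED_HSM_SUFFIX = ".managedhsm.azure.net"  # URI form used in the procedure
STANDARD_KV_SUFFIX = ".vault.azure.net"       # standard Key Vault: unsupported
# Variables the key store passes for the Service Principal method.
SP_VARS = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")


def check_vault_uri(uri: str) -> list[str]:
    """Return the problems found; empty means the URI looks like a Managed HSM."""
    p = urlparse(uri)
    host = (p.hostname or "").lower()
    problems = []
    if p.scheme != "https":
        problems.append("scheme must be https")
    if host.endswith(STANDARD_KV_SUFFIX):
        problems.append("standard Key Vault host; Get Random Bytes needs Managed HSM")
    elif not host.endswith(MANAGED_HSM_SUFFIX):
        problems.append(f"host must end with {MANAGED_HSM_SUFFIX}")
    if p.path not in ("", "/"):
        problems.append("URI must not carry a path")
    return problems


def check_auth_env(env: dict[str, str]) -> tuple[str, list[str]]:
    """Classify the auth method and list missing Service Principal variables.
    Assumption: any of SP_VARS set means Service Principal; none set means
    the VM's System Managed Identity is used."""
    present = {v for v in SP_VARS if env.get(v)}
    if not present:
        return "system-managed-identity", []
    return "service-principal", [f"missing {v}" for v in SP_VARS if v not in present]


def live_random_bytes(uri: str, count: int = 32) -> int:
    """Online check (needs azure-identity, azure-keyvault-keys): authenticate as
    the key store does, then call Get Random Bytes. DefaultAzureCredential reads
    the same AZURE_* variables or falls back to the managed identity; the call
    succeeds only if that identity holds the Managed HSM Crypto User role."""
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.keys import KeyClient
    client = KeyClient(vault_url=uri, credential=DefaultAzureCredential())
    return len(client.get_random_bytes(count))  # current SDKs return bytes
```

Run the offline checks against the URI and variables you intend to enter in steps 4 and 6; call live_random_bytes from a host that has the SDK installed and the identity configured.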


Last modified : October 31, 2025