Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Managing Azure Resources

Managing Azure Keys

search

Please Note:

Managing Azure Keys

This section describes how to manage Azure keys on the CCKM. Before proceeding, you must have an Azure key vault added to the CCKM. Refer to Managing Azure Vaults for details.

Adding Azure Keys

This section describes about the different types of keys and how to create/use these keys. The CCKM allows you to:

Uploading New Local Keys

To create a new local Azure key:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Azure.

  3. Click Add Key. The Select Material Origin screen of the Add Azure Key wizard is displayed.

Select Material Origin

  1. Select Upload New Local Key. The CipherTrust Manager will create a new key material locally.

  2. Click Next. The Create CipherTrust Key screen is displayed.

** Create CipherTrust Key**

  1. Enter a Key Name.

  2. Select the Key Size from the available options. The key size can be:

    • 2048

    • 3072

    • 4096

  3. Click Create Key next to the Key Name field. A CipherTrust key is created and displayed on the screen.

  4. Click Next. The Add Labels screen is displayed.

Add Labels

  1. Select the desired Vault.

  2. Enter a user-friendly alias as the Key Name. This helps in uniquely identify a key.

  3. Select Key Attributes. The Key Attributes section contains the following details:

  4. Select the Enable Key check-box.

  5. Select Key Operations from the available options. The supported operations are:

    • Encrypt

    • Decrypt

    • Sign

    • Verify

    • Wrap Key

    • Unwrap Key

  6. Enter Tags. A tag is a label assigned to the key, which consists of a user-defined key and a value.

    To add a tag:

    1. Specify a tag name.

    2. Specify the tag value.

    3. Click the + button.

    Similarly, you can add more tags.

  7. Click Save.

A message Azure Key successfully created is displayed on the screen. The newly created key is displayed in the list of Azure keys.

The origin of the key is CCKM.

Set Activation Date

To configure the activation date:

  1. Select the Set Activation Date check-box.

  2. From the on-screen calendar, select the date and time to activate the key.

Set Expiration Date

To configure the expiration date:

  1. Select the Set Expiration Date check-box.

  2. From the on-screen calendar, select the key expiration date and time.

Creating Azure Native Keys

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Azure.

  3. Click Add Key. The Select Material Origin screen of the Add Azure Key wizard is displayed.

Select Material Origin

  1. Select Create Azure Native Key. The Azure will create a native key material.

  2. Click Next. The Add Labels screen is displayed.

Add Labels

  1. Select the desired Vault.

  2. Enter a user-friendly alias as the Key name. This helps in uniquely identify a key.

  3. From the Key Type drop-down list, select the type of the key. The available key types are:

    • RSA

    • Elliptic Curve

  4. If the key type is RSA, select Size from the following options: 2048, 3072, and 4096.

    If the key type is Elliptic Curve, select Curve from the following options: P-256, P-384, P-521, and SECP256K1.

  5. Select Key Attributes. The Key Attributes section contains the following details:

  6. Select the Enable Key check-box.

  7. Select Key Operations from the available options.

    If the Key Type is RSA, following operations are supported:

    • Encrypt

    • Decrypt

    • Sign

    • Verify

    • Wrap Key

    • Unwrap Key

    If the Key Type is Elliptic Curve, following operations are supported:

    • Sign

    • Verify

  8. Enter Tags. A tag is a label assigned to the key, which consists of a user-defined key and a value.

    To add a tag:

    1. Specify a tag name.

    2. Specify the tag value.

    3. Click the + button.

    Similarly, you can add more tags.

  9. Click Save.

A message Azure Key successfully created is displayed on the screen. The newly created key is displayed in the list of Azure keys.

The origin of the key is Native.

Set Activation Date

To configure the activation date:

  1. Select the Set Activation Date check-box.

  2. From the on-screen calendar, select the date and time to activate the key.

Set Expiration Date

To configure the expiration date:

  1. Select the Set Expiration Date check-box.

  2. From the on-screen calendar, select the key expiration date and time.

Uploading Existing Local Keys

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Azure.

  3. Click Add Key. The Select Material Origin screen of the Add Azure Key wizard is displayed.

Select Material Origin

  1. Select Upload Existing Local Key. The already existing CipherTrust key material will be used.

  2. Click Next. The Select CipherTrust Key screen is displayed.

Select CipherTrust Key

  1. Select an existing CipherTrust key from the Key Name drop-down list.

  2. Click Next. The Add Labels screen is displayed.

Add Labels

  1. Select the desired Vault.

  2. Enter a user-friendly alias as the Key Name. This helps in uniquely identify a key.

  3. Select Key Attributes. The Key Attributes section contains the following details:

  4. Select the Enable Key check-box.

  5. Select Key Operations from the available options. The available options are:

    • Encrypt

    • Decrypt

    • Sign

    • Verify

    • Wrap Key

    • Unwrap Key

  6. Enter Tags. A tag is a label assigned to the key, which consists of a user-defined key and a value.

    To add a tag:

    1. Specify a tag name.

    2. Specify the tag value.

    3. Click the + button.

    Similarly, you can add more tags.

  7. Click Save.

A message Azure Key successfully created is displayed on the screen. The newly created key is displayed in the list of Azure keys.

The origin of the key is CCKM.

Set Activation Date

To configure the activation date:

  • Select the Set Activation Date check-box.

  • From the on-screen calendar, select the date and time to activate the key.

Set Expiration Date

To configure the expiration date:

  • Select the Set Expiration Date check-box.

  • From the on-screen calendar, select the key expiration date and time.

Viewing Azure Keys

To view an Azure key:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Azure. The list of available Azure keys is displayed. The Azure Keys page displays following details:

    FieldDescription
    Key NameUnique, user-friendly alias of the key. This is useful in searching for specific keys.
    Current VersionCurrent version of the key.
    Key VaultName of the Azure key vault.
    RegionAzure region where the key is created.
    StatusState of the key. The status can be:
    • Available
    • Soft Deleted
    • Deleted
    AlgorithmName of the algorithm. Supported algorithms are:
    • EC
    • RSA
    • EC-HSM
    • RSA HSM
    OriginSource of the key material. The origin of the key can be:
    CCKM: Key material is created on CCKM.
    Native: Key material is created on the Azure cloud.
    External (Unknown): Source of the key material is unknown. It is different than CCKM and the native cloud.
    CloudName of the cloud. Supported clouds are:
    • Azure Cloud
    • Azure China Cloud
    • Azure German Cloud
    • Azure US Government
    Creation DateTime when the key is created.

Sometimes, you might notice certain keys are displayed as grayed out. This happens when the keys are no longer accessible. For example, when:

  • Any cloud permissions on the keys are changed. The keys are no longer accessible from the Azure connection.

  • Connection is changed in KMS. The new connection does not have permissions to access the keys.

Editing Azure Keys

To view or edit an Azure key:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Azure. The list of available Azure keys is displayed.

  3. Click the overflow icon (ellipsis) corresponding to the desired alias and click View/Edit.

  4. Configure the KEY SCHEDULES. Refer to KEY SCHEDULES for details.

KEY SCHEDULES

To configure key schedules:

  1. In the KEY SCHEDULES section, select/enter the following details:

    • From the Select Rotation Schedule drop-down list, select a rotation schedule.

    • In the Rotation Settings section, select/enter the following details:

      1. Key origin: Select the key origin from the available options. The key origin can be CipherTrust or Native (Azure).

      2. Key Type: Select the key type. If the key origin is CipherTrust, supported key type is RSA. If the key origin is Native, supported key types are RSA and EC.

      3. If the key type is RSA, select Key Size from the available options.

      4. If the key origin is native and key type is EC, select Elliptical Curve Name from the available options.

      5. Select Enabled if you want to enable the rotated key.

  2. Click Update.

A message Key schedule updated successfully is displayed on the screen.

Rotating Keys (Add Version)

To rotate Azure keys, CCKM Users require Add Key and Upload Key permissions.

To rotate a key:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Azure. The list of available Azure keys is displayed.

  3. Click the overflow icon (ellipsis) corresponding to the desired alias and click Rotate Now (Add Version).

  4. On the Add New Version screen, Select Key Material Origin. The CCKM allows you to use any of the following key material origin:

Uploading New Local Keys

  1. On the Select Material Origin screen of the Add New Version wizard, select Upload New Local Key. The CipherTrust Manager will create a new key material locally.

  2. Click Next. The Create CipherTrust Key screen is displayed.

** Create CipherTrust Key**

  1. Enter a Key name.

  2. Select the Key Size from the available options. The key size can be:

    • 2048

    • 3072

    • 4096

  3. Click Create Key next to the Key Name field. A CipherTrust key is created and displayed on the screen.

  4. Click Next. The Add Labels screen is displayed.

Add Labels

  1. Select Key Attributes. The Key Attributes section contains the following details:

  2. Select the Enable Key check-box.

  3. Select Key Operations from the available options. The Supported operations are:

    • Encrypt

    • Decrypt

    • Sign

    • Verify

    • Wrap Key

    • Unwrap Key

  4. Enter Tags. A tag is a label assigned to the key, which consists of a user-defined key and a value.

    To add a tag:

    1. Specify a tag name.

    2. Specify the tag value.

    3. Click the + button.

    Similarly, you can add more tags.

  5. Click Save.

A message Azure Key successfully rotated is displayed on the screen. Navigate to Cloud Keys > Azure > View/Edit > Versions to view the versions of the rotated Azure key.

Set Activation Date

To configure the activation date:

  1. Select the Set Activation Date check-box.

  2. From the on-screen calendar, select the date and time to activate the key.

Set Expiration Date

To configure the expiration date:

  1. Select the Set Expiration Date check-box.

  2. From the on-screen calendar, select the key expiration date and time.

Creating Azure Native Keys

  1. On the Select Material Origin screen of the Add New Version wizard, select Create Azure Native Key. The Azure will create a native key material.

  2. Click Next. The Add Lables screen is displayed.

Add Labels

  1. From the Key Type drop-down list, select the type of the key. The available key types are:

    • RSA

    • Elliptic Curve

  2. If the key type is RSA, select Size from the following options: 2048, 3072, and 4096.

    If the key type is Elliptic Curve, select Curve from the following options: P-256, P-384, P-521, and SECP256K1.

  3. Select Key Attributes. The Key Attributes section contains the following details:

  4. Select the Enable Key check-box.

  5. Select Key Operations from the available options.

    If the Key Type is RSA, following operations are supported:

    • Encrypt

    • Decrypt

    • Sign

    • Verify

    • Wrap Key

    • Unwrap Key

    If the Key Type is Elliptic Curve, following operations are supported:

    • Sign

    • Verify

  6. Enter Tags. A tag is a label assigned to the key, which consists of a user-defined key and a value.

    To add a tag:

    1. Specify a tag name.

    2. Specify the tag value.

    3. Click the + button.

    Similarly, you can add more tags.

  7. Click Save.

A message Azure Key successfully rotated is displayed on the screen. Navigate to Cloud Keys > Azure > View/Edit > Versions to view the versions of the rotated Azure key.

Set Activation Date

To configure the activation date:

  1. Select the Set Activation Date check-box.

  2. From the on-screen calendar, select the date and time to activate the key.

Set Expiration Date

To configure the expiration date:

  1. Select the Set Expiration Date check-box.

  2. From the on-screen calendar, select the key expiration date and time.

Uploading Existing Local Keys

  1. On the Select Material Origin screen of the Add New Version wizard, select Upload Existing Local Key. The already existing CipherTrust key material will be used.

  2. Click Next. The Select CipherTrust Key screen is displayed.

Select CipherTrust Key

  1. Select an existing CipherTrust key from the Key Name drop-down list.

  2. Click Next. The Add Labels screen is displayed.

Add Labels

  1. Select Key Attributes. The Key Attributes section contains the following details:

  2. Select the Enable Key check-box.

  3. Select Key Operations from the available options. The available options are:

    • Encrypt

    • Decrypt

    • Sign

    • Verify

    • Wrap Key

    • Unwrap Key

  4. Enter Tags. A tag is a label assigned to the key, which consists of a user-defined key and a value.

    To add a tag:

    1. Specify a tag name.

    2. Specify the tag value.

    3. Click the + button.

    Similarly, you can add more tags.

  5. Click Save.

A message Azure Key successfully rotated is displayed on the screen. Navigate to Cloud Keys > Azure > View/Edit > Versions to view the versions of the rotated Azure key.

Set Activation Date

To configure the activation date:

  1. Select the Set Activation Date check-box.

  2. From the on-screen calendar, select the date and time to activate the key.

Set Expiration Date

To configure the expiration date:

  1. Select the Set Expiration Date check-box.

  2. From the on-screen calendar, select the key expiration date and time.

Deleting Azure Keys

Non-soft-delete keys can be deleted directly from the Azure vaults using CCKM.

To delete an Azure key:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Azure. The list of available Azure keys is displayed.

  3. Click the overflow icon (ellipsis) corresponding to the desired alias and click Delete.

  4. On the Confirm Delete screen, click Delete.

A confirmation message is displayed on the screen. The key status changes to DELETED.

Restoring Backup

Note

Restoration of keys among cross-region vaults is not allowed.

To restore an Azure key:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Azure. The list of available Azure keys is displayed.

  3. Click the overflow icon (ellipsis) corresponding to the desired alias and click Restore Backup.

  4. On the Confirm Restore Key screen, click Restore Key.

A message Key <key name> restored is displayed on the screen. The key status changes to AVAILABLE.

Deleting Backup

Deleting Backup permanently removes backup of a deleted Azure key from the CCKM.

This operation can be performed only on the keys with DELETED status.

To delete backup of an Azure key from the CCKM:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Azure. The list of available Azure keys is displayed.

  3. Click the overflow icon (ellipsis) corresponding to the desired alias and click Delete Backup.

  4. On the Hard Delete Azure Key screen, select the I wish to delete the backup of this key. check-box.

  5. Click Delete Key Backup.

A message Key <key name> backup deleted is displayed on the screen. The backup of the key is permanently deleted from the CCKM.

Soft-Deleting Azure Keys

Soft deleting is the process of deleting Azure keys from the Azure vaults and CCKM. These keys still exist on the CCKM and in the Azure vaults. The soft-deleted keys can be recovered.

Note

This operation can be performed only on the Azure keys residing in the soft-enabled key vaults.

To soft-delete an Azure key:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Azure. The list of available Azure keys is displayed.

  3. Click the overflow icon (ellipsis) corresponding to the desired alias and click Soft Delete.

  4. On the Confirm Soft Delete screen, Click Soft Delete.

A message key <key name> soft-deleted is displayed on the screen. The status of the key changes to SOFT-DELETED.

Recovering Soft-Deleted Azure Keys

To recover a soft-deleted Azure key:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Azure. The list of available Azure keys is displayed.

  3. Click the overflow icon (ellipsis) corresponding to the desired alias and click Recover Soft Delete.

  4. On the Confirm Recover Key screen, Click Recover Key.

A message Key <key name> recovered from soft-delete is displayed on the screen. The status of the key changes to AVAILABLE.

Purging Azure Keys

Purging is the process of permanently deleting soft-deleted Azure keys from the Azure vaults. However, backup of the purged key can be restored on the CCKM. If you wish to restore backup of the purged key, follow the steps mentioned in the Restoring Backup section.

Note

This operation can be performed only on the soft-deleted Azure keys residing in the soft-enabled key vaults.

To purge an Azure key:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Azure. The list of available Azure keys is displayed.

  3. Click the overflow icon (ellipsis) corresponding to the desired alias and click Purge.

  4. On the Purge Azure Key screen, select the I wish to purge this key. check-box.

  5. Click Purge Key.

A message key <key name> hard deleted is displayed on the screen. The status of the key changes to DELETED.

On this page