Managing Azure Keys
This section describes how to manage Azure keys on CCKM. Before proceeding, you must have an Azure key vault added to the CCKM. Refer to Managing Azure Vaults for details.
Adding Azure Keys
CCKM provides two methods to add Azure keys:
Creating/Uploading New Key Material: Add key material by creating and uploading a new source key, or by creating a new native key.
Cloning Existing Key Material: Clone key material from an existing key to create a new key.
Creating/Uploading New Key Material
To add an Azure key by creating/uploading new key material:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure.
Click Add Key. The Select Material Origin screen of the Add Azure Key wizard is displayed.
Under Select Method, select Create/Upload New Key Material. The Select Source section appears. Depending on your requirements, select from the following:
Uploading CipherTrust (External) Key Material
Upload the key material of an external CipherTrust Manager key using the CipherTrust Manager to configure the source key.
Select Material Origin
Select CipherTrust (External).
Click Next. The Configure Source Key screen is displayed.
Configure CipherTrust (External) Key
Select Domain from the drop-down list.
Enter a Key Name.
Select the Key Size from the available options. The supported sizes are 2048, 3072, and 4096.
Click Next.
Configure Destination (Azure) Key
Enter a user-friendly alias as the Azure Key Name. This helps uniquely identify a key. By default, the Key Name specified on the previous screen is populated.
Select the desired Vault from the drop-down list. The list shows the available Azure key vaults with their types specified in parentheses. The Azure key vault types are Standard, Premium, and ManagedHSM.
Select the Key Type.
For a standard vault, the key type is RSA.
For vaults inside an Azure Managed HSM pool, the key type is RSA HSM.
For a premium vault, the key type can be RSA or RSA HSM.
(Optional) Set the key activation and expiration dates.
Select the Set Activation Date check box and from the on-screen calendar, select the date and time to activate the key.
Select the Set Expiration Date check box and from the on-screen calendar, select the key expiration date and time.
(Optional) Select the Enable Key check box.
(Optional, applicable to premium Azure vaults and vaults stored in an Azure Managed HSM pool) Select the Exportable check box to enable Confidential Computing.
When you select Exportable, the Release Policy text box is displayed. In this text box, specify or paste the release policy in the JSON format. A release policy specifies the policy rules under which the key can be exported. The release policy must be specified when creating the first version of an exportable key.
A sample release policy is displayed below.

```json
{
  "anyOf": [
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedeus.eus.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedwus.wus.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedneu.neu.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedweu.weu.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedeus2.eus2.attest.azure.net/"
    }
  ],
  "version": "1.0.0"
}
```
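The release policy above is a set of attestation rules: each anyOf alternative names an attestation authority and the claims (allOf) that its token must carry before the key is released. The Python checker below is an added example, not CCKM code or a Microsoft tool; it validates the structure of a policy of this shape before it is pasted into the Release Policy text box, and the same check applies to the Exportable step of every procedure on this page. The claim names and values are taken from the sample; requiring an HTTPS authority and version "1.0.0" is this example's own choice.

```python
"""Structural checks for an Azure key release policy before it is pasted into
the CCKM Release Policy text box.

Added example; not part of the CCKM documentation or product. It parses a
release policy of the shape shown in the sample (anyOf -> allOf -> claim/equals,
plus an attestation authority per alternative) and reports anything that would
weaken it. Claim names/values come from the page's sample; requiring an HTTPS
authority and version "1.0.0" is this example's own choice.
"""
import json
from urllib.parse import urlparse

# Claims every alternative must pin, with the values the sample policy uses.
REQUIRED_CLAIMS = {
    "x-ms-attestation-type": {"sevsnpvm"},
    "x-ms-compliance-status": {"azure-compliant-cvm"},
}
EXPECTED_VERSION = "1.0.0"


def check_release_policy(policy_json):
    """Return a list of findings; an empty list means the policy passed."""
    findings = []
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return ["policy is not valid JSON: %s" % exc.msg]
    if not isinstance(policy, dict):
        return ["policy must be a JSON object"]
    if policy.get("version") != EXPECTED_VERSION:
        findings.append("version must be %r" % EXPECTED_VERSION)
    alternatives = policy.get("anyOf")
    if not isinstance(alternatives, list) or not alternatives:
        findings.append("anyOf must be a non-empty list of alternatives")
        return findings
    for i, alt in enumerate(alternatives):
        where = "anyOf[%d]" % i
        if not isinstance(alt, dict):
            findings.append(where + ": alternative must be an object")
            continue
        # Authority: the attestation service whose tokens this alternative trusts.
        authority = alt.get("authority")
        url = urlparse(authority) if isinstance(authority, str) else None
        if url is None or url.scheme != "https" or not url.netloc:
            findings.append(where + ": authority must be an https URL")
        # Claims: every required claim must be present with an expected value.
        conditions = alt.get("allOf")
        if not isinstance(conditions, list):
            findings.append(where + ": allOf must be a list of claim conditions")
            continue
        seen = {}
        for cond in conditions:
            if not isinstance(cond, dict) or "claim" not in cond or "equals" not in cond:
                findings.append(where + ": each allOf entry needs 'claim' and 'equals'")
                continue
            seen[cond["claim"]] = cond["equals"]
        for claim, allowed in REQUIRED_CLAIMS.items():
            if claim not in seen:
                findings.append("%s: missing required claim %s" % (where, claim))
            elif seen[claim] not in allowed:
                findings.append("%s: %s has unexpected value %r" % (where, claim, seen[claim]))
    return findings


# Two alternatives copied from the page's sample policy.
SAMPLE_POLICY = """{ "anyOf": [
  { "allOf": [ { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
               { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" } ],
    "authority": "https://sharedeus.eus.attest.azure.net/" },
  { "allOf": [ { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
               { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" } ],
    "authority": "https://sharedwus.wus.attest.azure.net/" } ],
  "version": "1.0.0" }"""

# Constructed weak policy: plain-http authority and no compliance-status claim.
WEAK_POLICY = """{ "anyOf": [
  { "allOf": [ { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" } ],
    "authority": "http://sharedeus.eus.attest.azure.net/" } ],
  "version": "1.0.0" }"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_POLICY), ("weak", WEAK_POLICY)):
        print(name, check_release_policy(text) or ["ok"])
```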
Select the Key Attributes. The supported attributes are:
Encrypt, Decrypt, Sign
Verify, Wrap Key, Unwrap Key
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: **! @ # $ % ) ( { } > < ? + - / \ [ ] ^ & = | ~ ` , : ; . ' " _**
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Add to Schedule screen is displayed.
Add to Schedule
Select Rotation Schedule.
Select the Key Origin from the available options. The key origin can be:
CipherTrust: CipherTrust Manager.
Native (Azure): Native Microsoft Azure application. Also select the Key Type - RSA or EC.
Luna: Luna HSM. Also select a Partition.
DSM: Vormetric Data Security Manager. Also select a Domain.
Select a Key Size.
Note
When the key origin is native Azure, select a curve for Elliptic Curve or Elliptic Curve HSM key types.
(Optional) Select the Enabled check box to enable the key.
Click Next.
The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click Close. The Add Azure Key wizard is closed.
The newly created key is displayed in the list of Azure keys. The origin of the key is CCKM.
Uploading CipherTrust (Local) Key Material
Upload the local key material using CipherTrust to configure the source key.
Select Material Origin
Select CipherTrust (Local).
Click Next. The Configure Source Key screen is displayed.
Configure CipherTrust (Local) Key
Enter a Key Name.
Select the Key Size from the available options. The supported sizes are 2048, 3072, and 4096.
Click Next.
Configure Destination (Azure) Key
Enter a user-friendly alias as the Azure Key Name. This helps uniquely identify a key. By default, the Key Name specified on the previous screen is populated.
Select the desired Vault from the drop-down list. The list shows the available Azure key vaults with their types specified in parentheses. The Azure key vault types are Standard, Premium, and ManagedHSM.
Select the Key Type.
For a standard vault, the key type is RSA.
For vaults inside an Azure Managed HSM pool, the key type is RSA HSM.
For a premium vault, the key type can be RSA or RSA HSM.
(Optional) Set the key activation and expiration dates.
Select the Set Activation Date check box and from the on-screen calendar, select the date and time to activate the key.
Select the Set Expiration Date check box and from the on-screen calendar, select the key expiration date and time.
(Optional) Select the Enable Key check box.
(Optional, applicable to premium Azure vaults and vaults stored in an Azure Managed HSM pool) Select the Exportable check box to enable Confidential Computing.
When you select Exportable, the Release Policy text box is displayed. In this text box, specify or paste the release policy in the JSON format. A release policy specifies the policy rules under which the key can be exported. The release policy must be specified when creating the first version of an exportable key.
A sample release policy is displayed below.

```json
{
  "anyOf": [
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedeus.eus.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedwus.wus.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedneu.neu.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedweu.weu.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedeus2.eus2.attest.azure.net/"
    }
  ],
  "version": "1.0.0"
}
```
Select the Key Attributes. The supported attributes are:
Encrypt, Decrypt, Sign
Verify, Wrap Key, Unwrap Key
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: **! @ # $ % ) ( { } > < ? + - / \ [ ] ^ & = | ~ ` , : ; . ' " _**
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next.
The Add to Schedule screen is displayed.
Add to Schedule
Select Rotation Schedule.
Select the Key Origin from the available options. The key origin can be:
CipherTrust: CipherTrust Manager.
Native (Azure): Native Microsoft Azure application. Also select the Key Type - RSA or EC.
Luna: Luna HSM. Also select a Partition.
DSM: Vormetric Data Security Manager. Also select a Domain.
Select a Key Size.
Note
When the key origin is native Azure, select a curve for Elliptic Curve or Elliptic Curve HSM key types.
(Optional) Select the Enabled check box to enable the key.
Click Next.
The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click Close. The Add Azure Key wizard is closed.
The newly created key is displayed in the list of Azure keys. The origin of the key is CCKM.
Creating Microsoft Azure (Native) Key Material
Create the Azure key material directly using the native Microsoft Azure application.
Select Material Origin
Select Microsoft Azure (Native).
Click Next. The Configure Source Key screen is displayed.
Configure Source Key
Enter a user-friendly alias as the Azure Key Name. This helps uniquely identify a key.
Select the desired Vault from the drop-down list. The list shows the available Azure key vaults with their types specified in parentheses. The Azure key vault types are Standard, Premium, and ManagedHSM.
Select the Key Type.
For a standard vault, the key type can be RSA or Elliptic Curve.
For vaults inside an Azure Managed HSM pool, the key type can be RSA HSM or Elliptic Curve HSM.
For a premium vault, the key type can be Elliptic Curve, Elliptic Curve HSM, RSA, or RSA HSM.
(Applicable to RSA or RSA HSM key types) Select Size from the following options: 2048, 3072, and 4096.
(Applicable to Elliptic Curve or Elliptic Curve HSM key types) Select Curve from the following options: P-256, P-384, P-521, and SECP256K1.
(Optional) Set the key activation and expiration dates.
Select the Set Activation Date check box and from the on-screen calendar, select the date and time to activate the key.
Select the Set Expiration Date check box and from the on-screen calendar, select the key expiration date and time.
(Optional) Select the Enable Key check box.
Select the Key Attributes.
If the Key Type is RSA or RSA HSM, the supported attributes are:
Encrypt, Decrypt, Sign
Verify, Wrap Key, Unwrap Key
If the Key Type is Elliptic Curve or Elliptic Curve HSM, the supported attributes are:
Sign
Verify
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: **! @ # $ % ) ( { } > < ? + - / \ [ ] ^ & = | ~ ` , : ; . ' " _**
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next.
The Add to Schedule screen is displayed.
Add to Schedule
Select Rotation Schedule.
Select the Key Origin from the available options. The key origin can be:
CipherTrust: CipherTrust Manager.
Native (Azure): Native Microsoft Azure application. Also select the Key Type - RSA or EC.
Luna: Luna HSM. Also select a Partition.
DSM: Vormetric Data Security Manager. Also select a Domain.
Select a Key Size.
Note
When the key origin is native Azure, select a curve for Elliptic Curve or Elliptic Curve HSM key types.
(Optional) Select the Enabled check box to enable the key.
Click Next.
The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, NATIVE KEY and KEY SCHEDULES sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the NATIVE KEY and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the NATIVE KEY and KEY SCHEDULES sections becomes Complete and the Key ID link is displayed, the key is created successfully.
Click Close. The Add Azure Key wizard is closed.
The newly created key is displayed in the list of Azure keys. The origin of the key is Native.
Uploading Luna HSM Key Material
Upload the key material using Luna HSM to configure the source key.
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Select Material Origin
Select Luna HSM.
Click Next. The Configure Source Key screen is displayed.
Configure Source Key
Enter a Luna HSM Key Label.
Select the Partition ID of the desired Luna HSM.
Select the key Mechanism. The supported key mechanisms are:
CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN
CKM_RSA_X9_31_KEY_PAIR_GEN
CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN
CKM_RSA_PKCS_KEY_PAIR_GEN
Select the Key Size from the available options. The supported sizes are 2048, 3072, and 4096.
Select the Key Attributes. The options are:
Encrypt, Decrypt, Wrap, Unwrap
Sign, Verify, Derive
Click Next.
Configure Destination (Azure) Key
Enter a user-friendly alias as the Azure Key Name. This helps uniquely identify a key. By default, the Key Name specified on the previous screen is populated.
Select the desired Vault from the drop-down list. The list shows the available Azure key vaults with their types specified in parentheses. The Azure key vault types are Standard, Premium, and ManagedHSM.
Select the Key Type.
For a standard vault, the key type is RSA.
For a premium vault, the key type can be RSA or RSA HSM.
(Optional) Set the key activation and expiration dates.
Select the Set Activation Date check box and from the on-screen calendar, select the date and time to activate the key.
Select the Set Expiration Date check box and from the on-screen calendar, select the key expiration date and time.
(Optional) Select the Enable Key check box.
(Optional, applicable to premium Azure vaults and vaults stored in an Azure Managed HSM pool) Select the Exportable check box to enable Confidential Computing.
When you select Exportable, the Release Policy text box is displayed. In this text box, specify or paste the release policy in the JSON format. A release policy specifies the policy rules under which the key can be exported. The release policy must be specified when creating the first version of an exportable key.
A sample release policy is displayed below.

```json
{
  "anyOf": [
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedeus.eus.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedwus.wus.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedneu.neu.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedweu.weu.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedeus2.eus2.attest.azure.net/"
    }
  ],
  "version": "1.0.0"
}
```
Select the Key Attributes. The supported attributes are:
Encrypt, Decrypt, Sign
Verify, Wrap Key, Unwrap Key
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: **! @ # $ % ) ( { } > < ? + - / \ [ ] ^ & = | ~ ` , : ; . ' " _**
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Add to Schedule screen is displayed.
Add to Schedule
Select Rotation Schedule.
Select the Key Origin from the available options. The key origin can be:
CipherTrust: CipherTrust Manager.
Native (Azure): Native Microsoft Azure application. Also select the Key Type - RSA or EC.
Luna: Luna HSM. Also select a Partition.
DSM: Vormetric Data Security Manager. Also select a Domain.
Select a Key Size.
Note
When the key origin is native Azure, select a curve for Elliptic Curve or Elliptic Curve HSM key types.
(Optional) Select the Enabled check box to enable the key.
Click Next.
The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click Close. The Add Azure Key wizard is closed.
The newly created key is displayed in the list of Azure keys. The origin of the key is CCKM.
Uploading Vormetric DSM Key Material
Upload the key material using Vormetric DSM to configure the source key.
Select Material Origin
Select Vormetric DSM.
Click Next. The Configure Source Key screen is displayed.
Configure Source Key
Enter a DSM Key Name.
(Optional) Provide a basic Description of the key.
Select the desired DSM Domain.
(Optional) Set the key expiration date. Select the Expiration Date check box and from the on-screen calendar, select the key expiration date and time.
Select the key Algorithm. The supported algorithms are:
RSA-4048
RSA-3072
RSA-4096
Click Next.
Configure Destination (Azure) Key
Enter a user-friendly alias as the Azure Key Name. This helps uniquely identify a key. By default, the Key Name specified on the previous screen is populated.
Select the desired Vault from the drop-down list. The list shows the available Azure key vaults with their types specified in parentheses. The Azure key vault types are Standard, Premium, and ManagedHSM.
Select the Key Type.
For a standard vault, the key type is RSA.
For a premium vault, the key type can be RSA or RSA HSM.
(Optional) Set the key activation and expiration dates.
Select the Set Activation Date check box and from the on-screen calendar, select the date and time to activate the key.
Select the Set Expiration Date check box and from the on-screen calendar, select the key expiration date and time.
(Optional) Select the Enable Key check box.
(Optional, applicable to premium Azure vaults and vaults stored in an Azure Managed HSM pool) Select the Exportable check box to enable Confidential Computing.
When you select Exportable, the Release Policy text box is displayed. In this text box, specify or paste the release policy in the JSON format. A release policy specifies the policy rules under which the key can be exported. The release policy must be specified when creating the first version of an exportable key.
A sample release policy is displayed below.

```json
{
  "anyOf": [
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedeus.eus.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedwus.wus.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedneu.neu.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedweu.weu.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedeus2.eus2.attest.azure.net/"
    }
  ],
  "version": "1.0.0"
}
```
Select the Key Attributes. The supported attributes are:
Encrypt, Decrypt, Sign
Verify, Wrap Key, Unwrap Key
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: **! @ # $ % ) ( { } > < ? + - / \ [ ] ^ & = | ~ ` , : ; . ' " _**
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Add to Schedule screen is displayed.
Add to Schedule
Select Rotation Schedule.
Select the Key Origin from the available options. The key origin can be:
CipherTrust: CipherTrust Manager.
Native (Azure): Native Microsoft Azure application. Also select the Key Type - RSA or EC.
Luna: Luna HSM. Also select a Partition.
DSM: Vormetric Data Security Manager. Also select a Domain.
Select a Key Size.
Note
When the key origin is native Azure, select a curve for Elliptic Curve or Elliptic Curve HSM key types.
(Optional) Select the Enabled check box to enable the key.
Click Next.
The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections becomes Complete and the Key ID links are displayed, the key is created successfully.
Click Close. The Add Azure Key wizard is closed.
The newly created key is displayed in the list of Azure keys. The origin of the key is CCKM.
Cloning Existing Key Material
To add a new Azure key by cloning existing key material:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure.
Click Add Key. The Select Material Origin screen of the Add Azure Key wizard is displayed.
Under Select Method, select Clone Existing Key Material. The Select Source section appears. Depending on your requirements, select from the following:
Cloning CipherTrust (External) Key Material
Upload the key material of an external CipherTrust Manager key using CipherTrust to configure the source key.
Select Material Origin
Select CipherTrust (External).
Click Next. The Select CipherTrust Key screen is displayed.
Select CipherTrust (External) Key
Select a Domain from the drop-down list. This field displays the domains of the external CipherTrust Manager.
Select the desired Key Size. The options are 2048, 3072, and 4096.
Select a CipherTrust (External) Key from the list. The list displays the keys of the selected domain of the external CipherTrust Manager.
Click Next. The Configure Destination (Azure) Key screen is displayed.
Configure Destination (Azure) Key
Enter a user-friendly alias as the Azure Key Name. This helps uniquely identify a key.
Select the desired Vault from the drop-down list. The list shows the available Azure key vaults with their types specified in parentheses. The Azure key vault types are Standard, Premium, and ManagedHSM.
Select the Key Type.
For a standard vault, the key type is RSA.
For a premium vault, the key type can be RSA or RSA HSM.
(Optional) Set the key activation and expiration dates.
Select the Set Activation Date check box and from the on-screen calendar, select the date and time to activate the key.
Select the Set Expiration Date check box and from the on-screen calendar, select the key expiration date and time.
(Optional) Select the Enable Key check box.
(Optional, applicable to premium Azure vaults and vaults stored in an Azure Managed HSM pool) Select the Exportable check box to enable Confidential Computing.
When you select Exportable, the Release Policy text box is displayed. In this text box, specify or paste the release policy in the JSON format. A release policy specifies the policy rules under which the key can be exported. The release policy must be specified when creating the first version of an exportable key.
A sample release policy is displayed below.

```json
{
  "anyOf": [
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedeus.eus.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedwus.wus.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedneu.neu.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedweu.weu.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedeus2.eus2.attest.azure.net/"
    }
  ],
  "version": "1.0.0"
}
```
Select the Key Attributes. The supported attributes are:
Encrypt, Decrypt, Sign
Verify, Wrap Key, Unwrap Key
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: **! @ # $ % ) ( { } > < ? + - / \ [ ] ^ & = | ~ ` , : ; . ' " _**
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Add to Schedule screen is displayed.
Add to Schedule
Select Rotation Schedule.
Select the Key Origin from the available options. The key origin can be:
CipherTrust: CipherTrust Manager.
Native (Azure): Native Microsoft Azure application. Also select the Key Type - RSA or EC.
Luna: Luna HSM. Also select a Partition.
DSM: Vormetric Data Security Manager. Also select a Domain.
Select a Key Size.
Note
When the key origin is native Azure, select a curve for Elliptic Curve or Elliptic Curve HSM key types.
(Optional) Select the Enabled check box to enable the key.
Click Next.
The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the DESTINATION KEY and KEY SCHEDULES sections becomes Complete and the Key ID link is displayed, the key is created successfully.
Click Close. The Add Azure Key wizard is closed.
The newly created key is displayed in the list of Azure keys. The origin of the key is CCKM.
Cloning CipherTrust (Local) Key Material
Upload the local key material using CipherTrust to configure the source key.
Select Material Origin
Select CipherTrust (Local).
Click Next. The Select CipherTrust Key screen is displayed.
Select CipherTrust (Local) Key
Select the desired Key Size. The options are 2048, 3072, and 4096.
Select a CipherTrust (Local) Key from the list. The list displays the keys of the selected domain of the external CipherTrust Manager.
Click Next. The Configure Destination (Azure) Key screen is displayed.
Configure Destination (Azure) Key
Enter a user-friendly alias as the Azure Key Name. This helps uniquely identify a key.
Select the desired Vault from the drop-down list. The list shows the available Azure key vaults with their types specified in parentheses. The Azure key vault types are Standard, Premium, and ManagedHSM.
Select the Key Type.
For a standard vault, the key type is RSA.
For a premium vault, the key type can be RSA or RSA HSM.
(Optional) Set the key activation and expiration dates.
Select the Set Activation Date check box and from the on-screen calendar, select the date and time to activate the key.
Select the Set Expiration Date check box and from the on-screen calendar, select the key expiration date and time.
(Optional) Select the Enable Key check box.
(Optional, applicable to premium Azure vaults and vaults stored in an Azure Managed HSM pool) Select the Exportable check box to allow the key to be released to an attested confidential computing environment.
When you select Exportable, the Release Policy text box is displayed. In this text box, specify or paste the release policy in JSON format. A release policy specifies the attestation claims that a requesting environment must present before Azure releases the key. The release policy must be specified when creating the first version of an exportable key.
Each allOf block lists claims that must all match and is bound to one attestation authority; the key is released only when the attestation token is issued by one of the listed authorities and satisfies every claim in that authority's block. The sample below accepts only AMD SEV-SNP confidential VMs (x-ms-attestation-type equal to sevsnpvm) that attestation reports as Azure-compliant (x-ms-compliance-status equal to azure-compliant-cvm), attested by any of five shared regional Azure Attestation providers. Before using it, trim the authority list to the regions where your confidential VMs actually run.
A sample release policy is displayed below.
{
  "anyOf": [
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedeus.eus.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedwus.wus.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedneu.neu.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedweu.weu.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedeus2.eus2.attest.azure.net/"
    }
  ],
  "version": "1.0.0"
}
Select the Key Attributes. The supported attributes are:
Encrypt, Decrypt, Sign
Verify, Wrap Key, Unwrap Key
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: ! @ # $ % ) ( { } > < ? + - / \ [ ] ^ & = | ~ ` , : ; . ' " _
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Add to Schedule screen is displayed.
Add to Schedule
Select Rotation Schedule.
Select the Key Origin from the available options. The key origin can be:
CipherTrust: CipherTrust Manager.
Native (Azure): Key material generated natively by Azure Key Vault. Also select the Key Type - RSA or EC.
Luna: Thales Luna HSM. Also select a Partition.
DSM: Vormetric Data Security Manager. Also select a Domain.
Select a Key Size.
Note
When the key origin is native Azure, select a curve for Elliptic Curve or Elliptic Curve HSM key types.
(Optional) Select the Enabled check box to enable the key.
Click Next.
The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the DESTINATION KEY and KEY SCHEDULES sections becomes Complete and the Key ID link is displayed, the key is created successfully.
Click Close. The Add Azure Key wizard is closed.
The newly created key is displayed in the list of Azure keys. The origin of the key is CCKM.
Cloning Luna HSM Key Material
Use a key that already exists on a connected Luna HSM as the source key material.
Note
CCKM doesn't support FM-enabled Luna HSM as a key source.
Select Material Origin
Select Luna HSM.
Click Next. The Select Luna HSM Key screen is displayed.
Select Luna HSM Key
Select the desired Key Size. The options are 2048, 3072, and 4096.
Select an HSM Key from the list. The list displays the keys available on the connected Luna HSM.
Click Next. The Configure Destination (Azure) Key screen is displayed.
Configure Destination (Azure) Key
Enter a user-friendly alias as the Azure Key Name. This helps uniquely identify a key.
Select the desired Vault from the drop-down list. The list shows the available Azure key vaults with their types specified in parenthesis. The Azure key vault types are Standard, Premium, and ManagedHSM.
Select the Key Type.
For a standard vault, the key type is RSA.
For a premium vault, the key type can be RSA or RSA HSM.
(Optional) Set the key activation and expiration dates.
Select the Set Activation Date check box and from the on-screen calendar, select the date and time to activate the key.
Select the Set Expiration Date check box and from the on-screen calendar, select the key expiration date and time.
(Optional) Select the Enable Key check box.
(Optional, applicable to premium Azure vaults and vaults stored in an Azure Managed HSM pool) Select the Exportable check box to allow the key to be released to an attested confidential computing environment.
When you select Exportable, the Release Policy text box is displayed. In this text box, specify or paste the release policy in JSON format. A release policy specifies the attestation claims that a requesting environment must present before Azure releases the key; each allOf block is bound to one attestation authority, and the key is released only when the attestation token is issued by one of the listed authorities and satisfies every claim in that authority's block. The release policy must be specified when creating the first version of an exportable key.
A sample release policy is displayed below. It accepts only Azure-compliant AMD SEV-SNP confidential VMs attested by one of five shared regional Azure Attestation providers; trim the authority list to the regions you actually use.
{
  "anyOf": [
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedeus.eus.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedwus.wus.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedneu.neu.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedweu.weu.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedeus2.eus2.attest.azure.net/"
    }
  ],
  "version": "1.0.0"
}
Select the Key Attributes. The supported attributes are:
Encrypt, Decrypt, Sign
Verify, Wrap Key, Unwrap Key
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: ! @ # $ % ) ( { } > < ? + - / \ [ ] ^ & = | ~ ` , : ; . ' " _
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next.
The Add to Schedule screen is displayed.
Add to Schedule
Select Rotation Schedule.
Select the Key Origin from the available options. The key origin can be:
CipherTrust: CipherTrust Manager.
Native (Azure): Key material generated natively by Azure Key Vault. Also select the Key Type - RSA or EC.
Luna: Thales Luna HSM. Also select a Partition.
DSM: Vormetric Data Security Manager. Also select a Domain.
Select a Key Size.
Note
When the key origin is native Azure, select a curve for Elliptic Curve or Elliptic Curve HSM key types.
(Optional) Select the Enabled check box to enable the key.
Click Next.
The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the DESTINATION KEY and KEY SCHEDULES sections becomes Complete and the Key ID link is displayed, the key is created successfully.
Click Close. The Add Azure Key wizard is closed.
The newly created key is displayed in the list of Azure keys. The origin of the key is CCKM.
Cloning Vormetric DSM Key Material
Use a key that already exists on a connected Vormetric DSM as the source key material.
Select Material Origin
Select Vormetric DSM.
Click Next. The Select Vormetric DSM Key screen is displayed.
Select Vormetric DSM Key
Select the desired Key Size. The options are 2048, 3072, and 4096.
Select a DSM Key from the list. The list displays the keys available in the connected Vormetric DSM domain.
Click Next. The Configure Destination (Azure) Key screen is displayed.
Configure Destination (Azure) Key
Enter a user-friendly alias as the Azure Key Name. This helps uniquely identify a key.
Select the desired Vault from the drop-down list. The list shows the available Azure key vaults with their types specified in parenthesis. The Azure key vault types are Standard, Premium, and ManagedHSM.
Select the Key Type.
For a standard vault, the key type is RSA.
For a premium vault, the key type can be RSA or RSA HSM.
(Optional) Set the key activation and expiration dates.
Select the Set Activation Date check box and from the on-screen calendar, select the date and time to activate the key.
Select the Set Expiration Date check box and from the on-screen calendar, select the key expiration date and time.
(Optional) Select the Enable Key check box.
(Optional, applicable to premium Azure vaults and vaults stored in an Azure Managed HSM pool) Select the Exportable check box to allow the key to be released to an attested confidential computing environment.
When you select Exportable, the Release Policy text box is displayed. In this text box, specify or paste the release policy in JSON format. A release policy specifies the attestation claims that a requesting environment must present before Azure releases the key; each allOf block is bound to one attestation authority, and the key is released only when the attestation token is issued by one of the listed authorities and satisfies every claim in that authority's block. The release policy must be specified when creating the first version of an exportable key.
A sample release policy is displayed below. It accepts only Azure-compliant AMD SEV-SNP confidential VMs attested by one of five shared regional Azure Attestation providers; trim the authority list to the regions you actually use.
{
  "anyOf": [
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedeus.eus.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedwus.wus.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedneu.neu.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedweu.weu.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedeus2.eus2.attest.azure.net/"
    }
  ],
  "version": "1.0.0"
}
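The release policy shown in the CipherTrust (Local), Luna HSM and Vormetric DSM procedures above is only data; what matters operationally is how Azure Key Vault interprets it when a confidential VM asks for the key. The following evaluator is an added example, not CCKM or Azure code. It models only the grammar used in the sample policy (anyOf of allOf claim rules, each bound to one authority), takes the issuer and claims as plain values rather than a signed attestation JWT (the signature check that Key Vault performs against the authority is deliberately out of scope), and uses a constructed two-authority policy plus constructed claim sets; the function names, the trailing-slash normalisation of the authority URL and the "azure-non-compliant-cvm" value are this example's own assumptions.

```python
"""Evaluate an Azure Key Vault release policy against attestation claims.

Added example, not CCKM or Azure code. Models the policy grammar on this page
(anyOf -> allOf claim rules, each bound to one attestation authority). It does
not verify the attestation token signature; issuer and claims are plain inputs.
"""
from __future__ import annotations

import json
from typing import Any

# Constructed policy in the same shape as the page's sample, trimmed to two
# authorities so the "untrusted authority" case below is easy to demonstrate.
RELEASE_POLICY: dict[str, Any] = json.loads("""
{
  "anyOf": [
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedeus.eus.attest.azure.net/"
    },
    {
      "allOf": [
        { "claim": "x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ],
      "authority": "https://sharedweu.weu.attest.azure.net/"
    }
  ],
  "version": "1.0.0"
}
""")


def _same_authority(policy_authority: str, issuer: str) -> bool:
    # Assumption for this example: the policy writes authorities with a trailing
    # slash while a token issuer may omit it, so compare without it, case-insensitively.
    return policy_authority.rstrip("/").lower() == issuer.rstrip("/").lower()


def _rule_holds(rule: dict[str, Any], claims: dict[str, Any]) -> bool:
    # Only the "equals" operator from the sample is modelled. A claim that is
    # missing from the token never matches, so absent evidence fails closed.
    if "claim" not in rule or "equals" not in rule:
        raise ValueError(f"unsupported rule: {rule}")
    return claims.get(rule["claim"]) == rule["equals"]


def evaluate_release_policy(policy: dict[str, Any], issuer: str, claims: dict[str, Any]) -> bool:
    """Return True if a token from `issuer` carrying `claims` satisfies `policy`.

    One anyOf branch must match. A branch matches only when the issuer is that
    branch's authority and every allOf rule holds; a branch with no rules never
    matches, so a malformed policy cannot release the key to everyone.
    """
    if policy.get("version") != "1.0.0":
        raise ValueError("unsupported release policy version")
    for branch in policy.get("anyOf", []):
        rules = branch.get("allOf", [])
        if not rules or not _same_authority(branch["authority"], issuer):
            continue
        if all(_rule_holds(rule, claims) for rule in rules):
            return True
    return False


# Constructed claim sets; the non-compliant value is invented for the example.
COMPLIANT_CVM = {"x-ms-attestation-type": "sevsnpvm", "x-ms-compliance-status": "azure-compliant-cvm"}
NON_COMPLIANT_CVM = {"x-ms-attestation-type": "sevsnpvm", "x-ms-compliance-status": "azure-non-compliant-cvm"}

if __name__ == "__main__":
    eus = "https://sharedeus.eus.attest.azure.net"
    neu = "https://sharedneu.neu.attest.azure.net"  # not in the trimmed policy
    print(evaluate_release_policy(RELEASE_POLICY, eus, COMPLIANT_CVM))      # True
    print(evaluate_release_policy(RELEASE_POLICY, eus, NON_COMPLIANT_CVM))  # False
    print(evaluate_release_policy(RELEASE_POLICY, neu, COMPLIANT_CVM))      # False
```

The third case is the one to keep in mind when editing the authority list: a VM that presents exactly the right claims is still refused if its attestation provider is not one the policy names, which is why the list should contain only the regions you deploy to and nothing more.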
Select the Key Attributes. The supported attributes are:
Encrypt, Decrypt, Sign
Verify, Wrap Key, Unwrap Key
(Optional) Enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value.
To add a tag:
Specify a tag name.
Specify the tag value.
CCKM allows the following characters in tag values:
Alphanumeric characters
Special characters: ! @ # $ % ) ( { } > < ? + - / \ [ ] ^ & = | ~ ` , : ; . ' " _
Click the + button.
Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.
Click Next. The Add to Schedule screen is displayed.
Add to Schedule
Select Rotation Schedule.
Select the Key Origin from the available options. The key origin can be:
CipherTrust: CipherTrust Manager.
Native (Azure): Key material generated natively by Azure Key Vault. Also select the Key Type - RSA or EC.
Luna: Thales Luna HSM. Also select a Partition.
DSM: Vormetric Data Security Manager. Also select a Domain.
Select a Key Size.
Note
When the key origin is native Azure, select a curve for Elliptic Curve or Elliptic Curve HSM key types.
(Optional) Select the Enabled check box to enable the key.
Click Next.
The Review and Add screen is displayed.
Review and Add
This screen shows the key details that you have provided. These details are divided into MATERIAL ORIGIN, SOURCE KEY, DESTINATION KEY, and KEY SCHEDULES sections.
Before adding the key, review all details. After the key is added, certain features will no longer be editable.
Review the key details displayed on the screen.
If details are incorrect or you want to make any changes, click Edit next to the SOURCE KEY and DESTINATION KEY sections and update details. Alternatively, click Back and make changes, as appropriate.
Click Add Key.
The key creation starts. A Create Key In Progress message is displayed on the screen. Leave the window open until the process is completed.
When the status next to the DESTINATION KEY section becomes Complete and the Key ID link is displayed, the key is created successfully.
Click Close. The Add Azure Key wizard is closed.
The newly created key is displayed in the list of Azure keys. The origin of the key is CCKM.
Viewing Azure Keys
Search for Azure keys by Key Name, Key Vault, or Tags.
CCKM does not allow searching for keys:
By tag values that contain a colon (:)
By a "key:value" pair that contains any of these characters: \ , : " %
To view an Azure key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure. The list of available Azure keys is displayed. The Azure Keys page displays the following details:
Field: Description
Key Name: Unique, user-friendly alias of the key. This is useful in searching for specific keys.
Current Version: Current version of the key. Click the expand icon corresponding to a key to view its versions.
Key Vault: Name of the Azure key vault.
Key State: State of the key. The state can be Enabled or Disabled. Click the filter icon to view the list of Enabled or Disabled keys.
Region: Azure region where the key is created. Click the filter icon to view the list of supported Azure regions.
Status: Status of the key. The status can be:
• Available
• Soft Deleted
• Deleted
Algorithm: Name of the algorithm. Supported algorithms are:
• EC
• RSA
• EC-HSM
• RSA HSM
Origin: Source of the key material. The origin of the key can be:
• CCKM: Key material is created on CCKM.
• Native: Key material is created on the cloud.
• External (Unknown): Source of the key material is unknown. It is neither CCKM nor the native cloud.
Cloud: Name of the cloud. Supported clouds are:
• Azure Cloud
• Azure China Cloud
• Azure German Cloud
• Azure US Government
• Azure Stack
Backup: State of the backup of the key. If a backup of the key exists, the backup icon is visible.
Creation Date: Time when the key was created.
Sometimes, certain keys are displayed grayed out. This happens when the keys are no longer accessible from CCKM, for example, when:
The cloud permissions on the keys have changed, so the keys are no longer accessible through the Azure connection.
The connection has been changed, and the new connection does not have permission to access the keys.
Editing Azure Keys
To view or edit an Azure key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure. The list of available Azure keys is displayed.
Click the overflow icon corresponding to the desired alias and click View/Edit.
Configure the KEY SCHEDULES and manage the BACKUPS. Refer to KEY SCHEDULES and BACKUPS for details.
KEY SCHEDULES
To configure the key schedules, go to the KEY SCHEDULES section and select/enter the following details:
From the Select Rotation Schedule drop-down list, select a rotation schedule.
Select the key origin. The available options are CipherTrust (External), CipherTrust (Local), Native (Azure), Luna, and DSM. The remaining fields depend on the selected origin:
CipherTrust (External) or CipherTrust (Local):
Select the Key Type. The available options are RSA and RSA-HSM.
Select the Key Size. The available options are 2048, 3072, and 4096.
Native (Azure):
Select the Key Type. The available options are RSA, EC, RSA-HSM, and EC-HSM.
For EC and EC-HSM, select the Elliptic Curve Name. The available options are P-256, P-384, P-521, and SECP256K1.
Luna:
Select the Key Type. The available options are RSA and RSA-HSM.
Select the Key Size. The available options are 2048, 3072, and 4096.
Select the Partition.
DSM:
Select the Key Type. The available options are RSA and RSA-HSM.
Select the Key Size. The available options are 2048, 3072, and 4096.
Select the Domain.
Select Enabled if you want to enable the rotated key.
Click Update.
A message Key schedule updated successfully is displayed on the screen.
To set the key backup schedule:
From the Select Backup Schedule drop-down list, select a backup schedule.
Click Update.
BACKUPS
This section allows you to perform the following operations.
View all the backups of the Azure key.
Restore a service backup.
Retrieve the latest service backup date
Backup the Azure key.
Restore the backups of the Azure key.
Delete the backups of the Azure key.
Delete multiple backups of the Azure key.
Delete multiple backups of the Azure key by date.
To restore the service backup:
Click the overflow icon corresponding to the Service Backup and click Restore Backup. The Restore Backup dialog box is displayed.
Click Restore Backup.
To view the latest backup date of the service, click the Refresh icon to the left of the Service Backup.
To back up the Azure key:
Click Backup Now. The Backup Now dialog box is displayed.
(Optional) Enter the Backup Name.
(Optional) Enter the Description.
Note
CCKM users must have the Add Key or Upload Key permission on the vault. To add the permission, refer to Managing User Permissions on Azure Vaults.
Backup Now creates a backup of a cloud key manually, outside the backup schedule.
Backup Limit:
The default backup limit is 30.
You can change the limit at the domain level using the Updating CCKM Settings API. The limit then applies to all vaults in the domain.
You can change the limit at the vault level using the Adding Azure Vaults or Updating Azure Vaults APIs. The limit then applies to that vault only.
If the limit is set at both levels, the vault-level limit takes precedence.
Scheduled and manual backups count against the same limit. When the total exceeds the limit, the oldest backups are deleted automatically.
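The two rules in the Backup Limit note (the vault-level limit overrides the domain-level limit, and scheduled plus manual backups share one limit with the oldest removed first) are easy to get wrong when estimating how much backup history a key actually keeps. The following is an added example, not CCKM code, that models those rules on constructed backup records; the function and field names are this example's own, and the API names mentioned in the note are not called.

```python
"""Model of the CCKM backup limit rules described on this page.

Added example, not CCKM code. Vault-level limit overrides domain-level, which
overrides the default of 30; scheduled and manual backups count together, and
the oldest are removed once the total exceeds the effective limit.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

DEFAULT_BACKUP_LIMIT = 30


@dataclass(frozen=True)
class Backup:
    name: str
    created_at: datetime
    scheduled: bool  # False for a manual Backup Now backup


def effective_backup_limit(domain_limit: Optional[int], vault_limit: Optional[int]) -> int:
    """Vault-level limit wins over domain-level, which wins over the default."""
    for limit in (vault_limit, domain_limit):
        if limit is not None:
            if limit < 1:
                raise ValueError("backup limit must be at least 1")
            return limit
    return DEFAULT_BACKUP_LIMIT


def prune_backups(backups: list[Backup], limit: int) -> tuple[list[Backup], list[Backup]]:
    """Return (kept, deleted): the newest `limit` backups survive regardless of kind."""
    ordered = sorted(backups, key=lambda b: b.created_at, reverse=True)
    return ordered[:limit], ordered[limit:]


def sample_backups() -> list[Backup]:
    # Constructed history: four daily scheduled backups interleaved with two manual ones.
    start = datetime(2024, 1, 1)
    scheduled = [Backup(f"sched-{i}", start + timedelta(days=i), True) for i in range(4)]
    manual = [
        Backup("manual-0", start + timedelta(hours=12), False),
        Backup("manual-1", start + timedelta(days=5), False),
    ]
    return scheduled + manual


if __name__ == "__main__":
    limit = effective_backup_limit(domain_limit=10, vault_limit=4)  # vault level wins: 4
    kept, deleted = prune_backups(sample_backups(), limit)
    print([b.name for b in kept])     # ['manual-1', 'sched-3', 'sched-2', 'sched-1']
    print([b.name for b in deleted])  # ['manual-0', 'sched-0']
```

Note that a manual backup taken before the oldest scheduled one is the first to go; if you rely on a manual backup as a long-term restore point, the effective limit for that vault has to be sized for scheduled backups plus every manual backup you intend to keep.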
To restore a backup of the Azure key:
Click the overflow icon corresponding to the desired backup and click Restore Backup. The Restore Backup dialog box is displayed.
Click Restore Backup.
To delete a backup of the Azure key:
Click the overflow icon corresponding to the desired backup and click Delete Backup. The Delete Backup dialog box is displayed.
Click Delete Backup.
To delete multiple backups of the Azure key:
Select the desired backups from the list to delete.
Note
If you want to delete all the backups, select All.
Click Delete Selected. The Delete Backups dialog box is displayed.
Click Delete Backup.
To delete multiple backups of the Azure key by date:
Click Delete Backup by Date. The Delete Backup by Date dialog box is displayed.
Select the date range, From Date and To Date.
Click Delete Backups.
Refreshing Azure Keys
Refreshing is the process of downloading keys created on the Azure key vault to CCKM.
Note
If the key vault of the key has been deleted from the Azure Portal and refreshed on CCKM, the key cannot be refreshed and restored. To refresh and restore the key, create a new key vault on the Azure Portal, in the same region with the same name, and refresh it on CCKM.
Refreshing All Keys
Keys from all key vaults can be refreshed at once. To refresh all the Azure keys:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure.
Click the Keys tab. The list of available Azure keys is displayed.
Click Refresh. The This may take a while... message is displayed.
Note
Refresh is a time intensive operation that could take several hours or days to complete. It will continue running in the background. Do you want to continue?
Click Refresh to continue.
A message Refresh started... is displayed on the screen. The refreshed keys are listed on the Cloud Keys > Azure > Keys tab.
To cancel the refresh:
Click Cancel Refresh. The Cancel Refresh? message is displayed. The action will terminate all currently active refresh operations. All progress will be lost and this action cannot be undone. Do you want to proceed to cancel refresh or cancel this action?
Click Cancel Refresh.
A message Canceled Refresh is displayed on the screen.
Refreshing a Desired Key
You can refresh a desired key from the list. To refresh an Azure key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure.
Click the overflow icon corresponding to the desired alias and click Refresh.
A message Key refreshed successfully. is displayed on the screen.
Disabling Keys and Versions
You can disable the Azure keys and key versions.
Disabling Keys
If required, you can disable an enabled key. A disabled key cannot operate on data. To disable an Azure key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure.
Click the overflow icon corresponding to the desired key and click Disable. The Confirm Disable Key dialog box is displayed.
Click Disable.
A confirmation message is displayed on the screen. The Key State changes to Disabled.
Disabling Key Versions
If required, you can disable an enabled version of a key. A disabled version cannot operate on data. To disable an Azure key version:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure.
Click the expand icon to the left of the desired key.
Click the overflow icon corresponding to the desired version.
Click Disable. The Confirm Disable Version dialog box is displayed.
Click Disable.
A confirmation message is displayed on the screen. The Key State changes to Disabled.
Enabling Keys and Versions
You can enable the Azure keys and key versions.
Enabling Keys
If required, you can enable a disabled key. To enable an Azure key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure.
Click the overflow icon corresponding to the desired key and click Enable. The Confirm Enable Key dialog box is displayed.
Click Enable.
A confirmation message is displayed on the screen. The Key State changes to Enabled.
Enabling Key Versions
If required, you can enable a disabled version of a key. To enable an Azure key version:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure.
Click the expand icon to the left of the desired key.
Click the overflow icon corresponding to the desired version.
Click Enable. The Confirm Enable Version dialog box is displayed.
Click Enable.
A confirmation message is displayed on the screen. The Key State changes to Enabled.
Rotating Keys (Add Version)
Note
To rotate Azure keys, CCKM Users require Add Key and Upload Key permissions.
To rotate a key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure. The list of available Azure keys is displayed.
Click the overflow icon corresponding to the desired alias and click Rotate Now (Add Version). The Add New Version screen is displayed.
Select the Key Material Origin. Depending on your requirements, select an appropriate option and complete the source and destination key details as described for that origin under Adding Azure Keys.
A message Azure Key successfully rotated is displayed on the screen. Navigate to Cloud Keys > Azure > View/Edit > Versions to view the versions of the rotated Azure key.
Deleting Azure Keys
Keys in vaults that do not have soft delete enabled can be deleted directly from the Azure vaults using CCKM. For keys in vaults with soft delete enabled, see Soft-Deleting Azure Keys.
To delete an Azure key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure. The list of available Azure keys is displayed.
Click the overflow icon corresponding to the desired alias and click Delete. The Confirm Delete dialog box is displayed.
Click Delete.
A confirmation message is displayed on the screen. The key status changes to DELETED.
Soft-Deleting Azure Keys
Soft deleting marks an Azure key as deleted in the Azure vault and on CCKM without destroying the key material. Soft-deleted keys remain in the Azure vault and on CCKM with the status SOFT-DELETED, and can either be recovered (see Recovering Soft-Deleted Azure Keys) or permanently removed (see Purging Azure Keys).
Note
This operation can be performed only on Azure keys residing in key vaults that have soft delete enabled.
To soft-delete an Azure key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure. The list of available Azure keys is displayed.
Click the overflow icon corresponding to the desired alias and click Soft Delete. The Confirm Soft Delete dialog box is displayed.
Click Soft Delete.
A message key <key name> soft-deleted is displayed on the screen. The status of the key changes to SOFT-DELETED.
Recovering Soft-Deleted Azure Keys
If needed, you can recover a soft-deleted key.
To recover a soft-deleted Azure key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure. The list of available Azure keys is displayed.
Click the overflow icon corresponding to the desired alias and click Recover Soft Delete. The Confirm Recover Key dialog box is displayed.
Click Recover Key.
A message Key <key name> recovered from soft-delete. is displayed on the screen. The status of the key changes to AVAILABLE.
Purging Azure Keys
Purging permanently deletes a soft-deleted Azure key from the Azure vault. The key material in the vault cannot be recovered after a purge; however, if a backup of the key exists on CCKM, the key can be restored from that backup. To restore a purged key from its backup, follow the steps in Restoring Backup.
Note
This operation can be performed only on soft-deleted Azure keys residing in key vaults that have soft delete enabled.
To purge an Azure key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure. The list of available Azure keys is displayed.
Click the overflow icon corresponding to the desired alias and click Purge. The Purge Azure Key dialog box is displayed.
Select the I wish to purge this key. check box.
Click Purge Key.
Purging a key might take some time. After successful deletion, a message key <key name> hard deleted is displayed on the screen. The status of the key changes to DELETED.
If needed, you can restore a purged key from its backup. Refer to Restoring Backup for details.
Backing Up Azure Keys
Warning
The physical and virtual storage appliances have storage limits. Ensure that you have sufficient storage before enabling scheduled backups.
If you do not have sufficient storage, you can extend it. Refer to Resizing the Virtual Hard Disk After Deployment for details.
To backup an Azure key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure. The list of available Azure keys is displayed.
Click the overflow icon corresponding to the desired alias and click Backup Now. The Backup Now dialog box is displayed.
Note
Backup Now creates a backup of a cloud key manually, outside the backup schedule.
(Optional) Enter the Backup Name.
(Optional) Enter the Description.
Click Backup.
A message Backup created successfully for key <key name> is displayed on the screen.
Restoring Backup
To restore a purged Azure key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure. The list of available Azure keys is displayed.
Click the overflow icon corresponding to the desired alias and click Restore Backup. The Confirm Restore Key dialog box is displayed.
Select the desired key vault from the Select Vault drop-down list.
Note
Keys can be restored only to a vault in the same region as the original vault; cross-region restoration is not allowed.
Click Restore Key.
A message Key <key name> restored is displayed on the screen. The key is restored to the selected key vault. The key status changes to AVAILABLE.
Deleting Backup
Deleting a backup permanently removes the backup of a deleted Azure key from CCKM. After the backup is deleted, the key can no longer be restored from CCKM.
Note
This operation can be performed only on keys with the DELETED status. You can delete or purge keys to change their status to DELETED.
To delete the backup of an Azure key from CCKM:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure. The list of available Azure keys is displayed.
Click the overflow icon corresponding to the desired alias and click Delete Backup. The Hard Delete Azure Key dialog box is displayed.
Select the I wish to delete the backup of this key. check box.
Click Delete Key Backup.
A message Key <key name> backup deleted is displayed on the screen. The backup of the key is permanently deleted from CCKM.
Downloading Keys and Versions
Asymmetric RSA/RSA-HSM keys and their older versions with the status AVAILABLE can be downloaded to your local machines. Other keys cannot be downloaded.
Downloading Keys
To download an AVAILABLE asymmetric RSA/RSA-HSM key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure. The list of available Azure keys is displayed.
Click the overflow icon corresponding to the desired key and click Download Key. The key is downloaded.
Downloading Key Versions
To download an older version of an AVAILABLE asymmetric RSA/RSA-HSM key:
Open the Cloud Key Manager application.
In the left pane, click Cloud Keys > Azure. The list of available Azure keys is displayed.
Click the expand icon corresponding to the desired key. The Older Versions are displayed.
Click the overflow icon corresponding to the desired key version and click Download Key. The key version is downloaded.
Alternatively, click the key link under the Key Name field to view the key details. Scroll down to the VERSIONS section.
Note
If an exportable Luna HSM key is created on Azure cloud, and the synchronization operation is performed on CCKM, the Exportable field under VERSIONS does not show any value for the key.
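The procedures from Deleting Azure Keys through Downloading Keys and Versions each carry a precondition that the wizard dialogs enforce for you: soft delete only in a vault with soft delete enabled, recover and purge only for a SOFT-DELETED key, restore only from an existing backup and never across regions, backup deletion only for a DELETED key, and download only for an AVAILABLE RSA/RSA-HSM key. Anyone scripting these operations has to re-enforce them. The following is an added example, not CCKM code, that models those rules as guard checks on a constructed key object so a script fails closed instead of discovering the rule from an error after the fact; the class, function and vault names are this example's own.

```python
"""Preconditions for the Azure key lifecycle operations described on this page.

Added example, not CCKM code. Models the documented rules (soft delete only in
vaults with soft delete enabled, purge and recover only for soft-deleted keys,
backup deletion only for DELETED keys, no cross-region restore, download only
for AVAILABLE RSA/RSA-HSM keys). Vaults, keys and names are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

AVAILABLE, SOFT_DELETED, DELETED = "AVAILABLE", "SOFT-DELETED", "DELETED"
DOWNLOADABLE_ALGORITHMS = {"RSA", "RSA-HSM"}


class LifecycleError(Exception):
    """Raised when an operation is not permitted for the key's current state."""


@dataclass
class Vault:
    name: str
    region: str
    soft_delete_enabled: bool


@dataclass
class AzureKey:
    name: str
    vault: Vault
    algorithm: str
    status: str = AVAILABLE
    has_backup: bool = False


def _require_status(key: AzureKey, status: str, op: str) -> None:
    if key.status != status:
        raise LifecycleError(f"{op}: key {key.name} is {key.status}, expected {status}")


def delete(key: AzureKey) -> None:
    """Direct delete, the documented path for vaults without soft delete."""
    _require_status(key, AVAILABLE, "delete")
    key.status = DELETED


def soft_delete(key: AzureKey) -> None:
    if not key.vault.soft_delete_enabled:
        raise LifecycleError(f"soft delete: vault {key.vault.name} has soft delete disabled")
    _require_status(key, AVAILABLE, "soft delete")
    key.status = SOFT_DELETED


def recover(key: AzureKey) -> None:
    _require_status(key, SOFT_DELETED, "recover")
    key.status = AVAILABLE


def purge(key: AzureKey) -> None:
    """Removes the material from the vault for good; a CCKM backup may remain."""
    _require_status(key, SOFT_DELETED, "purge")
    key.status = DELETED


def backup_now(key: AzureKey) -> None:
    key.has_backup = True


def restore_backup(key: AzureKey, target: Vault) -> None:
    if not key.has_backup:
        raise LifecycleError(f"restore: no CCKM backup exists for {key.name}")
    if target.region != key.vault.region:
        raise LifecycleError(f"restore: {target.region} != {key.vault.region}; cross-region restore is not allowed")
    key.vault = target
    key.status = AVAILABLE


def delete_backup(key: AzureKey) -> None:
    _require_status(key, DELETED, "delete backup")  # only DELETED keys
    key.has_backup = False


def can_download(key: AzureKey) -> bool:
    return key.status == AVAILABLE and key.algorithm in DOWNLOADABLE_ALGORITHMS


if __name__ == "__main__":
    eastus = Vault("kv-prod-eus", "eastus", soft_delete_enabled=True)
    key = AzureKey("app-signing", eastus, "RSA-HSM")
    backup_now(key)
    soft_delete(key)
    purge(key)
    try:
        restore_backup(key, Vault("kv-dr-wus", "westus", soft_delete_enabled=True))
    except LifecycleError as err:
        print(err)  # cross-region restore refused
    restore_backup(key, Vault("kv-prod-eus-2", "eastus", soft_delete_enabled=True))
    print(key.status, key.vault.name)  # AVAILABLE kv-prod-eus-2
```

The ordering in the demo is the one the page describes: take a backup while the key is still AVAILABLE, because after a purge the CCKM backup is the only way back, and a restore into a vault in another region is refused outright rather than silently creating a key in the wrong place.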