Generating a Key and Importing it to Azure Key Vault
This section describes how to generate a key in the Key Broker for Azure service. Generating a key will automatically import the key into an Azure Key Vault. As part of this guide, we will verify that the key is successfully stored in the Azure Key Vault.
Generate a key in the Key Broker for Azure Service
If you haven't already, log in to DPoD with an account that has application owner privileges.
Under My Services, click on the name of the Key Broker for Azure service (with "Service Type" of "Azure").
Click the Generate Key button above the Keys table.
After a short wait, a new key is generated and added into the Keys table. To find it, look for the current time stamp in the "Created At" column.
Verify that the generated key is successfully imported into Azure Key Vault
On the DPoD Key Broker for Azure service details page, there are several pieces of information that refer to Azure:
- Azure User ID
- Azure Resource Group
- Azure Key Vault
- Azure Key Identifier (a URL in the Keys table, for each key)
Make note of the above pieces of information from the DPoD Key Broker for Azure service page. See the Key Broker for Azure Service Details page for more information about accessing these details.
For the rest of the document, we refer to the DPoD Key Broker for Azure service as the "DPoD service".
Log in to the Azure Portal using the Azure User ID associated with the DPoD service.
In the Azure Portal, navigate to the Resource group associated with the DPoD service.
You should now see the Azure Resource Group page with all the Azure resources listed.
Open the Key Vault used by the DPoD service based on the previously noted Azure Key Vault name.
Click Keys in the Key Vault menu.
You should see the list of keys stored in that Key Vault. If you created a new Key Vault as part of the DPoD service creation, you should only see keys generated by that DPoD service. If you selected a previously existing Key Vault for the DPoD service, you will see keys generated by that DPoD service along with other keys.
You can identify keys generated by a DPoD service, because their name will start with the letters "DPOD".
The Azure Key Name is not displayed separately on the DPoD service page, but you can find it as part of the Azure Key Identifier. The Azure Key Name is the string that follows https://...vault.azure.net/keys/ and ends before the next / character. As mentioned above, it starts with DPOD. Once you have found the Azure Key Name, click it on the Azure Portal Key Vault Keys page.
You should now see the Key Versions page.
The Azure Key Version can also be found inside the DPoD Azure Key Identifier. It is the last segment, following the Azure Key Name after the final / character. Initially there will be only one version of the key. Once you have found the Azure Key Version, click it on the Azure Portal Key Vault Key Versions page.
Now you should see the Key Versions page.
Find the Key Identifier and compare it with the one you made note of in the first step of this process.
The DPoD Azure Key Identifier and Key Identifier from the Azure Portal should match.
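The comparison above can be done by eye, but the key identifier is long and a single wrong character in the name or version means you are looking at a different key. The following script is an added example, not part of this guide or of the DPoD product: it splits a key identifier into vault host, key name and version using the rule described above (the name is the segment after /keys/, the version is the final segment), checks that the name carries the DPOD prefix, and compares the identifier noted from the DPoD service page with the one shown in the Azure Portal. The vault name, key name and version in the sample identifiers are constructed placeholders, not values from any real Key Vault.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Prefix the guide says DPoD-generated key names begin with.
DPOD_KEY_NAME_PREFIX = "DPOD"


@dataclass(frozen=True)
class KeyIdentifier:
    vault_host: str          # e.g. examplevault.vault.azure.net (lower-cased)
    key_name: str            # segment after /keys/
    key_version: Optional[str]  # final segment, or None if the id carries no version


def parse_key_identifier(identifier: str) -> KeyIdentifier:
    """Split https://<vault>.vault.azure.net/keys/<name>[/<version>] into parts.

    Raises ValueError when the string does not have that shape, so a pasted
    value that is not a key identifier at all is rejected rather than
    silently compared.
    """
    url = urlparse(identifier.strip())
    if url.scheme != "https" or not url.netloc:
        raise ValueError(f"not an https key identifier: {identifier!r}")
    # Drop empty segments so a trailing slash does not change the result.
    segments = [s for s in url.path.split("/") if s]
    if len(segments) not in (2, 3) or segments[0].lower() != "keys":
        raise ValueError(f"unexpected path in key identifier: {url.path!r}")
    version = segments[2] if len(segments) == 3 else None
    # Host names are case-insensitive; key name and version are kept as given.
    return KeyIdentifier(url.netloc.lower(), segments[1], version)


def is_dpod_key_name(identifier: str) -> bool:
    """True when the key name in the identifier starts with DPOD."""
    return parse_key_identifier(identifier).key_name.startswith(DPOD_KEY_NAME_PREFIX)


def identifiers_match(dpod_identifier: str, portal_identifier: str) -> bool:
    """Compare the identifier noted from the DPoD service page with the one
    read from the Azure Portal. Key Vault object names are case-insensitive,
    so the name and version are compared without regard to case (assumption
    made for this example)."""
    a = parse_key_identifier(dpod_identifier)
    b = parse_key_identifier(portal_identifier)
    if a.key_version is None or b.key_version is None:
        # A version-less identifier refers to "latest" and cannot be pinned
        # to the version shown on the Key Versions page.
        return False
    return (
        a.vault_host == b.vault_host
        and a.key_name.lower() == b.key_name.lower()
        and a.key_version.lower() == b.key_version.lower()
    )


# Constructed sample identifiers (placeholder vault, name and version).
SAMPLE_DPOD_ID = (
    "https://examplevault.vault.azure.net/keys/"
    "DPOD-example-key/0123456789abcdef0123456789abcdef"
)
SAMPLE_PORTAL_ID = (
    "https://ExampleVault.vault.azure.net/keys/"
    "DPOD-example-key/0123456789abcdef0123456789abcdef/"
)

if __name__ == "__main__":
    parsed = parse_key_identifier(SAMPLE_DPOD_ID)
    print(f"vault host : {parsed.vault_host}")
    print(f"key name   : {parsed.key_name}")
    print(f"key version: {parsed.key_version}")
    print(f"DPOD key   : {is_dpod_key_name(SAMPLE_DPOD_ID)}")
    print(f"match      : {identifiers_match(SAMPLE_DPOD_ID, SAMPLE_PORTAL_ID)}")
```

Paste the value from the DPoD Keys table as the first argument and the Key Identifier from the Azure Portal key version page as the second; a False result means you are not looking at the key DPoD generated, and the name and version printed by the parser tell you which segment differs.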
After configuring the Azure Key Vault to use the Key Broker for Azure service, you can use PowerShell to access the Key Vault in the Azure Resource Group and manage or use your keys. For more information about proceeding with the Key Broker for Azure service keys, refer to the Azure documentation for your use case. In addition, refer to the following resources for more information about activating the key for your use case: