Adding a Key Broker for Azure Service
This section describes how to create (deploy) a Key Broker for Azure service in the DPoD offering.
You require a DPoD subscriber tenant to provision a CipherTrust Data Security Platform service. See Register a Subscriber Tenant for more information about creating a DPoD subscriber tenant.
Create a Key Broker for Azure Service
- Log in to your DPoD enterprise tenant as a user with tenant administrator or application owner privileges.
- Open the Services tab and select the Add Service heading. Navigate the marketplace categories and click Create Service on the service that you would like to provision. If you have not submitted a Service Elections form or previously completed a trial for the service, the option is displayed as Try Service.
- You are prompted to redirect to the Azure authentication portal. Click Go to Azure. The Azure authentication dialog is displayed.
- Log in as an Azure user with access to Azure Key Vault. You are asked to allow DPoD access to Azure Key Vault.
- Select the Consent on behalf of your organization check box and click Accept to allow the Key Broker for Azure service to access the listed resources. This consent is required for the service to operate.
- You are returned to the DPoD "Add Service" wizard. Review the Terms of Service and click Next.
- On the Configure Service page, enter the required criteria for the service. Click Next.
- Specify the Azure Resource Group in which you want the Key Vault to be placed.
  - To create a new Resource Group in Azure, select the Create a new group radio button, then enter a name for the Resource Group in the New group name field. From the Select Database Location drop-down, select the database region in which you want Azure to create the Resource Group.
  - To use an existing Azure Resource Group, select the Select an existing group radio button, then select the Resource Group from the Select group drop-down.
  Note: "Group", in this context, refers to an Azure Resource Group.
- Enter a postfix for the Key Vault name in the New Key Vault Name field. The Key Vault name is always prefixed with "dpod-" followed by some random characters, so it does not conflict with any existing Key Vault. Then select the I understand and accept that the creation of a new Key Vault may incur premium costs in my Azure account. check box and click Next.
- Review the configuration summary page and, if you are satisfied, click Finish. To adjust the service configuration, click Go Back.
DPoD initializes provisioning of the service; this may take a few moments. After provisioning completes, the service is listed in the View Services table in DPoD with the Provisioned status. The service details page provides an overview of the service and the associated Azure User ID, Resource Group, and Key Vault. These account details are needed when accessing the keys through the Azure Portal.

The next step is to generate a key for the Azure Key Vault. See Generating a Key and Importing it to Azure Key Vault for more information.
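The consent step above grants the DPoD application access to Key Vault, so once the service shows as Provisioned it is worth confirming from the Azure side that the vault landed in the intended Resource Group and that only the expected principals can reach it. The script below is an added example, not part of the DPoD documentation or the Key Broker service itself. It assumes the Azure CLI (`az`) is installed and logged in to the same Azure tenant used during the consent step, and it takes the Resource Group name shown on the service details page as its only argument; the vault name check relies solely on the documented "dpod-" prefix.

```shell
#!/usr/bin/env bash
# Added example (not DPoD's own code): verify the Key Vault created by the
# Key Broker for Azure service and review who has access to it.
# Assumes: Azure CLI installed and logged in; argument 1 is the Resource Group
# name copied from the DPoD service details page.
set -eu

# The documentation states the vault name always begins with "dpod-" followed
# by random characters. Pure shell check, no Azure call, so it can be tested
# offline; the exact form of the random part is not specified by the page.
is_dpod_vault_name() {
  case "$1" in
    dpod-*) return 0 ;;
    *)      return 1 ;;
  esac
}

# Vaults in the Resource Group whose name carries the DPoD prefix
# (normally exactly one per provisioned service).
list_dpod_vaults() {
  rg="$1"
  az keyvault list --resource-group "$rg" \
    --query "[?starts_with(name, 'dpod-')].name" -o tsv
}

# Show where the vault lives and how access is governed. A vault uses either
# classic access policies (properties.accessPolicies) or Azure RBAC
# (properties.enableRbacAuthorization == true); review whichever applies and
# confirm only the DPoD application and your own administrators are present.
audit_dpod_vault() {
  rg="$1"; vault="$2"
  is_dpod_vault_name "$vault" || { echo "not a DPoD vault: $vault" >&2; return 1; }

  echo "== $vault (resource group: $rg) =="
  az keyvault show --name "$vault" --resource-group "$rg" \
    --query "{location:location, rbacEnabled:properties.enableRbacAuthorization, accessPolicyObjectIds:properties.accessPolicies[].objectId}" \
    -o json

  # RBAC role assignments scoped at or above the vault (inherited ones from
  # the Resource Group or subscription also grant access, so include them).
  vault_id=$(az keyvault show --name "$vault" --resource-group "$rg" --query id -o tsv)
  az role assignment list --scope "$vault_id" --include-inherited \
    --query "[].{principal:principalName, role:roleDefinitionName, scope:scope}" -o table

  # Keys currently held in the vault. Immediately after provisioning this list
  # is expected to be empty until a key is generated and imported.
  az keyvault key list --vault-name "$vault" --query "[].name" -o tsv \
    || echo "(caller lacks permission to list keys in $vault)" >&2
}

# Usage: ./audit-dpod-vault.sh <resource-group-from-service-details-page>
if [ "$#" -ge 1 ]; then
  for v in $(list_dpod_vaults "$1"); do
    audit_dpod_vault "$1" "$v"
  done
fi
```

Run it once right after provisioning to record the baseline (location, access model, principals) and again after completing the key generation step, so any later change to the vault's access configuration stands out against a known-good state.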