Key Broker for Azure Service



The Key Broker for Azure service is no longer available for provisioning. Improved key broker abilities are available through the CipherTrust Cloud Key Manager (CCKM), part of the CipherTrust Data Security Platform as a Service (CDSPaaS) tile.

See the End-of-Sale Announcement and the CDSPaaS Service Documentation for more information.

The Key Broker for Azure service is a Data Protection on Demand service offering. It generates high-entropy keys and securely imports them into the user's Microsoft Azure Key Vault, where the keys can be used to enhance data protection and compliance, for example by using Azure Information Protection to encrypt Office 365 documents.


Using Azure Key Vault to manage keys requires an Azure subscription. To use an HSM-protected key in Azure Key Vault, you must use the Azure Key Vault Premium service tier.

We recommend reviewing the BYOK details for Azure Information Protection to familiarize yourself with how to use Bring Your Own Key to protect your data using Key Vaults.

This guide describes how to configure and use the DPoD Key Broker for Azure service. It contains the following sections:

Service details for the Key Broker for Azure service are covered in the section Key Broker for Azure Service Details

System Requirements

This section summarizes system requirements to use the Key Broker for Azure service.

DPoD is a cloud-based service and requires an internet connection to operate. DPoD communicates over HTTPS, so communications with DPoD require access to outgoing port 443 and DNS services.

Accessing the Key Broker for Azure service requires an active internet connection. The following browsers are supported:

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Edge


Before beginning the Key Broker for Azure service deployment, be aware of the following requirements:

DPoD Application Owner Account

You need a DPoD application owner account to create and manage a Key Broker for Azure service. If you do not have application owner level access, please ask your tenant administrator for help.

Key Broker for Azure tile access

If the Key Broker for Azure service tile is not visible on your DPoD platform under "Add Service", please contact your service provider or the Thales DPoD customer support team to activate the service.

Microsoft Azure Account

To use the Key Broker for Azure service, you will need an active Microsoft "organizational account" (an account that is associated with an Azure Active Directory, in short "AAD") with the following permissions:

  • access to your Microsoft Azure subscription (at minimum with a "Contributor" role)
  • access to Azure Managed Applications
  • ability to create/manage Azure Key Vaults
  • ability to create/manage keys inside Key Vaults


We recommend you create a Key Vault using the Microsoft Azure portal to verify your configuration and setup before attempting to deploy the Key Broker for Azure Service through your DPoD tenant.

For more information about creating an "organizational account" see the section Creating an Azure organizational account.

Visit Microsoft Azure for more information about account types, pricing, and managing Azure subscriptions.