Key Broker for Azure Service
The Key Broker for Azure service is a Data Protection on Demand service offering. It generates high-entropy keys and securely imports them into the user's Microsoft Azure Key Vault where the keys can be used to enhance data protection and compliance, for example using Azure Information Protection to encrypt Office 365 documents.
Using Azure Key Vault to manage keys requires an Azure subscription. To use an HSM-protected key in Azure Key Vault, you must use the Azure Key Vault Premium service tier.
We recommend reviewing the BYOK details for Azure Information Protection to familiarize yourself with how to use Bring Your Own Key to protect your data using Key Vaults.
This guide describes how to configure and use the DPoD Key Broker for Azure service. It contains the following sections:
- Creating a DPoD Key Broker for Azure Service
- Generating a key and importing it to Azure Key Vault
- Deleting a Key Broker for Azure Service
Service details for the Key Broker for Azure service are covered in the section Key Broker for Azure Service Details.
This section summarizes system requirements to use the Key Broker for Azure service.
DPoD is a cloud-based service and requires an internet connection to operate. Because DPoD communicates over HTTPS, communication with DPoD requires outbound access on port 443 and access to DNS services.
Accessing the Key Broker for Azure service requires an active internet connection. The following browsers are supported:
- Google Chrome
- Mozilla Firefox
- Microsoft Edge
Before beginning the Key Broker for Azure service deployment, be aware of the following requirements:
DPoD Application Owner Account
You need a DPoD application owner account to create and manage a Key Broker for Azure service. If you do not have application owner level access, please ask your tenant administrator for help.
Key Broker for Azure tile access
If the Key Broker for Azure service tile is not visible on your DPoD platform under "Add New Service", please contact your service provider or the Thales DPoD customer support team to activate the service.
Microsoft Azure Account
To use the Key Broker for Azure service, you will need an active Microsoft "organizational account" (an account associated with an Azure Active Directory, "AAD" for short) with the following permissions:
- access to your Microsoft Azure subscription (at minimum with a "Contributor" role)
- access to Azure Managed Applications
- ability to create/manage Azure Key Vaults
- ability to create/manage keys inside Key Vaults
We recommend you create a Key Vault using the Microsoft Azure portal to verify your configuration and setup before attempting to deploy the Key Broker for Azure Service through your DPoD tenant.
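As an added example (not part of this guide, nor Thales or Microsoft tooling), the following Azure CLI script performs the pre-flight check recommended above: it confirms Contributor-level access on the subscription, creates a Premium-tier Key Vault and verifies that an HSM-protected key can be created in it. It assumes the Azure CLI is installed and logged in; the resource group, vault name and region are placeholders.

```shell
#!/bin/sh
# Added pre-flight check, not Thales or Microsoft code. Confirms the account and
# vault prerequisites described above before a Key Broker for Azure deployment.
# Assumes the Azure CLI ("az") is installed and logged in ("az login"). The
# resource group, vault name and region are constructed placeholders.
set -eu

RG="${RG:-kb-preflight-rg}"
VAULT="${VAULT:-kb-preflight-kv-01}"   # must be globally unique
LOCATION="${LOCATION:-westeurope}"

# Azure Key Vault naming rules: 3-24 characters, letters, digits and hyphens,
# starting with a letter, ending with a letter or digit, no consecutive hyphens.
vault_name_valid() {
  n="$1"
  [ "${#n}" -ge 3 ] && [ "${#n}" -le 24 ] || return 1
  case "$n" in *--*) return 1 ;; esac
  printf '%s\n' "$n" | grep -Eq '^[A-Za-z][A-Za-z0-9-]*[A-Za-z0-9]$'
}

# Takes the role names assigned at subscription scope (one per line) and succeeds
# only if Contributor or higher (Owner) is present, the minimum required above.
has_contributor_access() {
  printf '%s\n' "$1" | grep -Eqx 'Contributor|Owner'
}

preflight() {
  vault_name_valid "$VAULT" || { echo "invalid vault name: $VAULT" >&2; return 1; }
  sub=$(az account show --query id -o tsv)
  upn=$(az ad signed-in-user show --query userPrincipalName -o tsv)
  roles=$(az role assignment list --assignee "$upn" \
            --scope "/subscriptions/$sub" --query "[].roleDefinitionName" -o tsv)
  has_contributor_access "$roles" || { echo "$upn lacks Contributor on $sub" >&2; return 1; }

  az group create --name "$RG" --location "$LOCATION" -o none
  # Premium SKU is what allows HSM-protected keys (Standard tier rejects them).
  az keyvault create --name "$VAULT" --resource-group "$RG" \
     --location "$LOCATION" --sku premium -o none
  # Creating an HSM-protected key proves both the Premium tier and the key
  # permission in one step. A "Forbidden" error here means the account can manage
  # the vault but lacks key permissions (access policy or Key Vault Crypto Officer).
  az keyvault key create --vault-name "$VAULT" --name preflight-test \
     --protection hsm -o none
  az keyvault key delete --vault-name "$VAULT" --name preflight-test -o none
  echo "pre-flight OK: $VAULT (premium) in subscription $sub"
}

# Only run against Azure when asked, so the functions can also be sourced/tested.
case "${1:-}" in --run) preflight ;; esac
```

Run it as `sh preflight.sh --run`; the test key is deleted afterwards, but the vault and resource group are left in place for you to inspect or reuse.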
For more information about creating an "organizational account" see the section Creating an Azure organizational account.
Visit Microsoft Azure for more information about account types, pricing, and managing subscriptions.