
Commit 1feab46

Merge pull request #105177 from ktoliver/1678950-b
edit pass: hsm-protected-keys-vendor-agnostic-byok.md
2 parents d5415a7 + b7026fc commit 1feab46

File tree

1 file changed

+53
-43
lines changed

Lines changed: 53 additions & 43 deletions
@@ -1,6 +1,6 @@
11
---
22
title: How to generate and transfer HSM-protected keys for Azure Key Vault - Azure Key Vault | Microsoft Docs
3-
description: Use this article to help you plan for, generate, and then transfer your own HSM-protected keys to use with Azure Key Vault. Also known as BYOK or bring your own key.
3+
description: Use this article to help you plan for, generate, and transfer your own HSM-protected keys to use with Azure Key Vault. Also known as bring your own key (BYOK).
44
services: key-vault
55
author: amitbapat
66
manager: devtiw
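Review bot: the rewritten `description` (line 3+) still ends in the fragment "Also known as bring your own key (BYOK)." with no subject; since this is the text search engines and the docs index show, consider folding it into the sentence, e.g. "...to use with Azure Key Vault, a scenario also known as bring your own key (BYOK)." The title on line 2 is unchanged and does not mention that the procedure is in preview, while the H1 later in the file does; aligning the two would avoid surprising readers who arrive from search.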
@@ -16,107 +16,117 @@ ms.author: ambapat
1616
# Import HSM-protected keys to Key Vault (preview)
1717

1818
> [!NOTE]
19-
> This feature is in preview and only available in **East US 2 EUAP** and **Central US EUAP** regions.
19+
> This feature is in preview and available only in the Azure regions *East US 2 EUAP* and *Central US EUAP*.
2020
21-
For added assurance when using Azure Key Vault, you can import or generate keys in hardware security modules (HSMs) that never leave the HSM boundary. This scenario is often referred to as *bring your own key*, or BYOK. Azure Key Vault uses nCipher nShield family of HSMs (FIPS 140-2 Level 2 validated) to protect your keys.
21+
For added assurance when you use Azure Key Vault, you can import or generate a key in a hardware security module (HSM); the key will never leave the HSM boundary. This scenario often is referred to as *bring your own key* (BYOK). Key Vault uses the nCipher nShield family of HSMs (FIPS 140-2 Level 2 validated) to protect your keys.
2222

23-
Use the information in this topic to help you plan for, generate, and then transfer your own HSM-protected keys to use with Azure Key Vault.
23+
Use the information in this article to help you plan for, generate, and transfer your own HSM-protected keys to use with Azure Key Vault.
2424

2525
> [!NOTE]
2626
> This functionality is not available for Azure China 21Vianet.
2727
>
28-
> This import method is only available for [supported HSMs](#supported-hsms).
28+
> This import method is available only for [supported HSMs](#supported-hsms).
2929
30-
For more information about Azure Key Vault, see [What is Azure Key Vault?](key-vault-overview.md) For a getting started tutorial, which includes creating a key vault for HSM-protected keys, see [What is Azure Key Vault?](key-vault-overview.md).
30+
For more information, and for a tutorial to get started using Key Vault (including how to create a key vault for HSM-protected keys), see [What is Azure Key Vault?](key-vault-overview.md).
3131

3232
## Overview
3333

34-
* Generate a key (referred to as Key Exchange Key or KEK) in key vault. This must be an RSA-HSM key with 'import' as the only key operation. Only key vault premium SKU supports RSA-HSM keys.
35-
* Download the public key of KEK as a .pem file
36-
* Transfer KEK public key to your offline workstation connected to on-premise HSM.
37-
* From your offline workstation, use the BYOK tool provided by your HSM vendor to create a BYOK file.
38-
* The target key is encrypted with a KEK, which stays encrypted until it is transferred to the Azure Key Vault HSMs. Only the encrypted version of your key leaves the on-premise HSM.
39-
* The KEK that is generated inside the Azure Key Vault HSMs and is not exportable. The HSMs enforce that there can be no clear version of the KEK outside the Key Vault HSMs.
40-
* The KEK must be in the same key vault where the target key is to be imported.
41-
* When the BYOK file is uploaded to Key Vault, Key Vault HSMs use the KEK private key to decrypt the target key material and import it as an HSM key. This operation happens entirely inside Key Vault HSMs and the target key always remains in the HSM protection boundary.
34+
Here's an overview of the process. Specific steps to complete are described later in the article.
35+
36+
* In Key Vault, generate a key (referred to as a *Key Exchange Key* (KEK)). The KEK must be an RSA-HSM key that has only the `import` key operation. Only Key Vault Premium SKU supports RSA-HSM keys.
37+
* Download the KEK public key as a .pem file.
38+
* Transfer the KEK public key to an offline computer that is connected to an on-premises HSM.
39+
* In the offline computer, use the BYOK tool provided by your HSM vendor to create a BYOK file.
40+
* The target key is encrypted with a KEK, which stays encrypted until it is transferred to the Key Vault HSM. Only the encrypted version of your key leaves the on-premises HSM.
41+
* A KEK that's generated inside a Key Vault HSM is not exportable. HSMs enforce the rule that no clear version of a KEK exists outside a Key Vault HSM.
42+
* The KEK must be in the same key vault where the target key will be imported.
43+
* When the BYOK file is uploaded to Key Vault, a Key Vault HSM uses the KEK private key to decrypt the target key material and import it as an HSM key. This operation happens entirely inside a Key Vault HSM. The target key always remains in the HSM protection boundary.
4244

4345
## Prerequisites
4446

45-
See the following table for a list of prerequisites for bring your own key (BYOK) for Azure Key Vault.
47+
The following table lists prerequisites for using BYOK in Azure Key Vault:
4648

4749
| Requirement | More information |
4850
| --- | --- |
49-
| A subscription to Azure |To create an Azure Key Vault, you need an Azure subscription: [Sign up for free trial](https://azure.microsoft.com/pricing/free-trial/) |
50-
| A key vault (Premium SKU) to import HSM-protected keys |For more information about the service tiers and capabilities for Azure Key Vault, see the [Azure Key Vault Pricing](https://azure.microsoft.com/pricing/details/key-vault/) website. |
51-
| An HSM from supported HSMs list along with BYOK tool and instructions provided by your HSM vendor | You must have access to a Hardware Security Module and basic operational knowledge of your HSMs. See [Supported HSMs](#supported-hsms). |
52-
| Azure CLI version 2.1.0 or newer | Please see [Install the Azure CLI](/cli/azure/install-azure-cli?view=azure-cli-latest) for more information.|
51+
| An Azure subscription |To create a key vault in Azure Key Vault, you need an Azure subscription. [Sign up for a free trial](https://azure.microsoft.com/pricing/free-trial/). |
52+
| A Key Vault Premium SKU to import HSM-protected keys |For more information about the service tiers and capabilities in Azure Key Vault, see [Key Vault Pricing](https://azure.microsoft.com/pricing/details/key-vault/). |
53+
| An HSM from the supported HSMs list and a BYOK tool and instructions provided by your HSM vendor | You must have permissions for an HSM and basic knowledge of how to use your HSM. See [Supported HSMs](#supported-hsms). |
54+
| Azure CLI version 2.1.0 or later | See [Install the Azure CLI](/cli/azure/install-azure-cli?view=azure-cli-latest).|
5355

5456
## Supported HSMs
5557

56-
|HSM Vendor Name|Supported HSM models|Additional details|
58+
|HSM vendor name|Supported HSM models|More information|
5759
|---|---|---|
58-
|Thales|SafeNet Luna HSM 7 family with firmware version 7.3 or newer| [SafeNet Luna BYOK tool and documentation](https://supportportal.thalesgroup.com/csm?id=kb_article_view&sys_kb_id=3892db6ddb8fc45005c9143b0b961987&sysparm_article=KB0021016)|
59-
60+
|Thales|SafeNet Luna HSM 7 family with firmware version 7.3 or later| [SafeNet Luna BYOK tool and documentation](https://supportportal.thalesgroup.com/csm?id=kb_article_view&sys_kb_id=3892db6ddb8fc45005c9143b0b961987&sysparm_article=KB0021016)|
6061

6162
> [!NOTE]
62-
> To import HSM-protected keys from nCipher nShield family of HSMs [Use legacy BYOK procedure](hsm-protected-keys-legacy.md)
63+
> To import HSM-protected keys from the nCipher nShield family of HSMs, use the [legacy BYOK procedure](hsm-protected-keys-legacy.md).
6364
65+
## Supported key types
6466

65-
## Generate and transfer your key to Azure Key Vault HSM
67+
|Key name|Key type|Key size|Origin|Description|
68+
|---|---|---|---|---|
69+
|Key Exchange Key (KEK)|RSA| 2,048-bit<br />3,072-bit<br />4,096-bit|Azure Key Vault HSM|An HSM-backed RSA key pair generated in Azure Key Vault|
70+
|Target key|RSA|2,048-bit<br />3,072-bit<br />4,096-bit|Vendor HSM|The key to be transferred to the Azure Key Vault HSM|
6671

67-
You will use the following steps to generate and transfer your key to an Azure Key Vault HSM:
72+
## Generate and transfer your key to the Key Vault HSM
73+
74+
To generate and transfer your key to a Key Vault HSM:
6875

6976
* [Step 1: Generate a KEK](#step-1-generate-a-kek)
70-
* [Step 2: Download KEK public key](#step-2-download-kek-public-key)
77+
* [Step 2: Download the KEK public key](#step-2-download-the-kek-public-key)
7178
* [Step 3: Generate and prepare your key for transfer](#step-3-generate-and-prepare-your-key-for-transfer)
7279
* [Step 4: Transfer your key to Azure Key Vault](#step-4-transfer-your-key-to-azure-key-vault)
7380

7481
### Step 1: Generate a KEK
7582

76-
The KEK (Key Exchange Key) is an RSA key generated in Key Vault's HSM. This key is used to encrypt the key to be imported (target key).
77-
78-
KEK must be:
79-
1. an **RSA-HSM** key (2048-bit or 3072-bit or 4096-bit)
80-
2. generated in the same key vault where you intend to import the target key
81-
3. created with allowed key operations set to **import**
83+
A KEK is an RSA key that's generated in a Key Vault HSM. The KEK is used to encrypt the key you want to import (the *target* key).
8284

83-
Use the [az keyvault key create](/cli/azure/keyvault/key?view=azure-cli-latest#az-keyvault-key-create) command to create KEK with key operations set to import. Note down the key identifier 'kid' returned from the below command. You'll need it in [Step 3](#step-3-generate-and-prepare-your-key-for-transfer).
85+
The KEK must be:
86+
- An RSA-HSM key (2,048-bit; 3,072-bit; or 4,096-bit)
87+
- Generated in the same key vault where you intend to import the target key
88+
- Created with allowed key operations set to `import`
8489

90+
Use the [az keyvault key create](/cli/azure/keyvault/key?view=azure-cli-latest#az-keyvault-key-create) command to create a KEK that has key operations set to `import`. Record the key identifier (`kid`) that's returned from the following command. (You will use the `kid` value in [Step 3](#step-3-generate-and-prepare-your-key-for-transfer).)
8591

8692
```azurecli
8793
az keyvault key create --kty RSA-HSM --size 4096 --name KEKforBYOK --ops import --vault-name ContosoKeyVaultHSM
8894
```
8995

90-
### Step 2: Download KEK public key
96+
### Step 2: Download the KEK public key
9197

92-
Use the [az keyvault key download](/cli/azure/keyvault/key?view=azure-cli-latest#az-keyvault-key-download) to download the KEK public key into a .pem file. The target key you import is encrypted using the KEK public key.
98+
Use [az keyvault key download](/cli/azure/keyvault/key?view=azure-cli-latest#az-keyvault-key-download) to download the KEK public key to a .pem file. The target key you import is encrypted by using the KEK public key.
9399

94100
```azurecli
95101
az keyvault key download --name KEKforBYOK --vault-name ContosoKeyVaultHSM --file KEKforBYOK.publickey.pem
96102
```
97103

98-
Transfer the KEKforBYOK.publickey.pem file to your offline workstation. You will need this file during next step.
104+
Transfer the KEKforBYOK.publickey.pem file to your offline computer. You will need this file in the next step.
99105

100106
### Step 3: Generate and prepare your key for transfer
101107

102-
Please refer to your HSM vendor's documentation to download and install the BYOK tool. Follow instruction from your HSM vendor to generate a target key and then create a Key Transfer Package (a BYOK file). The BYOK tool will use the key identifier from [Step 1](#step-1-generate-a-kek) and KEKforBYOK.publickey.pem file you downloaded in [Step 2](#step-2-download-kek-public-key) to generate an encrypted target key in a BYOK file.
108+
Refer to your HSM vendor's documentation to download and install the BYOK tool. Follow instructions from your HSM vendor to generate a target key, and then create a key transfer package (a BYOK file). The BYOK tool will use the `kid` from [Step 1](#step-1-generate-a-kek) and the KEKforBYOK.publickey.pem file you downloaded in [Step 2](#step-2-download-the-kek-public-key) to generate an encrypted target key in a BYOK file.
103109

104-
Transfer the BYOK file to your connected workstation.
110+
Transfer the BYOK file to your connected computer.
105111

106112
> [!NOTE]
107-
> Target key must be an RSA key of size 2048-bit or 3072-bit or 4096-bit. Importing Elliptic Curve keys is not supported at this time.
108-
> <br/><strong>Known issue:</strong> Importing RSA 4K target key from SafeNet Luna HSMs fails. When the issue is resolved this document will be updated.
113+
> Importing RSA 1,024-bit keys is not supported. Currently, importing an Elliptic Curve (EC) key is not supported.
114+
>
115+
> **Known issue**: Importing an RSA 4K target key from SafeNet Luna HSMs fails. When the issue is resolved, this article will be updated.
109116
110117
### Step 4: Transfer your key to Azure Key Vault
111118

112-
For this final step, transfer the Key Transfer Package (a BYOK file) from your disconnected workstation to the Internet-connected workstation and then use the [az keyvault key import](/cli/azure/keyvault/key?view=azure-cli-latest#az-keyvault-key-import) command to upload the BYOK file the Azure Key Vault HSM, to complete the key import.
119+
To complete the key import, transfer the key transfer package (a BYOK file) from your disconnected computer to the internet-connected computer. Use the [az keyvault key import](/cli/azure/keyvault/key?view=azure-cli-latest#az-keyvault-key-import) command to upload the BYOK file to the Key Vault HSM.
113120

114121
```azurecli
115122
az keyvault key import --vault-name ContosoKeyVaultHSM --name ContosoFirstHSMkey --byok-file KeyTransferPackage-ContosoFirstHSMkey.byok
116123
```
117124

118-
If the upload is successful, you see displayed the properties of the key that you just imported.
125+
If the upload is successful, Azure CLI displays the properties of the imported key.
119126

120127
## Next steps
121128

122-
You can now use this HSM-protected key in your key vault. For more information, see this price and feature [comparison](https://azure.microsoft.com/pricing/details/key-vault/).
129+
You can now use this HSM-protected key in your key vault. For more information, see [this price and feature comparison](https://azure.microsoft.com/pricing/details/key-vault/).
130+
131+
132+
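Review bot: line 40+ keeps an ambiguity from the old text that matters for the security model: "The target key is encrypted with a KEK, which stays encrypted until it is transferred to the Key Vault HSM" reads as if the KEK is what stays encrypted, and it omits that the encryption is done with the KEK *public* key (which line 98+ states). Suggest: "The target key is encrypted with the KEK public key and stays encrypted until it is transferred to the Key Vault HSM." Line 113+ also changes substance rather than wording: the removed note stated the positive requirement ("Target key must be an RSA key of size 2048-bit or 3072-bit or 4096-bit") and the new note instead says "Importing RSA 1,024-bit keys is not supported", which the old text never mentioned; please confirm with the product team that this is the intended statement, and consider keeping a pointer to the "Supported key types" table so the accepted sizes are stated next to the restriction. Terminology for the two machines is inconsistent across the hunk ("offline computer" on 38+/39+, "connected computer" on 110+, "disconnected computer" and "internet-connected computer" on 119+); pick one pair and use it throughout. Minor style: line 36+ nests parentheses ("(referred to as a *Key Exchange Key* (KEK))"), the list on 86+ to 88+ uses `-` bullets while the Overview list uses `*`, and lines 130+ to 132+ add trailing blank lines at end of file.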
