File: articles/key-vault/managed-hsm/tls-offload-library.md
Lines changed: 14 additions & 14 deletions
@@ -18,9 +18,9 @@ For more information, see [Azure Managed HSM TLS Offload Library GitHub](https:/
18
18
19
19
The TLS Offload Library internally uses the Azure Key Vault REST API to interact with Azure Managed HSM.
20
20
21
-
## Get Started
21
+
## Get started
22
22
23
-
### PKCS#11Attributes
23
+
### PKCS#11attributes
24
24
25
25
To properly integrate with PKCS#11, generating keys (via C_GenerateKeyPair) and locating key objects (via C_FindObjectsInit/C_FindObjects) requires a solution for storing PKCS#11 attributes on the Azure Key Vault key object. The TLS Offload Library converts these necessary PKCS#11 attributes into Azure Key Vault Tags.
26
26
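Review bot: the renamed heading `### PKCS#11attributes` still has no space between `PKCS#11` and `attributes` (the original `### PKCS#11Attributes` had the same defect). Since this hunk already rewrites that line, make it `### PKCS#11 attributes`.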
@@ -35,7 +35,7 @@ Applications that use the TLS Offload Library use one or more PKCS#11 attributes
35
35
> [!WARNING]
36
36
> Keys generated by the TLS Offload Library and their Tags are accessible over Azure Key Vault REST API. Manipulating these P11 Attribute Tags using Azure Key Vault REST API may break the TLS Offload Library applications.
37
37
38
-
### Key Generation
38
+
### Key generation
39
39
40
40
The TLS Offload Library includes a key creation tool, mhsm_p11_create_key. Running the tool without any command line arguments shows the correct usage of the tool.
41
41
@@ -61,7 +61,7 @@ The `--label` argument to the key creation tool specifies the desired CKA_LABEL
61
61
62
62
You need the key name for any role assignment changes via the Azure CLI.
63
63
64
-
### Access Control
64
+
### Access control
65
65
66
66
The TLS Offload Library translates the C_FindObjectsInit into an Azure Key Vault REST API call, which operates at the /keys scope. The MHSM service requires the Read permission at this scope for the TLS Offload Library User to authorize the find operation for the keys created via the key creation tool.
67
67
@@ -91,9 +91,9 @@ The key generation service principal is used with the key creation tool (mhsm_p1
91
91
92
92
#### Azure CLI
93
93
94
-
Azure CLI can be used to perform tasks such as Role Assignment.
94
+
Azure CLI can be used to perform tasks such as role assignment.
95
95
96
-
### Permissive Approach
96
+
### Permissive approach
97
97
98
98
The permissive approach is simpler, and suitable when the Azure Managed HSM is exclusively used for TLS offloading.
99
99
@@ -106,13 +106,13 @@ az keyvault role assignment create --hsm-name ContosoMHSM \
106
106
--scope /keys
107
107
```
108
108
109
-
### Granular Approach
109
+
### Granular approach
110
110
111
111
The granular approach implements fine grained access control. It requires two service principals (TLS Offload service principal and Key Generation service principal) and an Admin User.
112
112
113
113
The objective is to restrict the TLS Offload service principal's permissions to support the minimum required for TLS offload. The user must have the Read permission for other keys to support the library's C_FindObject* function.
114
114
115
-
#### TLS Offload Library User Read Role
115
+
#### TLS Offload Library User Read role
116
116
117
117
The first step in implementing the granular approach is to create a custom role. This operation only needs to be done once.
118
118
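Review bot: in the unchanged context line `The user must have the Read permission for other keys to support the library's C_FindObject* function.`, "The user" is ambiguous: the preceding sentence names three identities (TLS Offload service principal, Key Generation service principal, Admin User), and the heading introduced in this hunk is `#### TLS Offload Library User Read role`. Name the principal explicitly (the TLS Offload service principal, as the sentence about restricting its permissions suggests) so readers assign the Read role to the correct identity.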
@@ -129,11 +129,11 @@ az keyvault role definition create --hsm-name ContosoMHSM --role-definition '{ \
129
129
}'
130
130
```
131
131
132
-
#### Generate Keys
132
+
#### Generate keys
133
133
134
134
Keys can be generated using the Key Generation service principal with the key creation tool (mhsm_p11_create_key).
135
135
136
-
#### Grant Permission
136
+
#### Grant permission
137
137
138
138
The Admin User assigns the following roles to the TLS Offload service principal.
139
139
- Assign "TLS Library User Read Role" role at the "/keys" scope
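Review bot: the role name in the bullet `- Assign "TLS Library User Read Role" role at the "/keys" scope` does not match the heading `#### TLS Offload Library User Read role` under which the custom role is defined; `az keyvault role assignment create` has to reference the custom role by its exact name, so use one spelling in both places. Also, `#### Generate keys` here now carries the same text as the `### Generate keys` heading introduced later in this patch; consider distinguishing them, for example `#### Generate keys with the Key Generation service principal`.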
@@ -153,11 +153,11 @@ az keyvault role assignment create --hsm-name ContosoMHSM \
### How to generate keys using the TLS Offload Library
158
+
### Generate keys
159
159
160
-
The TLS Offload Library includes a key creation tool - mhsm_p11_create_key. Running the tool without any command line arguments shows the correct usage of the tool.
160
+
The TLS Offload Library includes a key creation tool, mhsm_p11_create_key. Running the tool without any command line arguments shows the correct usage of the tool.
161
161
162
162
The key creation tool requires a service principal, which is assigned to the "Managed HSM Crypto User" role at the "/keys" scope.
163
163
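Review bot: after the rewording, `The TLS Offload Library includes a key creation tool, mhsm_p11_create_key. Running the tool without any command line arguments shows the correct usage of the tool.` is word-for-word identical to the paragraph under `### Key generation` earlier in the patch, and the new `### Generate keys` heading duplicates `#### Generate keys` from the previous hunk. Rather than maintaining two copies of the tool description, keep it in one section and link to it from the other, so the two never drift apart.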
@@ -181,7 +181,7 @@ The `--label` argument to the key creation tool specifies the desired CKA_LABEL
181
181
182
182
The key name is required if you're planning to implement granular access to keys.
183
183
184
-
### How to implement keyless TLS
184
+
### Implement keyless TLS
185
185
186
186
There are two approaches to generating a key and using the key for the Key Less TLS: a simpler, more permissive approach, and a granular approach, which offers better security. The approaches differ in implementation effort and security enforcement.
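Review bot: the heading becomes `### Implement keyless TLS`, but the unchanged body line still reads `... using the key for the Key Less TLS: ...`; use `keyless TLS` in the body as well so the term matches the new heading.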