
Commit 700b74d

Merge pull request #224930 from msmbaldwin/freshness
Updates
2 parents 73f96a9 + b0e5a26 commit 700b74d


5 files changed

+73
-74
lines changed


articles/key-vault/keys/about-keys.md

Lines changed: 2 additions & 2 deletions
@@ -9,13 +9,13 @@ tags: azure-resource-manager
99
ms.service: key-vault
1010
ms.subservice: keys
1111
ms.topic: overview
12-
ms.date: 02/17/2021
12+
ms.date: 01/24/2023
1313
ms.author: mbaldwin
1414
---
1515

1616
# About keys
1717

18-
Azure Key Vault provides two types of resources to store and manage cryptographic keys. Vaults support software-protected and HSM-protected (Hardware Security Module) keys. Managed HSMs only support HSM-protected keys.
18+
Azure Key Vault provides two types of resources to store and manage cryptographic keys. Vaults support software-protected and HSM-protected (Hardware Security Module) keys. Managed HSMs only support HSM-protected keys.
1919

2020
|Resource type|Key protection methods|Data-plane endpoint base URL|
2121
|--|--|--|
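Review bot: the removed and added line 18 are identical in the rendered diff, so that part of the hunk is whitespace-only, and the only substantive change to this file is the ms.date bump from 02/17/2021 to 01/24/2023. A refreshed ms.date signals that the article was re-verified, so if the freshness pass did not actually recheck the statements in this region (for example that Managed HSMs support only HSM-protected keys), either do that check before merging or leave the date alone.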

articles/key-vault/keys/byok-specification.md

Lines changed: 11 additions & 13 deletions
@@ -3,13 +3,12 @@ title: Bring your own key specification - Azure Key Vault | Microsoft Docs
33
description: This document described bring your own key specification.
44
services: key-vault
55
author: mbaldwin
6-
manager: devtiw
76
tags: azure-resource-manager
87

98
ms.service: key-vault
109
ms.subservice: keys
1110
ms.topic: conceptual
12-
ms.date: 02/04/2021
11+
ms.date: 01/24/2023
1312
ms.author: mbaldwin
1413
ms.custom: devx-track-azurepowershell, devx-track-azurecli
1514
---
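Review bot: the `manager: devtiw` front-matter line is deleted at the top of this hunk with no replacement. If that is intentional (the person no longer manages this content), fine, but confirm that the docs build and metadata validation for this content set do not require a `manager` field, and keep the front matter consistent with the sibling articles in this PR, none of which otherwise touch that field.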
@@ -20,7 +19,7 @@ This document describes specifications for importing HSM-protected keys from cus
2019

2120
## Scenario
2221

23-
A Key Vault customer would like to securely transfer a key from their on-premises HSM outside Azure, into the HSM backing Azure Key Vault. The process of importing a key generated outside Key Vault is generally referred to as Bring Your Own Key (BYOK).
22+
A Key Vault customer would like to securely transfer a key from their on-premises HSM outside Azure, into the HSM backing Azure Key Vault. The process of importing a key generated outside Key Vault is referred to as Bring Your Own Key (BYOK).
2423

2524
The following are the requirements:
2625
* The key to be transferred never exists outside an HSM in plain text form.
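Review bot: the rewritten sentence at new line 22 still carries the stray comma in "from their on-premises HSM outside Azure, into the HSM backing Azure Key Vault"; since the line is being edited anyway, drop the comma. Removing "generally" is acceptable, though "Bring Your Own Key" is a common name for the process rather than a formal term, so "is commonly referred to as" would preserve that nuance.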
@@ -31,7 +30,7 @@ The following are the requirements:
3130
|Key Name|Key Type|Origin|Description|
3231
|---|---|---|---|
3332
|Key Exchange Key (KEK)|RSA|Azure Key Vault HSM|An HSM backed RSA key pair generated in Azure Key Vault
34-
Wrapping Key|AES|Vendor HSM|An [ephemeral] AES key generated by HSM on-prem
33+
Wrapping Key|AES|Vendor HSM|An [ephemeral] AES key generated by HSM on-premises
3534
Target Key|RSA, EC, AES (Managed HSM only)|Vendor HSM|The key to be transferred to the Azure Key Vault HSM
3635

3736
**Key Exchange Key**: An HSM-backed key that customer generates in the key vault where the BYOK key will be imported. This KEK must have following properties:
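Review bot: the Wrapping Key and Target Key rows of this table lack the leading `|` that the header row and the KEK row use; Markdown renders them either way, but add the leading `|` to both rows for consistency. While in this hunk, "An HSM backed RSA key pair" should be "HSM-backed" to match the **Key Exchange Key** paragraph directly below, and "generated by HSM on-premises" reads better as "generated by the on-premises HSM".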
@@ -51,20 +50,19 @@ To perform a key transfer, a user performs following steps:
5150

5251
Customers use the BYOK tool and documentation provided by HSM vendor to complete Steps 3. It produces a Key Transfer Blob (a ".byok" file).
5352

54-
5553
## HSM constraints
5654

5755
Existing HSM may apply constraints on key that they manage, including:
5856
* The HSM may need to be configured to allow key wrap-based export
5957
* The target key may need to be marked CKA_EXTRACTABLE for the HSM to allow controlled export
60-
* In some cases, the KEK and wrapping key may need to be marked as CKA_TRUSTED. This allows it to be used to wrap keys in the HSM.
58+
* In some cases, the KEK and wrapping key may need to be marked as CKA_TRUSTED, which allows it to be used to wrap keys in the HSM.
6159

6260
The configuration of source HSM is, generally, outside the scope of this specification. Microsoft expects the HSM vendor to produce documentation accompanying their BYOK tool to include any such configuration steps.
6361

6462
> [!NOTE]
65-
> Steps 1, 2, and 4 described below can be performed using other interfaces such as Azure PowerShell and Azure Portal. They can also be performed programmatically using equivalent functions in Key Vault SDK.
63+
> Several of these steps can be performed using other interfaces such as Azure PowerShell and Azure Portal. They can also be performed programmatically using equivalent functions in Key Vault SDK.
6664
67-
### Step 1: Generate KEK
65+
### Generate KEK
6866

6967
Use the **az keyvault key create** command to create KEK with key operations set to import. Note down the key identifier 'kid' returned from the below command.
7068

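Review bot: dropping the step numbers from the headings (`### Step 1: Generate KEK` becomes `### Generate KEK`) leaves dangling references in the unchanged context: the sentence "Customers use the BYOK tool and documentation provided by HSM vendor to complete Steps 3" still points at a numbered step that no longer exists, and the rewritten NOTE now says "Several of these steps" without telling the reader which ones. Either keep the numbers in the headings or rewrite that sentence and the NOTE to name the steps by their new headings. Separately, in the rewritten CKA_TRUSTED bullet "which allows it to be used" refers to both the KEK and the wrapping key, so "which allows them to be used" is the agreeing form.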
@@ -75,15 +73,15 @@ az keyvault key create --kty RSA-HSM --size 4096 --name KEKforBYOK --ops import
7573
> [!NOTE]
7674
> Services support different KEK lengths; Azure SQL, for instance, only supports key lengths of [2048 or 3072 bytes](/azure/azure-sql/database/transparent-data-encryption-byok-overview#requirements-for-configuring-customer-managed-tde). Consult the documentation for your service for specifics.
7775
78-
### Step 2: Retrieve the public key of the KEK
76+
### Retrieve the public key of the KEK
7977

8078
Download the public key portion of the KEK and store it into a PEM file.
8179

8280
```azurecli
8381
az keyvault key download --name KEKforBYOK --vault-name ContosoKeyVaultHSM --file KEKforBYOK.publickey.pem
8482
```
8583

86-
### Steps 3: Generate key transfer blob using HSM vendor provided BYOK tool
84+
### Generate key transfer blob using HSM vendor provided BYOK tool
8785

8886
Customer will use HSM Vendor provided BYOK tool to create a key transfer blob (stored as a ".byok" file). KEK public key (as a .pem file) will be one of the inputs to this tool.
8987

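Review bot: the unchanged NOTE in this hunk says Azure SQL "only supports key lengths of 2048 or 3072 bytes"; RSA key lengths are expressed in bits (the KEK in the hunk header is created with `--size 4096`, also bits), so this should read "bits", and since the file is being touched for freshness this is the place to fix it. In the renamed heading, "HSM vendor provided BYOK tool" should be hyphenated as "HSM vendor-provided BYOK tool".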
@@ -121,16 +119,16 @@ If CKM_RSA_AES_KEY_WRAP_PAD is used, the JSON serialization of the transfer blob
121119

122120
* kid = key identifier of KEK. For Key Vault keys it looks like this: https://ContosoKeyVaultHSM.vault.azure.net/keys/mykek/eba63d27e4e34e028839b53fac905621
123121
* alg = algorithm.
124-
* dir = Direct mode, i.e. the referenced kid is used to directly protect the ciphertext which is an accurate representation of CKM_RSA_AES_KEY_WRAP
122+
* dir = Direct mode, that is, the referenced kid is used to directly protect the ciphertext that is an accurate representation of CKM_RSA_AES_KEY_WRAP
125123
* generator = an informational field that denotes the name and version of BYOK tool and the source HSM manufacturer and model. This information is intended for use in troubleshooting and support.
126124

127125
The JSON blob is stored in a file with a ".byok" extension so that the Azure PowerShell/CLI clients treats it correctly when ‘Add-AzKeyVaultKey’ (PSH) or ‘az keyvault key import’ (CLI) commands are used.
128126

129-
### Step 4: Upload key transfer blob to import HSM-key
127+
### Upload key transfer blob to import HSM-key
130128

131129
Customer will transfer the Key Transfer Blob (".byok" file) to an online workstation and then run a **az keyvault key import** command to import this blob as a new HSM-backed key into Key Vault.
132130

133-
To import an RSA key use this command:
131+
To import an RSA key, use this command:
134132
```azurecli
135133
az keyvault key import --vault-name ContosoKeyVaultHSM --name ContosoFirstHSMkey --byok-file KeyTransferPackage-ContosoFirstHSMkey.byok --ops encrypt decrypt
136134
```
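Review bot: the renamed heading "Upload key transfer blob to import HSM-key" keeps an odd hyphen; "HSM key" (or "HSM-protected key", the term used in about-keys.md) reads better. The rewrite of "i.e." to "that is" also swaps "which" for a restrictive "that", so "the ciphertext that is an accurate representation of CKM_RSA_AES_KEY_WRAP" now reads as if the ciphertext is the representation, whereas the intent is that direct mode is; ", which is an accurate representation" with the comma preserves the original meaning. In the unchanged context just above the heading, "the Azure PowerShell/CLI clients treats it correctly" has a subject-verb disagreement ("clients treat"), and the curly quotes around ‘Add-AzKeyVaultKey’ and ‘az keyvault key import’ should be backticks to match the code formatting used elsewhere in the article.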

articles/key-vault/keys/hsm-protected-keys-byok.md

Lines changed: 16 additions & 14 deletions
@@ -21,9 +21,9 @@ For added assurance when you use Azure Key Vault, you can import or generate a k
2121
Use the information in this article to help you plan for, generate, and transfer your own HSM-protected keys to use with Azure Key Vault.
2222

2323
> [!NOTE]
24-
> This functionality is not available for Azure China 21Vianet.
25-
>
26-
> This import method is available only for [supported HSMs](#supported-hsms).
24+
> This functionality is not available for Azure China 21Vianet.
25+
>
26+
> This import method is available only for [supported HSMs](#supported-hsms).
2727
2828
For more information, and for a tutorial to get started using Key Vault (including how to create a key vault for HSM-protected keys), see [What is Azure Key Vault?](../general/overview.md).
2929

@@ -34,7 +34,7 @@ Here's an overview of the process. Specific steps to complete are described late
3434
* In Key Vault, generate a key (referred to as a *Key Exchange Key* (KEK)). The KEK must be an RSA-HSM key that has only the `import` key operation. Only Key Vault Premium and Managed HSM support RSA-HSM keys.
3535
* Download the KEK public key as a .pem file.
3636
* Transfer the KEK public key to an offline computer that is connected to an on-premises HSM.
37-
* In the offline computer, use the BYOK tool provided by your HSM vendor to create a BYOK file.
37+
* In the offline computer, use the BYOK tool provided by your HSM vendor to create a BYOK file.
3838
* The target key is encrypted with a KEK, which stays encrypted until it is transferred to the Key Vault HSM. Only the encrypted version of your key leaves the on-premises HSM.
3939
* A KEK that's generated inside a Key Vault HSM is not exportable. HSMs enforce the rule that no clear version of a KEK exists outside a Key Vault HSM.
4040
* The KEK must be in the same key vault where the target key will be imported.
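Review bot: the removed and added line 37 are identical in the rendered diff, so this part of the hunk is whitespace-only; while the line is being touched, "In the offline computer" reads more naturally as "On the offline computer".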
@@ -82,12 +82,12 @@ The following table lists prerequisites for using BYOK in Azure Key Vault:
8282

8383
To generate and transfer your key to a Key Vault Premium or Managed HSM:
8484

85-
* [Step 1: Generate a KEK](#step-1-generate-a-kek)
86-
* [Step 2: Download the KEK public key](#step-2-download-the-kek-public-key)
87-
* [Step 3: Generate and prepare your key for transfer](#step-3-generate-and-prepare-your-key-for-transfer)
88-
* [Step 4: Transfer your key to Azure Key Vault](#step-4-transfer-your-key-to-azure-key-vault)
85+
* [Step 1: Generate a KEK](#generate-a-kek)
86+
* [Step 2: Download the KEK public key](#download-the-kek-public-key)
87+
* [Step 3: Generate and prepare your key for transfer](#generate-and-prepare-your-key-for-transfer)
88+
* [Step 4: Transfer your key to Azure Key Vault](#transfer-your-key-to-azure-key-vault)
8989

90-
### Step 1: Generate a KEK
90+
### Generate a KEK
9191

9292
A KEK is an RSA key that's generated in a Key Vault Premium or Managed HSM. The KEK is used to encrypt the key you want to import (the *target* key).
9393

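Review bot: the new anchors (`#generate-a-kek`, `#download-the-kek-public-key`, `#generate-and-prepare-your-key-for-transfer`, `#transfer-your-key-to-azure-key-vault`) correctly match the renamed headings, but the list items keep their "Step 1:" to "Step 4:" link text while the headings they jump to no longer carry numbers, so the reader lands on a heading named differently from the link they clicked. Either keep the numbers in the headings or drop them from the link text. Also, the old slugs (`#step-1-generate-a-kek` and the rest) were stable deep-link targets; any other article or external page linking to them will now land at the top of the page, so search the content set for the old anchors before merging.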
@@ -99,7 +99,7 @@ The KEK must be:
9999
> [!NOTE]
100100
> The KEK must have 'import' as the only allowed key operation. 'import' is mutually exclusive with all other key operations.
101101
102-
Use the [az keyvault key create](/cli/azure/keyvault/key#az-keyvault-key-create) command to create a KEK that has key operations set to `import`. Record the key identifier (`kid`) that's returned from the following command. (You will use the `kid` value in [Step 3](#step-3-generate-and-prepare-your-key-for-transfer).)
102+
Use the [az keyvault key create](/cli/azure/keyvault/key#az-keyvault-key-create) command to create a KEK that has key operations set to `import`. Record the key identifier (`kid`) that's returned from the following command. (You will use the `kid` value in [Step 3](#generate-and-prepare-your-key-for-transfer).)
103103

104104
```azurecli
105105
az keyvault key create --kty RSA-HSM --size 4096 --name KEKforBYOK --ops import --vault-name ContosoKeyVaultHSM
@@ -110,7 +110,7 @@ or for Managed HSM
110110
az keyvault key create --kty RSA-HSM --size 4096 --name KEKforBYOK --ops import --hsm-name ContosoKeyVaultHSM
111111
```
112112

113-
### Step 2: Download the KEK public key
113+
### Download the KEK public key
114114

115115
Use [az keyvault key download](/cli/azure/keyvault/key#az-keyvault-key-download) to download the KEK public key to a .pem file. The target key you import is encrypted by using the KEK public key.
116116

@@ -126,9 +126,9 @@ az keyvault key download --name KEKforBYOK --hsm-name ContosoKeyVaultHSM --file
126126

127127
Transfer the KEKforBYOK.publickey.pem file to your offline computer. You will need this file in the next step.
128128

129-
### Step 3: Generate and prepare your key for transfer
129+
### Generate and prepare your key for transfer
130130

131-
Refer to your HSM vendor's documentation to download and install the BYOK tool. Follow instructions from your HSM vendor to generate a target key, and then create a key transfer package (a BYOK file). The BYOK tool will use the `kid` from [Step 1](#step-1-generate-a-kek) and the KEKforBYOK.publickey.pem file you downloaded in [Step 2](#step-2-download-the-kek-public-key) to generate an encrypted target key in a BYOK file.
131+
Refer to your HSM vendor's documentation to download and install the BYOK tool. Follow instructions from your HSM vendor to generate a target key, and then create a key transfer package (a BYOK file). The BYOK tool will use the `kid` from [Step 1](#generate-a-kek) and the KEKforBYOK.publickey.pem file you downloaded in [Step 2](#download-the-kek-public-key) to generate an encrypted target key in a BYOK file.
132132

133133
Transfer the BYOK file to your connected computer.
134134

@@ -137,14 +137,16 @@ Transfer the BYOK file to your connected computer.
137137
>
138138
> **Known issue**: Importing an RSA 4K target key from Luna HSMs is only supported with firmware 7.4.0 or newer.
139139
140-
### Step 4: Transfer your key to Azure Key Vault
140+
### Transfer your key to Azure Key Vault
141141

142142
To complete the key import, transfer the key transfer package (a BYOK file) from your disconnected computer to the internet-connected computer. Use the [az keyvault key import](/cli/azure/keyvault/key#az-keyvault-key-import) command to upload the BYOK file to the Key Vault HSM.
143143

144144
To import an RSA key use following command. Parameter --kty is optional and defaults to 'RSA-HSM'.
145+
145146
```azurecli
146147
az keyvault key import --vault-name ContosoKeyVaultHSM --name ContosoFirstHSMkey --byok-file KeyTransferPackage-ContosoFirstHSMkey.byok
147148
```
149+
148150
or for Managed HSM
149151

150152
```azurecli
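Review bot: the unchanged context line "To import an RSA key use following command. Parameter --kty is optional and defaults to 'RSA-HSM'." still lacks the comma and article that the equivalent sentence in byok-specification.md gains in this same PR ("To import an RSA key, use this command:"); for consistency change it to "To import an RSA key, use the following command. The `--kty` parameter is optional and defaults to `RSA-HSM`." The blank lines added around the fenced block are welcome and match the spacing used for the other code blocks in the file.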
