Commit ef1df71

Updates
1 parent 998801f commit ef1df71

1 file changed

+49
-31
lines changed

1 file changed

+49
-31
lines changed

articles/key-vault/keys/hsm-protected-keys-byok.md

Lines changed: 49 additions & 31 deletions
@@ -67,7 +67,6 @@ The following table lists prerequisites for using BYOK in Azure Key Vault:
6767
|Utimaco|Manufacturer,<br/>HSM as a service|u.trust Anchor, CryptoServer| Utimaco BYOK tool and Integration guide |
6868
||||
6969

70-
7170
## Supported key types
7271

7372
|Key name|Key type|Key size/curve|Origin|Description|
@@ -101,51 +100,62 @@ The KEK must be:
101100
102101
Use the [az keyvault key create](/cli/azure/keyvault/key#az-keyvault-key-create) command to create a KEK that has key operations set to `import`. Record the key identifier (`kid`) that's returned from the following command. (You will use the `kid` value in [Step 3](#generate-and-prepare-your-key-for-transfer).)
103102

103+
### [Azure CLI](#tab/azure-cli)
104+
104105
```azurecli
105106
az keyvault key create --kty RSA-HSM --size 4096 --name KEKforBYOK --ops import --vault-name ContosoKeyVaultHSM
106107
```
107-
or in PowerShell
108108

109-
```azurepowershell
110-
Add-AzKeyVaultKey -VaultName 'ContosoKeyVaultHSM' -Name 'KEKforBYOK' -Destination 'HSM' -Size 4096 -KeyOps 'import'
111-
```
112-
113-
or for Managed HSM
109+
For Managed HSM:
114110

115111
```azurecli
116112
az keyvault key create --kty RSA-HSM --size 4096 --name KEKforBYOK --ops import --hsm-name ContosoKeyVaultHSM
117113
```
118-
or in PowerShell for Managed HSM
114+
115+
### [Azure PowerShell](#tab/azure-powershell)
116+
117+
```azurepowershell
118+
Add-AzKeyVaultKey -VaultName 'ContosoKeyVaultHSM' -Name 'KEKforBYOK' -Destination 'HSM' -Size 4096 -KeyOps 'import'
119+
```
120+
121+
For Managed HSM:
119122

120123
```azurepowershell
121124
Add-AzKeyVaultKey -HsmName 'ContosoKeyVaultHSM' -Name 'KEKforBYOK' -Destination 'HSM' -Size 4096 -KeyOps 'import'
122125
```
123126

127+
---
128+
124129
### Download the KEK public key
125130

126131
Use [az keyvault key download](/cli/azure/keyvault/key#az-keyvault-key-download) to download the KEK public key to a .pem file. The target key you import is encrypted by using the KEK public key.
127132

133+
### [Azure CLI](#tab/azure-cli)
134+
128135
```azurecli
129136
az keyvault key download --name KEKforBYOK --vault-name ContosoKeyVaultHSM --file KEKforBYOK.publickey.pem
130137
```
131-
or in PowerShell
132-
133-
```azurepowershell
134-
Get-AzKeyVaultKey -VaultName 'ContosoKeyVaultHSM' -KeyName 'KEKforBYOK' -OutFile 'KEKforBYOK.publickey.pem'
135-
```
136138

137-
or for Managed HSM
139+
For Managed HSM:
138140

139141
```azurecli
140142
az keyvault key download --name KEKforBYOK --hsm-name ContosoKeyVaultHSM --file KEKforBYOK.publickey.pem
141143
```
142144

143-
or in PowerShell for Managed HSM
145+
### [Azure PowerShell](#tab/azure-powershell)
146+
147+
```azurepowershell
148+
Get-AzKeyVaultKey -VaultName 'ContosoKeyVaultHSM' -KeyName 'KEKforBYOK' -OutFile 'KEKforBYOK.publickey.pem'
149+
```
150+
151+
For Managed HSM
144152

145153
```azurepowershell
146154
Get-AzKeyVaultKey -HsmName 'ContosoKeyVaultHSM' -KeyName 'KEKforBYOK' -OutFile 'KEKforBYOK.publickey.pem'
147155
```
148156

157+
---
158+
149159
Transfer the KEKforBYOK.publickey.pem file to your offline computer. You will need this file in the next step.
150160

151161
### Generate and prepare your key for transfer
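Review bot: the label above the Managed HSM PowerShell download command reads "For Managed HSM" without the colon that the other three labels in this hunk use ("For Managed HSM:"); make it consistent. The two lead-in sentences ("Use the [az keyvault key create] command to create a KEK that has key operations set to `import`" and "Use [az keyvault key download] to download the KEK public key") still name only the Azure CLI command, while each now heads an Azure CLI / Azure PowerShell tab pair; consider wording them to cover both, since the PowerShell equivalents (`Add-AzKeyVaultKey ... -KeyOps 'import'` and `Get-AzKeyVaultKey ... -OutFile`) are only visible in the second tab. The restriction of the KEK to the `import` key operation is preserved in both tabs, which is the property that matters here: the KEK should not be usable for anything other than unwrapping the transferred key.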
@@ -154,9 +164,9 @@ Refer to your HSM vendor's documentation to download and install the BYOK tool.
154164

155165
Transfer the BYOK file to your connected computer.
156166

157-
> [!NOTE]
167+
> [!NOTE]
158168
> Importing RSA 1,024-bit keys is not supported. Importing Elliptic Curve key with curve P-256K is not supported.
159-
>
169+
>
160170
> **Known issue**: Importing an RSA 4K target key from Luna HSMs is only supported with firmware 7.4.0 or newer.
161171
162172
### Transfer your key to Azure Key Vault
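Review bot: the `> [!NOTE]` and `>` lines are removed and re-added with no visible difference, so this is presumably a trailing-whitespace change; confirm it is intended, as it otherwise only adds diff noise to an admonition whose text is unchanged.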
@@ -165,51 +175,59 @@ To complete the key import, transfer the key transfer package (a BYOK file) from
165175

166176
To import an RSA key use following command. Parameter --kty is optional and defaults to 'RSA-HSM'.
167177

178+
### [Azure CLI](#tab/azure-cli)
179+
168180
```azurecli
169181
az keyvault key import --vault-name ContosoKeyVaultHSM --name ContosoFirstHSMkey --byok-file KeyTransferPackage-ContosoFirstHSMkey.byok
170182
```
171183

172-
or in PowerShell
184+
For Managed HSM
173185

174-
```azurepowershell
175-
Add-AzKeyVaultKey -VaultName 'ContosoKeyVaultHSM' -KeyName 'ContosoFirstHSMkey' -KeyFilePath 'KeyTransferPackage-ContosoFirstHSMkey.byok'
186+
```azurecli
187+
az keyvault key import --hsm-name ContosoKeyVaultHSM --name ContosoFirstHSMkey --byok-file KeyTransferPackage-ContosoFirstHSMkey.byok
176188
```
177189

178-
or for Managed HSM
190+
### [Azure PowerShell](#tab/azure-powershell)
179191

180-
```azurecli
181-
az keyvault key import --hsm-name ContosoKeyVaultHSM --name ContosoFirstHSMkey --byok-file KeyTransferPackage-ContosoFirstHSMkey.byok
192+
```azurepowershell
193+
Add-AzKeyVaultKey -VaultName 'ContosoKeyVaultHSM' -KeyName 'ContosoFirstHSMkey' -KeyFilePath 'KeyTransferPackage-ContosoFirstHSMkey.byok'
182194
```
183-
or in PowerShell for Managed HSM
195+
For Managed HSM
184196

185197
```azurepowershell
186198
Add-AzKeyVaultKey -HsmName 'ContosoKeyVaultHSM' -KeyName 'ContosoFirstHSMkey' -KeyFilePath 'KeyTransferPackage-ContosoFirstHSMkey.byok'
187199
```
188200

201+
---
202+
189203
To import an EC key, you must specify key type and the curve name.
190204

205+
### [Azure CLI](#tab/azure-cli)
206+
191207
```azurecli
192208
az keyvault key import --vault-name ContosoKeyVaultHSM --name ContosoFirstHSMkey --kty EC-HSM --curve-name "P-256" --byok-file KeyTransferPackage-ContosoFirstHSMkey.byok
193209
```
194210

195-
or in PowerShell
211+
For Managed HSM
196212

197-
```azurepowershell
198-
Add-AzKeyVaultKey -VaultName 'ContosoKeyVaultHSM' -KeyName 'ContosoFirstHSMkey' -KeyType EC -CurveName P-256 -KeyFilePath 'KeyTransferPackage-ContosoFirstHSMkey.byok'
213+
```azurecli
214+
az keyvault key import --hsm-name ContosoKeyVaultHSM --name ContosoFirstHSMkey --byok-file --kty EC-HSM --curve-name "P-256" KeyTransferPackage-ContosoFirstHSMkey.byok
199215
```
200216

201-
or for Managed HSM
217+
### [Azure PowerShell](#tab/azure-powershell)
202218

203-
```azurecli
204-
az keyvault key import --hsm-name ContosoKeyVaultHSM --name ContosoFirstHSMkey --byok-file --kty EC-HSM --curve-name "P-256" KeyTransferPackage-ContosoFirstHSMkey.byok
219+
```azurepowershell
220+
Add-AzKeyVaultKey -VaultName 'ContosoKeyVaultHSM' -KeyName 'ContosoFirstHSMkey' -KeyType EC -CurveName P-256 -KeyFilePath 'KeyTransferPackage-ContosoFirstHSMkey.byok'
205221
```
206222

207-
or in PowerShell for Managed HSM
223+
For Managed HSM
208224

209225
```azurepowershell
210226
Add-AzKeyVaultKey -HsmName 'ContosoKeyVaultHSM' -KeyName 'ContosoFirstHSMkey' -KeyType EC -CurveName P-256 -KeyFilePath 'KeyTransferPackage-ContosoFirstHSMkey.byok'
211227
```
212228

229+
---
230+
213231
If the upload is successful, Azure CLI displays the properties of the imported key.
214232

215233
## Next steps
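Review bot: the Managed HSM EC import command in the Azure CLI tab carries over a broken argument order: `--byok-file --kty EC-HSM --curve-name "P-256" KeyTransferPackage-ContosoFirstHSMkey.byok` places the option `--kty` where the value of `--byok-file` belongs and leaves the file name as a dangling positional argument. Since the hunk moves this line anyway, fix it to match the Key Vault variant directly above it: `az keyvault key import --hsm-name ContosoKeyVaultHSM --name ContosoFirstHSMkey --kty EC-HSM --curve-name "P-256" --byok-file KeyTransferPackage-ContosoFirstHSMkey.byok`. Minor: the four "For Managed HSM" labels in this hunk lack the colon used in the KEK section, and the closing sentence "If the upload is successful, Azure CLI displays the properties of the imported key." now also follows the Azure PowerShell tab, so it should mention the cmdlet as well.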
