The fastest way to deploy customer managed keys to be compliant with the Azure Enclave policy requiring CMK is through the Common Dependencies service catalog template.
Several types of encryption are available for securing your data on managed disks and other Azure PaaS services, including Azure Disk Encryption (ADE), Server-Side Encryption (SSE), and encryption at host. The Azure Enclave default governance and cybersecurity posture requires customer-managed-key (CMK) encryption for all resources deployed in an enclave.
Prerequisites for manual deployment method
- Portal access from the Admin VM (usually 192.168.x.x/26).
- Create a community endpoint to the Azure portal and Microsoft Azure services. A default endpoint that defines access to common Microsoft sites and endpoints can be created within the community; if one already exists, you can skip this step.
- Create an enclave connection to the community endpoint.
- You have the Key Vault Contributor role on the key vault, or on the workload resource group that contains the key vault.
Steps in this guide
- Create an RSA 2048 key in Key Vault, or bring your own key.
- Create a managed identity with permissions to the Key Vault key.
Enclave Key Vault
Every enclave is deployed with an Azure Key Vault in the default resource group for enclave infrastructure. Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys. By default, enclave contributors should be able to upload keys, secrets, or certificates to the enclave Key Vault and utilize existing Azure capabilities and design patterns of other Azure services to support CMK encryption.
Examples of setting up CMK encryption are provided in the following steps, with links to more detailed instructions and articles.
Create a Key in a Key Vault
- How-to Azure article - Key creation starts after Step 6
Disk encryption sets (Windows IaaS)
- Read how-to Azure article - starting after KV creation
- Learn more
Azure PaaS example (Storage account)
Create CMK from the Service Catalog (fastest and easiest)
Follow these instructions to create a key vault from the Service Catalog of validated templates for common Azure services.
Create CMK via the Portal
Alternatively, CMK can be created via the Portal.
Steps in this guide
Enable Enclave access to the Azure portal
Key vault access is restricted to the Key Vault's virtual network, so the key must be created from the Azure portal from within the Admin VM.
- Create enclave connection to community endpoint for access to the Azure portal.
Sign in to Admin VM
Follow these Admin VM instructions to sign in.
Update Key Vault from Admin VM
- After signing in to the Admin VM, open Microsoft Edge (for example, via the Start Menu).
- Navigate to https://portal.azure.com or the domain-specific portal URL.
Create Access Policy from Admin VM
- From the portal, navigate to the Key Vault and select Access Policy on the left side.
- Select Create.
- Select the "Configure from a template" dropdown and select Key Management.
- Select Next to go to the Principal tab.
- Enter your username in the search bar and select your user account.
- Select Next and then Create.
Generate Key for CMK in Key Vault
- From the portal, navigate to the Key Vault and select Keys on the left side.
- Select Generate/Import.
- Enter the name for the new key.
- Select Create. The default options should create an RSA 2048 key.
- Copy the key name you created.
- You can sign out of the Admin VM.
Create a user-assigned managed identity
Create a user-assigned managed identity for the enclave.
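The portal steps above (access policy, key generation, and managed identity) expressed as Azure CLI calls, as an added example that is not part of the original article or the Common Dependencies templates. The vault, resource group, key, identity and user names are placeholders; the permission list for the access policy approximates the portal's "Key Management" template and the identity is granted only what CMK consumers need (get, wrapKey, unwrapKey) rather than full key management. Setting `DRY_RUN=1` prints each command instead of running it, so the sequence can be reviewed before it touches the enclave.

```shell
#!/usr/bin/env sh
# Added example, not from the original article. Placeholders to replace:
#   KV_NAME  - the enclave Key Vault
#   RG_NAME  - resource group for the key vault and identity
#   KEY_NAME - name of the CMK to generate
#   MI_NAME  - name of the user-assigned managed identity
#   USER_UPN - your user principal name for the access policy
# DRY_RUN=1 prints the az commands instead of executing them.
set -eu

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step "Create Access Policy": grant the operator the key permissions the
# portal's Key Management template hands out (approximation, an assumption).
grant_user_key_management() {
  local kv="$1" upn="$2"
  run az keyvault set-policy --name "$kv" --upn "$upn" \
    --key-permissions get list create delete update import backup restore recover
}

# Step "Generate Key": same default as the portal, an RSA 2048 key.
create_cmk_key() {
  local kv="$1" key="$2"
  run az keyvault key create --vault-name "$kv" --name "$key" --kty RSA --size 2048
}

# Check: confirm the key type before wiring it into a disk encryption set
# or storage account (prints "RSA" for a key created above).
verify_cmk_key() {
  local kv="$1" key="$2"
  run az keyvault key show --vault-name "$kv" --name "$key" --query key.kty -o tsv
}

# Step "Create a user-assigned managed identity".
create_identity() {
  local rg="$1" mi="$2"
  run az identity create --resource-group "$rg" --name "$mi"
}

# Least privilege for the identity: read the key and wrap/unwrap data keys.
# It must not be able to create, delete or export keys.
grant_identity_cmk_access() {
  local kv="$1" rg="$2" mi="$3" principal_id
  if [ "${DRY_RUN:-0}" = "1" ]; then
    principal_id="<principalId-of-$mi>"   # placeholder in dry-run mode
  else
    principal_id="$(az identity show --resource-group "$rg" --name "$mi" \
      --query principalId -o tsv)"
  fi
  run az keyvault set-policy --name "$kv" --object-id "$principal_id" \
    --key-permissions get wrapKey unwrapKey
}

# Whole procedure, in the order the article presents it.
deploy_cmk() {
  grant_user_key_management "$KV_NAME" "$USER_UPN"
  create_cmk_key "$KV_NAME" "$KEY_NAME"
  verify_cmk_key "$KV_NAME" "$KEY_NAME"
  create_identity "$RG_NAME" "$MI_NAME"
  grant_identity_cmk_access "$KV_NAME" "$RG_NAME" "$MI_NAME"
}

# Usage: KV_NAME=... RG_NAME=... KEY_NAME=... MI_NAME=... USER_UPN=... sh cmk.sh deploy
if [ "${1:-}" = "deploy" ]; then
  deploy_cmk
fi
```

The `az keyvault set-policy` calls apply only to vaults using the access-policy permission model shown in the article's steps; a vault switched to Azure RBAC ignores them and needs role assignments instead. Run the script from the Admin VM for the same reason the article gives for the portal: the vault's network rules only admit traffic from its virtual network.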