Configure an Azure Key Vault for Customer Managed Keys

Documentation Experience Platform Experience Platform overview

Last update: Mon Jan 13 2025 00:00:00 GMT+0000 (Coordinated Universal Time)

Topics:
Privacy

CREATED FOR:

Developer

Customer Managed Keys (CMK) support keys from both Microsoft Azure Key Vaults and AWS Key Management Service (KMS). If your implementation is hosted on Azure, follow the steps below to create a Key Vault. For AWS-hosted implementations, refer to the AWS KMS configuration guide.

IMPORTANT

Only the Standard, Premium, and Managed HSM tiers for Azure Key Vault are supported. Azure Dedicated HSM and Azure Payments HSM are not supported. Refer to the for more information on offered key management services.

NOTE

The documentation below only covers the basic steps to create the Key Vault. Outside of this guidance, you should configure the Key Vault as per your organization鈥檚 policies.

The search feature in Microsoft Azure with Key vaults highlighted in the search results.

The Key vaults page appears after selecting the service. From here, select Create.

The Key vaults dashboard in Microsoft Azure with Create highlighted.

Using the provided form, fill in the basic details for the Key Vault, including a name and an assigned resource group.

WARNING

While most options can be left as their default values, make sure that you enable the soft-delete and purge protection options. If you do not turn on these features, you could risk losing access to your data if the Key Vault is deleted.

The Microsoft Azure Create a Key Vault workflow with soft delete and purge protection highlighted.

From here, continue going through the Key Vault creation workflow and configure the different options according to your organization鈥檚 policies.

Once you arrive at the Review + create step, you can review the details of the Key Vault while it goes through validation. Once validation passes, select Create to complete the process.

The Microsoft Azure Key vaults Review and create page with Create highlighted.

Configure access configure-access

Next, enable Azure role-based access control for your key vault. Select Access configuration in the Settings section of the left navigation, then select Azure role-based access control to enable the setting. This step is essential as the CMK App must later be associated with an Azure role. Assigning a role is documented in both the API and UI workflows.

The Microsoft Azure dashboard with Access configuration and Azure role-based access control highlighted.

Configure networking options configure-network-options

If your Key Vault is configured to restrict public access to certain virtual networks or disable public access entirely, you must grant Microsoft a firewall exception.

Select Networking in the left navigation. Under Firewalls and virtual networks, select the checkbox Allow trusted Microsoft services to bypass this firewall, then select Apply.

The Networking tab of Microsoft Azure with Networking and Allow trusted Microsoft surfaces to bypass this firewall exception highlighted.

Generate a key generate-a-key

Once you have created a Key Vault, you can generate a new key. Navigate to the Keys tab and select Generate/Import.

The Keys tab of Azure with Generate import highlighted.

Use the provided form to provide a name for the key, and select either RSA or RSA-HSM for the key type. For Azure-hosted implementations, the RSA key size must be at least 3072 bits as required for Azure Cosmos DB. Azure Data Lake Storage is also compatible with RSA 3027.

NOTE

Remember the name that you provide for the key, as it is required to send the key to 51黑料不打烊.

Use the remaining controls to configure the key you want to generate or import as desired. When finished, select Create.

The Create a key dashboard with 3072 bits highlighted.