Bring Your Own Key for Microsoft Azure Key Vault and Entrust KeyControl

- Solutions
  - Strong Identities
    1. Identity Verification
      Enable high assurance identities that empower citizens.
    2. ID Issuance
      Issue safe, secure digital and physical IDs in high volumes or instantly.
    3. User Identity
      Elevate trust by protecting identities with a broad range of authenticators.
    4. Machine Identity
      Issue and manage strong machine identities to enable secure IoT and digital transformation.
    5. Digital Signature
      Use secure, verifiable signatures and seals for digital documents.
  - Secure Payments
    1. Financial Issuance
      Issue digital and physical financial identities and credentials instantly or at scale.
    2. Digital Card Solution
      Issue digital payment credentials directly to cardholders from your bank's mobile app.
  - Trusted Infrastructure
    1. Post-Quantum Cryptography
      Find, assess, and prepare your cryptographic assets for a post-quantum world.
    2. Database Security
      Secure databases with encryption, key management, and strong policy and access control.
    3. Multi-cloud Security
      Keys, data, and workload protection and compliance across hybrid and multi-cloud environments.
- Industry
- Compliance
  - 1. PSD2
    2. HIPAA
    3. GDPR
    4. Swift
  - 1. CMMC
    2. eIDAS
    3. NITES
- Featured Products
  - As a Service Products
    1. Identity Verification as a Service
      Citizen verification for immigration, border management, or eGov service delivery.
    2. Identity as a Service (IDaaS)
      Cloud-based Identity and Access Management solution.
    3. Digital Signing as a Service
      Cloud-based digital signing solutions.
    4. Instant ID as a Service
      Issue physical and mobile IDs with one secure platform.
  - 1. Digital Card Solution
      Instantly provision digital payment credentials directly to cardholder’s mobile wallet.
    2. PKI as a Service
      A highly secure PKI that’s quick to deploy, scales on-demand, and runs where you do business.
    3. nShield as a Service
      Subscription-based access to dedicated nShield HSMs for cloud-based cryptographic services.
    4. Seamless Travel as a Service
      Remote identity verification, digital travel credentials, and touchless border processes.
  - 1. Instant Financial Issuance
      In-branch and self-service kiosk issuance of debit and credit cards.
    2. Central Financial Issuance
      High volume financial card issuance with delivery and insertion options.
    3. Instant ID Issuance
      Secure issuance of employee badges, student IDs, membership cards and more.
    4. Central ID Issuance
      Passports, national IDs and driver licenses.
    5. nShield HSMs
      Securely generate encryption and signing keys, create digital signatures, encrypting data and more.
  - 1. Cloud Security, Encryption and Key Management
      Powerful encryption, policy, and access control for virtual and public, private, and hybrid cloud environments.
    2. Digital Certificates
      TLS/SSL, digital signing, and qualified certificates plus services and tools for certificate lifecycle management.
    3. Identity and Access Management (IAM)
      One Identity portfolio for all your users — workforce, consumers, and citizens.
    4. Machine Identity Management
      Centralized visibility, control, and management of machine identities.
    5. Post-Quantum
      Learn what steps to take to migrate to quantum-resistant cryptography.
- Enterprise ID & Issuance
  - Instant ID as a Service
    Issue physical and mobile IDs with one secure platform.
    Learn More
  - Instant Issuance
    1. Sigma Direct-to-Card System
    2. Artista Retransfer System
    3. System Software
      Personalization, encoding and activation.
    4. Supplies
    5. Services
- Financial ID & Issuance
  - Digital Card Solution
    Instantly provision digital payment credentials directly to cardholder’s mobile wallet.
    Learn More
  - Digital Banking
    1. Digital Account Opening
    2. Digital Card Solution
  - Instant Issuance
    1. Sigma Direct-to-Card System
    2. Artista Retransfer System
    3. System Software
      Personalization, encoding and activation.
    4. Supplies
    5. Services
  - Central Issuance
    1. Card Issuance Systems
    2. Inline Card Delivery Systems
    3. Inline Envelope Insertion Systems
    4. Standalone Card Affixing/Envelope Insertion Systems
    5. Standalone Envelope Insertion Systems
    6. System Software
      Personalization, encoding, delivery and analytics.
    7. Supplies
    8. Services
- Government ID & Issuance
  - Digital Citizen
    1. eGovernment service delivery
    2. Identity Verification as a Service
    3. Seamless Travel as a Service
    4. ePassport as a Service
  - Central Issuance
    1. Passports, national IDs and driver licenses.
    2. Passport Issuance Systems
    3. National ID and Driver License Systems
    4. Inline Delivery & Insertion
    5. Standalone Delivery & Insertion
    6. System Software
      ID Personalization, encoding and delivery.
    7. Supplies
    8. Services
  - Instant Issuance
    1. Other citizen IDs and licenses.
    2. Sigma Direct-to-Card System
    3. Artista Retransfer System
    4. System Software
      Personalization, encoding, delivery and analytics.
    5. Supplies
    6. Services
  - Identity Verification as a Service
    Our IDVaaS solution allows remote verification of an individual’s claimed identity for immigration, border management, or digital services delivery.
    Learn More
- Cloud Security Posture Management
  - 1. CloudControl Enterprise for AWS
      Secure and ensure compliance for AWS configurations across multiple accounts, regions and availability zones.
    2. CloudControl Enterprise for Containers
      Security compliance and environmental hardening solution for contains and Kubernetes using VMware Tanzu and RedHat OpenShift platforms.
    3. CloudControl Enterprise for Swift
      Meet the compliance requirements for Swift’s Customer Security Program while protecting virtual infrastructure and data.
    4. CloudControl Enterprise for vSphere and NSX
      Comprehensive compliance, multi-factor authentication, secondary approval, RBAC for VMware vSphere NSX-T and VCF.
    5. CloudControl Foundation for vSphere
      Comprehensive compliance for VMware vSphere, NSX-T and SDDC and associated workload and management domains
  - CloudControl 30-Day Free Trial
    Entrust CloudControl offers comprehensive security and automated compliance across virtualization, public cloud, and container platforms while increasing visibility and decreasing risks that can lead to unintended downtime or security exposure.
    Start Free Trial
- Key Management and Encryption
  - 1. KeyControl for KMIP and Secrets
      Manage all your secrets and encryption keys, including how often you rotate and share them, securely at scale.
    2. KeyControl BYOK
      Create and manage encryption keys on premises and in the cloud. Manage your key lifecycle while keeping control of your cryptographic keys.
    3. KeyControl for Database Encryption
      Integrates with your database for secure lifecycle management of your TDE encryption keys.
    4. KeyControl for Backup and Recovery
      Integrates with your backup and recovery solution for secure lifecycle management of your encryption keys.
  - 1. DataControl for Azure
      Data encryption, multi-cloud key management, and workload security for Azure.
    2. DataControl for AWS
      Data encryption, multi-cloud key management, and workload security for AWS.
    3. DataControl for IBM Cloud
      Data encryption, multi-cloud key management, and workload security for IBM Cloud.
  - KeyControl 30-Day Free Trial
    VMware vSphere and vSAN encryption require an external key manager, and KeyControl is VMware Ready certified and recommended. KeyControl enables enterprises to easily manage all their encryption keys at scale, including how often keys are rotated, and how they are shared securely.
    Start Free Trial
- Hardware Security Modules (HSM)
  - nShield as a Service
    1. Subscription-based access to dedicated nShield Cloud HSMs.
  - nShield HSMs
    1. nShield Connect
      Networked appliances that deliver cryptographic key services to distributed applications.
    2. nShield Solo
      PCI-Express card-based HSMs.
    3. nShield Edge
      Personal, USB-connected desktop HSMs.
  - Management and Monitoring
    1. nShield Monitor
    2. nShield Remote Administration
  - CodeSafe
    1. SDK for securing sensitive code within a FIPS 140-2 Level 3 certified nShield HSM.
    2. Post-Quantum SDK
  - Software Option Packs
  - Compliance and Certification
    1. FIPS 140-2/140-3
    2. Common Criteria
    3. eIDAS
    4. NIST 800-53
    5. GDPR
    6. PSD2
    7. HIPAA
    8. PCI-DSS
    9. NITES
  - Why you need an HSM
    1. Learn about all the details related to what hardware security modules offer you in security and cost savings...
    2. Learn More
  - Use Cases
- TLS/SSL Certificates
  - BUY NOW
    1. Buy Certificates
    2. Renew Certificates
  - TLS/SSL Certificates
  - Qualified Certificates
  - Sales and Services
- Identity and Access Management (IAM)
  - Products
    1. Identity as a Service
      Cloud-Based IAM
    2. Identity Enterprise
      On-prem IAM
    3. Identity Essentials
      On-prem MFA solution for Windows users
    4. APIs and SDKs
  - Integrations
  - Testimonials
  - Workforce
  - Consumer and Citizen
  - Get Entrust Identity as a Service Free for 60 Days
    Explore the Identity as a Service platform that gives you access to best-in-class MFA, SSO, adaptive risk-based authentication, and a multitude of advanced features that not only keep users secure, but also contribute to an optimal experience.
    Start Free Trial
- Electronic and Digital Signing
  - EU Qualified Trust Services
    In addition to our long-standing Adobe Approved Trust List (AATL) membership, we are a European Qualified Trust Service Provider for the issuance of eIDAS qualified certificates for qualified signatures and advanced seals, for PSD2 certificates and for QWACs
    Learn More
  - Digital Signing as a Service
  - Digital Signing Certificates
  - Digital Signing Infrastructure
- Public Trust Certificates
  - Verified Mark Certificates (VMCs) for BIMI
    Show your official logo on email communications. Download our white paper to learn all you need to know about VMCs and the BIMI standard.
    Learn More
  - Buy and Renew TLS/SSL Certificates
    1. Buy Certificates
    2. Renew Certificates
  - Signing Certificates
  - Qualified Certificates
    1. PSD2 Qualified Electronic Seal Certificates
  - Sales and Services
- Public Key Infrastructure (PKI)
  - PKI as a Service
    1. Use Cases
    2. Post-Quantum PKIaaS
  - PKI Products
  - Managed Services
  - Certificate Lifecycle Management
  - Cryptographic Center of Excellence
    1. PKI Health Check
    2. Cryptographic Health Check
  - Try Post-Quantum PKI as a Service Now
    Get PQ Ready. PKIaaS PQ provides customers with composite and pure quantum Certificate Authority hierarchies.
    Try Now
- Internet of Things (IoT) Security
  - Credentialing and Provisioning
  - Machine Identity Management
  - Global PKI IoT Trends Study
    Find out how organizations are using PKI and if they’re prepared for the possibilities of a more secure, connected world.
    Learn More
- Machine Identity Management
  - Lifecycle Management
  - Credentialing and Provisioning
  - The State of Machine Identity Management
    A recent survey by IDG uncovered the complexities around machine identities and the capabilities that IT leaders are seeking from a management solution.
    Get the White Paper
- Post-Quantum
  - Issuance and Provisioning
    1. PKI as a Service PQ
    2. PQ Standards and Research
  - Cryptographic Center of Excellence
    1. Crypto Health Check
    2. PKI Health Check
  - Are you ready for the threat of post-quantum computing?
    Know where your path to post-quantum readiness begins by taking our assessment.
    Begin Assessment
- Partners
  - Become an Entrust Partner
    Our partner programs can help you differentiate your business from the competition, increase revenues, and drive customer loyalty. Consider joining one or more of our Entrust partner programs and strategically position your company and brand in front of as many potential customers as possible.
    Learn More
  - Partner Directory
    Search for partners based on location, offerings, channel or technology alliance partners.
    Search for a Partner
  - Programs
  - Partner Logins
- Support & Services
  - Contact Support
  - TrustedCare
    Product downloads, technical support, marketing development funds.
    Learn More
  - Digital Security Knowledge Base
    Guides, white papers, installation help, FAQs and certificate services tools.
    Learn More
  - Issuance Systems Knowledge Base
    Technotes, product bulletins, user guides, product registration, error codes and more.
    Learn More
  - PKI Professional Services
  - Cryptographic Center of Excellence
    Construct best practices and define strategies that work across your unique IT environment.
    Learn More
  - Custom Cryptographic Solutions
    1. Code Signing
    2. HSM Application Integration
  - Product Deployment Services
  - Packaged Services
  - Training
- Resources
  - Issuance Systems Knowledge Base
    Technotes, product bulletins, user guides, product registration, error codes and more.
    Learn More
  - Digital Security Knowledge Base
    Guides, white papers, installation help, FAQs and certificate services tools.
    Learn More
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- About Entrust
  - Securing a World in Motion Since 1969
    We’ve established secure connections across the planet and even into outer space. We’ve enabled reliable debit and credit card purchases with our card printing and issuance technologies. Protected international travel with our border control solutions. Created secure experiences on the internet with our SSL technologies. And safeguarded networks and devices with our suite of authentication products.
    Explore Our History
  - 1. Leadership
    2. Blog
    3. Careers
    4. Events
    5. Webinars
    6. Podcasts
    7. News Articles
    8. Press Releases
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Shop
  - Entrust Certificate Services Portal
    Existing Entrust Certificate Services customers can login to issue and manage certificates or buy additional services.
    Learn More
  - Entrust Certificate Services Retail
    Shop for new single certificate purchases.
    Learn More
  - Entrust Certificate Services Partner Portal
    Existing partners can provision new customers and manage inventory.
    Learn More
  - Instant Financial Card Issuance Supplies
    1. Registered Customer Login
    2. Request Access
- Search Entrust
  - Search:

Introduction
Procedures

Introduction

This document describes the integration of Microsoft Azure Key Vault Bring Your Own Key (referred to as Azure BYOK in this guide) with the Entrust KeyControl Key Management Solution (KMS).

Documents to read first

This guide describes how to configure the Entrust KeyControl server as a KMS in Azure BYOK.

Note	Entrust KeyControl v5.5 supports BYOK as an add-on. You can request a free trial of Entrust KeyControl BYOK here: https://go.entrust.com/keycontrol-byok-30-day-free-trial .

To install and configure the Entrust KeyControl server see KeyControl Installation and Upgrade Guide .

Also refer to the documentation and set-up process for Microsoft Azure BYOK in the Microsoft Azure Key Vault online documentation .

Product configurations

Entrust has successfully tested the integration of KeyControl with Azure BYOK in the following configurations:

System	Version
Entrust KeyControl	5.5

Features tested

Entrust has successfully tested the following features:

Feature	Tested
Create cloud key	✓
Delete cloud key	✓
Remove cloud key	✓
Cancel cloud key deletion	✓
Cloud key rotation	✓

Procedures

Follow these steps to install and configure KeyControl with VSP.

Install and configure Entrust KeyControl
Create and configure an Azure Key Vault application
Register the Azure Key Vault application
Create an Azure client secret
Set Azure Key Vault permissions for BYOK
Create an Azure CSP account
Create a key set in KeyControl
Create a cloud key in KeyControl
Create a cloud key in Azure Key Vault
Remove a cloud key in KeyControl
Delete a cloud key in KeyControl
Cancel a cloud key deletion in KeyControl
Rotate a cloud key in KeyControl

Install and configure Entrust KeyControl

Follow the installation and set-up instructions in KeyControl Installation and Upgrade Guide .

Once KeyControl is set up, you can continue with the integration.

Create and configure an Azure Key Vault application

To create and configure an Azure Key Vault application:

Create an Azure Key Vault application. For example:
Set the permissions for the BYOK service application. To do, this, open the Access Policies and select All in Key Permissions , Secrets Permissions , and Certificate Permissions . For example:
Select Home > Subscriptions and then select your subscription.
In Access control (IAM) , select the Role assignments tab.
Select the Reader role.

Note
The Owner permission of the subscription is required to perform this operation. For example:

See the following link for additional information Creating a service principal .

Register the Azure Key Vault application

To register the Azure Key Vault application:

Navigate to Azure Active Directory > App Registrations .
Select New registration .

The Register an application page appears.
Create the BYOK service application with the following parameters:
- For Name , enter azurebyokkeycontrol .
- For Supported account types , select Accounts in this organizational directory only (Entrust only - Single tenant) .
  
  For example:
Select Register .
Navigate to Azure Active Directory > App Registrations > azurebyokkeycontrol > API permissions .
Select Add a permission and add the following permissions:
1. For Azure Key Vault , select Delegated permissions and select user-impersonation . For example:
2. For Azure Service Management , select Delegate permissions and select user-impersonation .
3. For Microsoft Graph , select Delegate permissions and select both User.Read and Application.ReadWrite.All .
Select Add permissions .

The permissions update. For example:

See the following link for additional information Creating a service application in Azure Portal .

Create an Azure client secret

To create an Azure client secret:

Navigate to Home > Azure Active Directory > App registrations > azurebyokkeycontrol > Certificates & secrets .
Select New client secret .
Add the Description and the date on which the secret Expires . The recommended period is 24 months. For example:

Note
You must update the secret key in KeyControl before the expiration date to ensure uninterrupted access to Azure Key vaults.
Copy the Value of the new client secret.

Note
This value appears in Azure Portal only temporarily. When the portal hides the client secret, it cannot be retrieved and a new secret will need to be created.

See the following link for additional information Creating a client secret in Azure Active Directory .

Set Azure Key Vault permissions for BYOK

To set Azure Key Vault permissions for BYOK:

Navigate to Home > Key vault > azure-byok-keycontrol > Access policies .
Select Add access policy .

The Add access policy dialog appears.
In the Add access policy dialog:
1. For Key permissions , select All .
2. For Secret permissions , select All .
3. For Certificate permissions , select All .
4. For Select principal , add azurebyokkeycontrol .
For example:
Select Add .

The permissions update. For example:

See the following link for additional information Set permission for the BYOK service by configuring each Azure Key Vault .

Create an Azure CSP account

To create an Azure CSP account:

Navigate to Home > Azure Active Directory > App registrations > azurebyokkeycontrol .
Save the following:
- Application (client) ID
- Directory (tenant) ID
Select Home > Subscriptions and then select your subscription.
Save the following:
- Subscription ID

See the following link for additional information Creating a CSP account in Azure .

Create a key set in KeyControl

To create a key set in KeyControl:

In KeyControl, select BYOK on the main toolbar.
Select the Key Sets tab.
Select Actions > Create Key Set .

The Create Key Set dialog appears.
Enter a Name and Description for the key set. For example:
Select Continue .
Select the CSP Account tab.
If no accounts exist, select Add CSP Account .

The Add CSP Account dialog appears.
In the Details tab, enter the information saved during the Create an Azure CSP account process. For example:
Select Apply .
In the CSP Account tab, select the new CSP account. For example:
Select Continue .
In the HSM tab, check if an HSM is configured. For example:

If no HSM is configured, configure one before enabling it in this dialog.
Select Continue .
In the Schedule tab, select a Rotation Schedule matching the selection made during Create an Azure client secret . For example:
Select Apply .

The key set is added. For example:
Verify the Azure Key Vault setting Accessible is set to Yes . For example:

For additional information, see Creating a Key Set .

Create a cloud key in KeyControl

To create a cloud key:

In KeyControl, select BYOK on the toolbar.
Select the CloudKeys tab.
Select the Key Set and Key Vault . For example:
Select Actions > Create CloudKey .

The Create CloudKey dialog appears.
In the Details tab, enter the Name and Description . For example:
Select Continue .
In the Access tab, select the required Cipher . For example:
Select Continue .
In the Schedule tab:
1. Select a Rotation Schedule .
2. Set an Activation Date .
3. Set Expiration .
For example:
Select Continue .

The cloud key is created.
Verify the cloud key is visible in Azure key vault.

See the following link for additional information Creating a CloudKey .

Create a cloud key in Azure Key Vault

To create a cloud key in Azure Key Vault:

Navigate to Home > Key vaults > azure-byok-keycontrol > Keys > Generate/Import .

The Create a key dialog appears.
Enter the Name and select all that applies. For example:
Select Create .

The cloud key is created.
Verify the newly created key. For example:

Import the cloud key in KeyControl:

Select BYOK on the toolbar.
Select the Key Sets tab and select azurebyokkeycontrol .
Select Actions > Import CloudKey .

The Import Cloud Keys dialog appears.
Select a Key Vault . For example:
Select Import .

The key is imported.
Select the CloudKeys tab and select Refresh .
Verify the imported key. For example:

Remove a cloud key in KeyControl

To remove a cloud key in KeyControl:

In KeyControl, select BYOK on the main toolbar.
Select the CloudKeys tab.
Select the key to the removed. For example, azurebyokkeycontrol-createdInKeyControl .
Select Actions > Remove from Cloud .

The Remove from Cloud dialog appears.
Type the name of the key in Type CloudKey Name . For example:
Select Remove .

The cloud key is removed from KeyControl. Its Cloud Status becomes NOT AVAILABLE . For example:
Verify the key is gone in Azure. For example:

For additional information, see Removing a CloudKey from the Cloud .

Delete a cloud key in KeyControl

To delete a cloud key in KeyControl:

In KeyControl, select BYOK on the toolbar.
Select the CloudKeys tab.
Select the key to the removed. For example, azurebyokkeycontrol-createdInKeyControl .
Select Actions > Delete CloudKey .

The Delete CloudKey dialog appears.
Select a time in Define when the CloudKey should be permanently deleted . For example:
Select Delete .

The cloud key is deleted from KeyControl. The Cloud Status becomes PENDING DELETE . For example:
Verify the key is gone in Azure. For example:

For additional information, see Deleting a CloudKey .

Cancel a cloud key deletion in KeyControl

To cancel a cloud key deletion in KeyControl:

In KeyControl, select BYOK on the toolbar.
Select the CloudKeys tab.
Select the key for which you want to cancel a deletion. For example, azurebyokkeycontrol-createdInAzure .
Select Actions > Cancel Deletion .

The Cancel Deletion dialog appears. For example:
Select Cancel Delete .

The deletion is cancelled.
Verify the status change in KeyControl. For example:
Verify the key is now available in Azure. For example:

For additional information, see Canceling a CloudKey Deletion .

Rotate a cloud key in KeyControl

To rotate a cloud key in KeyControl:

In KeyControl, select BYOK on the toolbar.
Select the CloudKeys tab.
Select the key you want to rotate. Then, scroll down until you see the Rotate Now control. For example:
Select Rotate Now .

The key is rotated.
In Azure, navigate to Home > Key vaults > azure-byok-keycontrol > Keys > Key Name .
Verify that the key has been rotated. For example:

Table of Contents
Introduction
Procedures

RESOURCES

Integration Guide
Bring Your Own Key for Microsoft Azure Key Vault and Entrust KeyControl Integration Guide

Table of Contents