How to protect, back up, audit and synchronize your private encryption keys stored in an Azure Key Vault (software- or HSM-protected)

With the Thales CipherTrust Cloud Key Manager (CCKM) solution we can take control of the customer-managed encryption keys that Azure and Office 365 services consume from Azure Key Vault. CCKM manages the whole life cycle of those keys: generation, import into Azure, versioning and rotation, revocation, and audit of their use.

The keys themselves are held in a Vormetric Data Security Manager (DSM) digital safe, available as an on-premises hardware appliance, an on-premises virtual appliance or a cloud instance.

The Thales CCKM appliance itself is deployed either on premises or as a cloud service.

Here is the schematic diagram:

In CCKM we create one Security Blade per cloud service (Azure tenant, Azure Government, Salesforce, AWS) and open its console:

The link with Azure is configured through an “Enterprise Application”, i.e. an Azure AD application and its service principal, whose credentials the appliance uses to call the Azure and Key Vault APIs. Grant that identity only the Key Vault key permissions CCKM actually needs (no secret or certificate permissions), and protect its client secret or certificate like any other high-value credential: whoever holds it can manage every key in the vaults it is allowed to reach.

Then we can synchronize all the keys already present in Azure into the DSM safe. Note that Azure Key Vault never exports the private material of a key it generated: what this synchronization brings under CCKM management is the key inventory (names, versions, attributes, state), so those keys can be tracked, rotated and revoked from CCKM, but the key bits themselves stay in Azure. Only keys born in the DSM are actually backed up there.

We can then generate a key in our DSM safe and export it directly to Azure Key Vault (bring your own key). For HSM-protected vaults the export uses Azure’s BYOK flow, in which the key is wrapped for the target HSM before it leaves the DSM, so the DSM keeps the only clear copy outside Azure:

We can also manage key versions directly from the CCKM interface and set up an automatic rotation policy; each new version is exported to Azure Key Vault. Rotation creates a new key version rather than replacing the old one, and data encrypted under an older version can only be unwrapped while that version stays enabled, so do not disable or delete old versions until the consuming services have re-wrapped their data encryption keys with the new one.

The revocation function (disabling or deleting a key version in Azure) is also available directly from CCKM. Disabling a key immediately stops the Azure service from unwrapping the data encryption keys it protects, which makes it an effective kill switch, and an equally effective outage if triggered by mistake; restrict this operation to a small set of operators.

The report function lets you audit key usage and life-cycle events, and shows which cloud applications (here in Azure) consumed each key:

Here we can see that it was the Blob Storage service, acting for a specific storage account, that consumed the key: Storage Service Encryption with customer-managed keys wraps and unwraps the storage account’s data encryption key with it, so every wrap or unwrap appears as a use of our key by that account’s identity:
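The same question the CCKM report answers (which identity used which key, and how) can also be checked directly against the Key Vault diagnostic logs that Azure ships to Log Analytics (category AuditEvent), which is useful to cross-check the CCKM report or to alert on callers that should never touch a key. The script below is an added example, not part of the original article or of the CCKM product: it parses a constructed sample of AuditEvent records (vault name, key name and application IDs are invented; the field names follow the Key Vault diagnostic log schema as assumed here), tallies which caller performed which cryptographic operation on each key, and flags successful crypto calls from identities that are not on a per-key allow-list as well as failed calls.

```python
"""Audit Azure Key Vault AuditEvent records: who used which key, and how."""
import json
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed identities (not real GUIDs). STORAGE_MI_APPID stands for the
# storage account's managed identity that wraps/unwraps its data encryption key.
STORAGE_MI_APPID = "11111111-aaaa-4bbb-8ccc-000000000001"
ADMIN_APPID = "22222222-aaaa-4bbb-8ccc-000000000002"   # an operator's application
ROGUE_APPID = "33333333-aaaa-4bbb-8ccc-000000000003"   # should never use this key

KEY_URI = "https://contoso-kv.vault.azure.net/keys/blob-cmk/1a2b3c"


def _rec(time, op, appid, key_uri, result="Success", status=200, ip="10.0.0.4"):
    """Build one record in the shape of a Key Vault AuditEvent entry (constructed)."""
    return {
        "time": time, "operationName": op, "category": "AuditEvent",
        "resultType": result, "callerIpAddress": ip,
        "identity": {"claim": {"appid": appid}},
        "properties": {"id": key_uri, "httpStatusCode": status},
    }


# Constructed newline-delimited sample log, as exported from diagnostic settings.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _rec("2024-03-01T08:00:01Z", "KeyWrap", STORAGE_MI_APPID, KEY_URI),
    _rec("2024-03-01T08:00:02Z", "KeyUnwrap", STORAGE_MI_APPID, KEY_URI),
    _rec("2024-03-01T08:05:00Z", "KeyUnwrap", STORAGE_MI_APPID, KEY_URI),
    _rec("2024-03-01T09:00:00Z", "KeyGet", ADMIN_APPID, KEY_URI),          # metadata read, not crypto
    _rec("2024-03-01T09:30:00Z", "KeyUnwrap", ROGUE_APPID, KEY_URI, ip="203.0.113.7"),
    _rec("2024-03-01T10:00:00Z", "KeyDecrypt", ADMIN_APPID, KEY_URI, "Failed", 403),
])

# Which application IDs are expected to perform crypto operations with each key.
ALLOWED = {"blob-cmk": {STORAGE_MI_APPID}}

# Operations that actually use the key material, as opposed to reading metadata.
KEY_OPS = {"KeyWrap", "KeyUnwrap", "KeyEncrypt", "KeyDecrypt", "KeySign", "KeyVerify"}


def parse_log(text):
    """Parse newline-delimited JSON records, keeping only AuditEvent entries."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            rec = json.loads(line)
            if rec.get("category") == "AuditEvent":
                records.append(rec)
    return records


def key_from_uri(uri):
    """'https://v.vault.azure.net/keys/NAME/VERSION' -> (NAME, VERSION or None)."""
    parts = urlparse(uri).path.strip("/").split("/")
    if len(parts) < 2 or parts[0] != "keys":
        return None
    return parts[1], (parts[2] if len(parts) > 2 else None)


def _caller(rec):
    return rec.get("identity", {}).get("claim", {}).get("appid", "<no-appid>")


def usage_by_key(records):
    """Map key name -> caller appid -> Counter of successful crypto operations."""
    usage = defaultdict(lambda: defaultdict(Counter))
    for rec in records:
        key = key_from_uri(rec.get("properties", {}).get("id", ""))
        op = rec.get("operationName")
        if key is None or op not in KEY_OPS or rec.get("resultType") != "Success":
            continue
        usage[key[0]][_caller(rec)][op] += 1
    return usage


def find_anomalies(records, allowed):
    """Return (kind, key, operation, appid, caller_ip) for failed calls and for
    successful crypto calls by an identity not allow-listed for that key."""
    findings = []
    for rec in records:
        key = key_from_uri(rec.get("properties", {}).get("id", ""))
        if key is None:
            continue
        op, appid, ip = rec.get("operationName"), _caller(rec), rec.get("callerIpAddress")
        if rec.get("resultType") != "Success":
            findings.append(("failed", key[0], op, appid, ip))
        elif op in KEY_OPS and appid not in allowed.get(key[0], set()):
            findings.append(("unexpected-caller", key[0], op, appid, ip))
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, callers in usage_by_key(recs).items():
        for appid, ops in callers.items():
            print(f"{key}: {appid} -> {dict(ops)}")
    for finding in find_anomalies(recs, ALLOWED):
        print("ALERT", *finding)
```

In production the records come from the Log Analytics export or the diagnostic-setting storage container rather than the embedded sample, and the allow-list is derived from the identities CCKM reports as legitimate consumers; the script deliberately ignores KeyGet and other metadata reads so that operators browsing a key do not trigger the same alert as an unexpected unwrap.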

In summary, with Thales CipherTrust Cloud Key Manager together with Azure’s Log Analytics and Key Vault services, we can consume Microsoft IaaS and SaaS services while keeping control of, and an audit trail for, the encryption keys that secure them.

Note that CCKM also supports other cloud services such as Salesforce or Amazon Web Services.

Feel free to contact us if you would like more information or a demonstration of these technologies.

Author : Thibaud Merlin