Azure Managed HSM Services

Task 1: Setting up the Encryption Key and an Application Registration

  1. Go to Azure, Entra ID.

  2. Click App Registrations on the left.

  3. Select New registration.

  4. Name the registration and click Create.

  5. Copy the Directory (tenant) ID and the Application (Client) ID for later.

  6. Click Add a certificate or secret, located next to the client credentials.

  7. Select New Client Secret.

  8. Add a description and an expiration.

    Set up a procedure now to create a new client secret in Azure and update it in Secret Server before this expiration is reached; otherwise you lose access to your Secret Server instance.

  9. Select Add to save your changes.

  10. Copy the Value. You will not get an opportunity to copy this data again.

  11. Read through and plan via the Azure Managed HSM documentation.

  12. Create your Azure Key Vault Managed HSM and Activate it.

  13. Utilizing a user that has permissions (Local RBAC or IAM, depending on your configuration), go to Settings > Keys.

  14. Click Generate/Import/Restore Backup, and then choose Generate.

  15. Name your key.

  16. Choose key type AES-HSM, and key size 256. No other key type or size will work.

  17. Ensure the operations include wrap key and unwrap key, and create the key.

  18. Copy the key identifier URL field and key name.

  19. Under Settings, go to Local RBAC.

    IAM can be used instead of Local RBAC. If you use IAM, read the permissions and adjust them as needed.

  20. Click Add.

  21. For Role, use Managed HSM Crypto User.

  22. For Scope, use single key.

  23. For key name, use the key name of the key you created earlier.

  24. For security principal, select App Registration and secret, and select the app registration you created earlier.

    You will not see the new entry directly on the Local RBAC page. It will display when navigating to the key and clicking Role Assignments.
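The same Task 1 setup as Azure CLI calls, added here as an example; it is not Delinea's or Microsoft's code. It assumes the Managed HSM already exists and is activated, that the caller can create app registrations and hold Managed HSM local RBAC administrator rights, and the names APP_NAME, HSM_NAME and KEY_NAME are placeholders. The printed values are the ones Task 2 asks for.

```shell
#!/usr/bin/env bash
# Added example: Task 1 (app registration, client secret, AES-256 wrap key,
# single-key Crypto User role) via the Azure CLI. Names below are assumptions.
set -euo pipefail

APP_NAME="${APP_NAME:-secret-server-hsm}"   # assumed app registration name
HSM_NAME="${HSM_NAME:-my-mhsm}"             # assumed, already created and activated
KEY_NAME="${KEY_NAME:-secret-server-wrap}"  # assumed key name

# Secret Server needs a Managed HSM key identifier; a vault.azure.net
# (standard Key Vault) URL is the common mistake this check catches.
check_key_url() {
  case "$1" in
    https://*.managedhsm.azure.net/keys/?*) return 0 ;;
    *) return 1 ;;
  esac
}

provision() {
  # Steps 3-10: registration, its service principal, and a client secret.
  local app_id sp_id tenant_id key_url
  app_id=$(az ad app create --display-name "$APP_NAME" --query appId -o tsv)
  sp_id=$(az ad sp create --id "$app_id" --query id -o tsv)
  tenant_id=$(az account show --query tenantId -o tsv)
  echo "Tenant ID: $tenant_id"
  echo "Client ID: $app_id"
  # The secret value is shown once; rotate it in Secret Server before the
  # one-year expiry set here.
  echo "Client secret: $(az ad app credential reset --id "$app_id" \
        --display-name secret-server --years 1 --query password -o tsv)"

  # Steps 14-17: oct-HSM is the CLI/REST name of the portal's AES-HSM type.
  az keyvault key create --hsm-name "$HSM_NAME" --name "$KEY_NAME" \
     --kty oct-HSM --size 256 --ops wrapKey unwrapKey -o none

  # Step 18: the key identifier URL, validated before it is handed over.
  key_url=$(az keyvault key show --hsm-name "$HSM_NAME" --name "$KEY_NAME" \
            --query key.kid -o tsv)
  check_key_url "$key_url"
  echo "Key URL: $key_url"

  # Steps 19-24: Crypto User role scoped to this single key, for the
  # service principal (object id) of the app registration.
  az keyvault role assignment create --hsm-name "$HSM_NAME" \
     --role "Managed HSM Crypto User" --assignee "$sp_id" \
     --scope "/keys/$KEY_NAME" -o none
}

if [ "${1:-}" = "provision" ]; then provision; fi
```

Run it as `./provision.sh provision`; without the argument it only defines the functions.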

Task 2: Adding the Encryption Key and Application Registration Details in Secret Server

  1. Log into SSC.

  2. Search for Key Management. The Key Management page appears.

  3. Click the Edit button. The page becomes editable.

  4. From the Key Management Type dropdown list, select Azure Managed HSM.

  5. Type in your Azure Managed HSM Tenant ID value.

  6. Type in your Azure Managed HSM Principal ID (this is the Application/Client ID) value.

  7. Type in your Azure Managed HSM Principal Secret (the secret value of the client secret).

  8. Type in the Azure Managed HSM Key URL that you saved earlier.

  9. Select the checkbox that states Maintenance Mode will be enabled and a Secret Key Rotation will be triggered.

  10. Click the Save button.

Task 3: Secret Key Rotation

Once you save your changes, your new settings are validated and a secret key rotation is triggered. You can now view the progress of the rotation:

  1. Navigate to Settings > Configuration Search > Security > Secret Key Rotation.

  2. Click the Rotate Secret Keys button to perform the operation.

Later, you can repeat the process to change the Managed HSM encryption key, or you can select None for the Key Management Type in Task 2 to disable it completely.