Quickstart for Azure External Key Management
This page provide an overview of how to integrate the Azure Managed HSM external key management with a Primus HSM or CloudHSM. For full details, please see the linked sections of the installation guide.
- Prerequisites:
- Prepare an Azure subscription for use with external key management, ensure sufficient permissions.
- Create or use an existing Managed HSM and enable external key management for it.
- Obtain a Securosys HSM and configure it or use a preconfigured CloudHSM Partition.
- Prepare a host on which to deploy the Securosys EKM Proxy for external key management.
- Obtain a publicly signed CA certificate for your proxy host domain name.
- Install the EKM Proxy:
- Configure the EKM Proxy and deploy it.
- Integrate with Azure:
- Obtain the Managed HSM client certificate and common name.
- Update the EKM Proxy with the Managed HSM client certificate and common name.
- Establish a connection between your Managed HSM and EKM Proxy.
- Enable Customer managed keys and create an external RSA or AES key.
When Azure Services performs crypto operations against the External Managed HSM Key, a communication channel is opened between the EKM Proxy and the Managed HSM. The operation is performed in your on-premise Primus HSM or your CloudHSM Partition.