Prerequisites

Make sure the following prerequisites are met before continuing with the BYOK procedure:

  • Azure subscription with Key Vault Premium SKU,
  • Azure CLI version 2.1.0 or later,
  • Securosys Primus HSM or CloudHSM Service with JCE license and JCE API enabled; Elliptic Curve (EC) support requires HSM firmware 2.8.21 or newer,
  • Securosys Primus Tools v2.2.7 or newer; see the Primus Tools - Prerequisites section for the Primus Tools prerequisites.
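
A pre-flight check for the two Azure-side prerequisites above, as an added example that is not part of the Securosys documentation: it compares the installed Azure CLI version numerically against 2.1.0 and confirms that the target vault uses the Premium SKU. The function names are hypothetical, and it assumes `az login` has already been run for the subscription that holds the vault.

```sh
#!/bin/sh
# Pre-flight check for the Azure-side prerequisites (added example).
# Function names are hypothetical; the vault name is supplied by the caller.

MIN_AZ_CLI="2.1.0"   # minimum Azure CLI version from the prerequisites list

# version_ge A B: succeeds when dotted version A >= B, compared field by field.
version_ge() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        f1=${v1%%.*}; f2=${v2%%.*}
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
        f1=${f1%%[!0-9]*}; f2=${f2%%[!0-9]*}   # drop suffixes such as "rc1"
        [ "${f1:-0}" -gt "${f2:-0}" ] && return 0
        [ "${f1:-0}" -lt "${f2:-0}" ] && return 1
    done
    return 0
}

# parse_az_version: reads `az --version` output on stdin, prints the CLI version.
parse_az_version() {
    sed -n 's/^azure-cli[^0-9]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# sku_is_premium SKU: succeeds only for the Premium SKU (case-insensitive).
sku_is_premium() {
    [ "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" = "premium" ]
}

# preflight VAULT_NAME: runs both checks against the logged-in subscription.
preflight() {
    vault=$1; rc=0
    ver=$(az --version 2>/dev/null | parse_az_version)
    if [ -n "$ver" ] && version_ge "$ver" "$MIN_AZ_CLI"; then
        echo "ok:   Azure CLI $ver"
    else
        echo "FAIL: Azure CLI ${ver:-not found}, need $MIN_AZ_CLI or later"; rc=1
    fi
    sku=$(az keyvault show --name "$vault" --query properties.sku.name \
          --output tsv 2>/dev/null)
    if sku_is_premium "$sku"; then
        echo "ok:   Key Vault '$vault' uses the Premium SKU"
    else
        echo "FAIL: Key Vault '$vault' SKU is '${sku:-unknown}', need premium"; rc=1
    fi
    return "$rc"
}
```

Source the file and call `preflight <vault-name>`; a non-zero return status means at least one prerequisite is unmet.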

Primus HSM Configuration

Setting up the Primus HSM hardware or your CloudHSM partition is not described in this guide. Please refer to the corresponding User Guides downloadable from the Securosys Support Portal.

On the Securosys Primus HSM or Securosys CloudHSM partition, the Crypto policy (and User policy) must be configured to allow Key Export and Key Extract for the partition in use.

Note

The CloudHSM partition is preconfigured for Azure BYOK. Ensure the JCE API is included and activated in your subscription. For available service packages and options, please consult our website, Securosys CloudHSM Service, and contact Securosys sales.

Follow the steps below to configure the on-premises Primus HSM:

  • Enable Key Export on user/partition level (SO activation required):
    SETUP → CONFIGURATION → SECURITY → USER SECURITY → KEY EXPORT
  • Enable Key Extract on user/partition level (SO activation required):
    SETUP → CONFIGURATION → SECURITY → USER SECURITY → KEY EXTRACT
  • The primus-tools commands require the JCE interface enabled on device and user level (plus license):
    SETUP → CONFIGURATION → SECURITY → DEVICE SECURITY → CRYPTO POLICY → JCE
    SETUP → CONFIGURATION → SECURITY → USER SECURITY → JCE
  • The primus-tools commands require a valid setup password, which can be renewed as follows:
    ROLES → USER → NEW SETUP PASSWORD