Creating an Azure type keystore

If your remote key server is Microsoft Azure Key Vault, you can create two types of keystore: "AZURE-EAR", used by the Storage Space Encryption feature, or "AZURE-BAR", used by the Integrated Backup Encryption feature.

The only difference between the two sets of credentials is that AZURE-EAR additionally requires access to the Azure Secrets inside the Key Vault, where the IDS Master Encryption Key is stored.

When creating an AZURE keystore, the operator must have the following information readily available:
  • Azure Vault Url: the URL used to access your key vault. This value is generated by Azure when a new key vault is created (Home -> All resources -> "Key Vault Name" -> Overview -> DNS Name).
  • Azure Client Id: this feature requires access to the Azure Active Directory infrastructure, so you need to create a Web Application under your username and provide its "Application Id" (Active Directory -> Users -> All User -> "User Id" -> Applications -> "Application Name" -> Application Id).
  • Azure Client Secret: when the Web Application is created, you are given both the Application Id and the Application Secret. The application secret cannot be recovered after the application has been created.
  • Azure Directory Id: your Key Vault is created under an Active Directory, and you need to provide its Directory Id (Home -> All resources -> "Key Vault Name" -> Overview -> Directory ID).
  • Azure Key Name: the name or full id of the Azure Key (Remote Master Encryption Key, RMEK). This key never leaves the Azure infrastructure; onkstore uses it to encrypt the locally generated Master Encryption Key used by the IDS Storage Space Encryption feature, and the On-Bar/ontape utilities use it to encrypt the Backup Encryption Keys used by the Integrated Backup Encryption feature. In Azure, you can provide a simple name for this key (i.e. "MY_IDS_MEK"), in which case the LATEST version of the key is used (each time the key is rotated a newer Id becomes available), or you can specify the Id of the key you want to use (i.e. "MY_IDS_MEK/wsdd6405fb584cf9a3c63f6926d2e92e"), in which case that same key keeps being used even after it is rotated.
  • Azure Encrypt Algorithm: when you create the RMEK in Azure Key Vault, you can select among several types of keys, and depending on the key type you can select different algorithms to encrypt data with it. Provide here a valid algorithm name for the type of RMEK you created.
  • Azure Secret Name: the name of the secret in which the IDS MEK will be stored. This is used only if you create an AZURE-EAR type keystore. If you provide a simple name (i.e. "INFORMIX-256BIT"), a new MEK is generated and stored, and the ID of the newly stored secret is recorded. If you provide a full ID for the secret (i.e. "INFORMIX-256BIT/284ded569a8b40be8e4de2254ddeedd7"), onkstore tries to retrieve that secret and returns an error if it is not present.
To use a JSON file as input for onkstore, create a file with the following structure:

    {
      "Credentials" : {
        "Type" : "...",
        "Azure Vault Url" : "...",
        "Azure Client Id" : "...",
        "Azure Client Secret" : "...",
        "Azure Directory Id" : "...",
        "Azure Key Name" : "...",
        "Azure Encrypt Algorithm" : "...",
        "Azure Secret Name" : "..."
      }
    }

where the value for "Type" is either "azure-ear" or "azure-bar", and "Azure Secret Name" is only used for the azure-ear type.
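As an added example (not part of this documentation or of the onkstore tool itself), the following Python builds and validates the credentials file described above: it requires "Azure Secret Name" only for azure-ear, tells a bare key name (latest version, rotation followed) apart from a name/id reference (pinned version), and creates the file readable by its owner only, since it carries the client secret in clear text. Field names are those from this page; the sample values and the "RSA-OAEP" algorithm are constructed placeholders, not values onkstore is documented to accept.

```python
import json
import os

# Field names are those this page lists for the onkstore "Credentials" document.
COMMON_FIELDS = ("Azure Vault Url", "Azure Client Id", "Azure Client Secret",
                 "Azure Directory Id", "Azure Key Name", "Azure Encrypt Algorithm")

def key_reference_kind(key_name):
    """'latest' for a bare key name (rotation is followed), 'pinned' for name/<id>."""
    if "/" not in key_name:
        return "latest"
    name, version = key_name.split("/", 1)
    if not name or not version:
        raise ValueError("malformed key reference: %r" % key_name)
    return "pinned"

def build_credentials(ks_type, values):
    """Assemble the "Credentials" document; the secret name is required only for azure-ear."""
    ks_type = ks_type.lower()
    if ks_type not in ("azure-ear", "azure-bar"):
        raise ValueError("Type must be azure-ear or azure-bar")
    missing = [f for f in COMMON_FIELDS if not values.get(f)]
    if ks_type == "azure-ear" and not values.get("Azure Secret Name"):
        missing.append("Azure Secret Name")
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    key_reference_kind(values["Azure Key Name"])  # reject a malformed name/id reference
    creds = {"Type": ks_type}
    creds.update((f, values[f]) for f in COMMON_FIELDS)
    if ks_type == "azure-ear":
        creds["Azure Secret Name"] = values["Azure Secret Name"]
    return {"Credentials": creds}

def write_credentials_file(path, doc):
    """Create the file with mode 0600 (owner only): it holds the client secret in clear text."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(doc, fh, indent=2)
    return os.stat(path).st_mode & 0o777  # returns the permission bits actually set

SAMPLE = {  # constructed placeholders, not real credentials
    "Azure Vault Url": "https://example-vault.vault.azure.net/",
    "Azure Client Id": "<application-id>",
    "Azure Client Secret": "<application-secret>",
    "Azure Directory Id": "<directory-id>",
    "Azure Key Name": "MY_IDS_MEK",          # bare name: latest version after rotation
    "Azure Encrypt Algorithm": "RSA-OAEP",   # assumed; must match the RMEK's key type
    "Azure Secret Name": "INFORMIX-256BIT",
}
```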

Copyright© 2020 HCL Technologies Limited