Who can use this feature?
Workspace Owners, Super Admins, and Admins
If you are interested in this feature but don't see it available in your workspace, contact our Sales team via email at sales@cerby.com.
With Cerby, you can set up an Azure Key Vault integration for your workspace to use external keys and Azure Key Management Service (KMS) to perform secure encryption and decryption of the accounts and secrets you store in Cerby.
Our cloud encryption scheme already uses AWS KMS for vault key encryption, but you can leverage your existing Microsoft Entra ID (formerly Azure Active Directory) environment via a service principal to encrypt your data with your Azure vault key.
The Azure Key Vault integration encrypts a Cerby vault key that is then used to encrypt your data; therefore, without access to the Azure vault key, Cerby cannot decrypt your accounts and secrets. For more information about our encryption schemes, read the article How Cerby protects your data with cloud and local encryption.
With a service principal, which is your app’s identity in the Microsoft Entra tenant, you can restrict access to your resources by the roles assigned to it. Therefore, this integration empowers you with granular access control and precise management over your cryptographic keys, enabling you to meet your compliance requirements and maintain control over your data security in the cloud.
For the setup in Cerby, you must retrieve the following values from Entra ID:
Service Principal
Directory (tenant) ID
Application (client) ID
Client credentials or secret
Key Vault
Vault URI
Key vault name
IMPORTANT: Currently, Cerby supports creating only one cloud vault per provider. Therefore, you can only create one cloud vault with Azure external keys after setting up the Azure Key Vault integration.
This article describes how to set up an Azure Key Vault integration.
Requirements
The following are the requirements to set up an Azure Key Vault integration:
An Entra ID tenant
An active Entra ID account with permissions to create a service principal and to assign roles on the resource groups, such as User Access Administrator or Role Based Access Control Administrator. For more information, read the Create a Microsoft Entra application and service principal that can access resources official documentation.
A registered Azure subscription. For more information, read the Associate or add an Azure subscription to your Microsoft Entra tenant official documentation.
A Cerby workspace
A Cerby account with the Workspace Super Admin or Admin role
Set up an Azure Key Vault integration
To set up an Azure Key Vault integration, you must complete the following main steps:
1. Create a service principal in Entra ID
2. Create a key vault in Entra ID
3. Generate a key in Entra ID
4. Grant access to the key vault for the service principal in Entra ID
5. Set up the Azure Key Vault integration in Cerby
The following sections describe each main step.
1. Create a service principal in Entra ID
To create a service principal in Entra ID, you must complete the following steps:
Log in to the Azure Portal.
Select the Microsoft Entra ID option from the Azure services section or the drop-down menu located at the top left of the page. The Overview page is displayed.
Select the App registrations option from the left navigation drawer. The App registrations page is displayed.
Create a new app by performing the following actions:
Click the New registration button. The Register an application page is displayed.
Enter a name for your app in the Name field.
Click the Register button located at the bottom left of the page. The page closes, and a success message box and the new app are displayed on the App registrations page.
Create a client secret for the new app by performing the following actions:
Click the new app from the list of applications. The Overview page of the app is displayed.
Click the Add a certificate or secret button from the Essentials section. The Certificates & secrets page is displayed with the Client secrets tab activated.
Click the New client secret button. The Add a client secret flyout panel is displayed at the right.
Enter a description for the client secret in the Description field.
Select an expiration time from the Expires drop-down list.
Click the Add button located at the bottom of the pane. The flyout panel closes, and a success message box and the new client secret are displayed.
Copy the value of the client secret now, because Azure displays it only once and you need it later in the 5. Set up the Azure Key Vault integration in Cerby main step.
Select the Overview option from the left navigation drawer. The Overview page of the app is displayed.
Copy the values of the following fields from the Essentials section because you need them later, in the 5. Set up the Azure Key Vault integration in Cerby main step:
Application (client) ID
Directory (tenant) ID
The next step is 2. Create a key vault in Entra ID.
2. Create a key vault in Entra ID
To create a key vault in Entra ID, you must complete the following steps:
Click the Home button located at the top left of the page.
Click the Create a resource button from the Azure services section or the drop-down menu located at the top left of the page. The Create a resource page is displayed.
Enter key vault in the search box.
Select the Key Vault option. The Key Vault page is displayed.
Click the Create button. The Create a key vault page is displayed.
Enter the information or select the corresponding option in the following fields and drop-down lists:
Subscription
Resource group
IMPORTANT: If you don’t have a resource group, click the Create new button located below the field to open a popup window and create the resource group.
Key vault name
Region
Pricing tier
Soft-delete
Days to retain deleted vaults
Purge protection
Click the Review + create button. The page closes, and a success message box and the new key vault are displayed on the Key vaults page.
Click the new key vault. The Overview page of the key vault is displayed.
Copy the value from the Vault URI field because you need it later in the 5. Set up the Azure Key Vault integration in Cerby main step.
The next step is 3. Generate a key in Entra ID.
3. Generate a key in Entra ID
To generate a key in Entra ID, you must complete the following steps:
Select the Keys option from the left navigation drawer on the details page of your new key vault. The Keys page is displayed.
Click the Generate/Import button. The Create a key page is displayed.
Enter a name for the key in the Name field.
Select the RSA and 4096 options from the Key type and RSA key size fields, respectively.
IMPORTANT: Make sure those options are selected; otherwise, the integration will not work.
Copy the value of the key name because you need it later in the 5. Set up the Azure Key Vault integration in Cerby main step.
Click the Create button located at the bottom left of the page. The page closes, and a success message box and the new key are displayed on the Keys page.
The next step is 4. Grant access to the key vault for the service principal in Entra ID.
4. Grant access to the key vault for the service principal in Entra ID
To grant permissions to the service principal for the key vault in Entra ID, you must complete the following steps:
Select the Access control (IAM) option from the left navigation drawer on the details page of your new key vault. The Access control (IAM) page is displayed.
Click the Add role assignment button from the Grant access to this resource section. The Add role assignment page is displayed with a list of roles.
Select the corresponding role from the list.
IMPORTANT: Following the principle of least privilege, Key Vault Crypto User is the role with the least access; Key Vault Administrator is the role with the highest access.
Click the Next button. The Members tab is activated.
Click the Select members button. The Select members flyout panel is displayed at the right with a list of members.
Enter the name of the service principal in the search box.
Select the service principal.
Click the Select button. The page closes, and a success message box is displayed.
NOTE: You can confirm the successful role assignment by activating the Role assignments tab. The role you selected is displayed on a list, linked to the service principal.
The next step is 5. Set up the Azure Key Vault integration in Cerby.
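The following script is an added example and is not Cerby's or Microsoft's own code. It reproduces main steps 1 to 4 with the Azure CLI instead of the portal (an app registration with a client secret, a key vault with RBAC authorization, soft-delete retention and purge protection, an RSA 4096 key, and a Key Vault Crypto User role assignment scoped to that vault only) and finishes by printing the five values that the Cerby dialog box asks for in main step 5. It assumes the `az` CLI is installed and logged in with an account that meets the requirements above; every name (app, resource group, region, vault, key) is a placeholder you override through environment variables. Only the two helper functions run without Azure access; the Azure calls run when you pass the `apply` argument.

```shell
#!/usr/bin/env bash
# Added example (not Cerby's or Microsoft's code): Azure CLI equivalent of
# main steps 1-4. Assumes `az` is installed and `az login` was already run.
set -eu

# Placeholders: override them in the environment before running with `apply`.
APP_NAME="${APP_NAME:-cerby-keyvault-integration}"   # app registration / service principal
RESOURCE_GROUP="${RESOURCE_GROUP:-cerby-rg}"         # existing resource group
LOCATION="${LOCATION:-eastus}"                       # Azure region
VAULT_NAME="${VAULT_NAME:-cerby-kv-01}"              # key vault name
KEY_NAME="${KEY_NAME:-cerby-vault-key}"              # key name entered in Cerby as Vault Key Name
ROLE="${ROLE:-Key Vault Crypto User}"                # least-privilege role from main step 4

# Azure Key Vault naming rules: 3-24 characters, letters, digits and hyphens only,
# starts with a letter, ends with a letter or digit, no consecutive hyphens.
validate_vault_name() {
  name="$1"
  if [ "${#name}" -lt 3 ] || [ "${#name}" -gt 24 ]; then return 1; fi
  case "$name" in *--*) return 1 ;; esac
  printf '%s' "$name" | grep -Eq '^[A-Za-z]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# The Vault URI the portal shows for a vault in the public Azure cloud.
vault_uri_from_name() {
  printf 'https://%s.vault.azure.net/' "$1"
}

# Step 1: app registration, service principal and client secret.
# Prints "appId<TAB>tenant<TAB>password"; the secret is shown only this once.
create_service_principal() {
  az ad sp create-for-rbac --name "$APP_NAME" \
    --query '[appId,tenant,password]' -o tsv
}

# Step 2: key vault in RBAC authorization mode (required for the role
# assignment in step 4), with soft-delete retention and purge protection.
create_key_vault() {
  validate_vault_name "$VAULT_NAME" || { echo "invalid vault name: $VAULT_NAME" >&2; return 1; }
  az keyvault create --name "$VAULT_NAME" --resource-group "$RESOURCE_GROUP" \
    --location "$LOCATION" --enable-rbac-authorization true \
    --retention-days 90 --enable-purge-protection true -o none
}

# Step 3: the integration only works with an RSA 4096 key.
create_key() {
  az keyvault key create --vault-name "$VAULT_NAME" --name "$KEY_NAME" \
    --kty RSA --size 4096 -o none
}

# Step 4: grant the service principal the role on this vault only, not on the
# subscription or resource group.
grant_access() {
  client_id="$1"
  vault_id=$(az keyvault show --name "$VAULT_NAME" --query id -o tsv)
  az role assignment create --assignee "$client_id" --role "$ROLE" \
    --scope "$vault_id" -o none
}

main() {
  read -r client_id tenant_id client_secret <<EOF
$(create_service_principal)
EOF
  create_key_vault
  create_key
  grant_access "$client_id"
  vault_uri=$(az keyvault show --name "$VAULT_NAME" --query properties.vaultUri -o tsv)
  # The five values main step 5 asks for, in the order of the Cerby dialog box.
  # The output contains the client secret: keep it off shared terminals and logs.
  printf 'Client ID:      %s\nTenant ID:      %s\nClient Secret:  %s\nVault URL:      %s\nVault Key Name: %s\n' \
    "$client_id" "$tenant_id" "$client_secret" "$vault_uri" "$KEY_NAME"
}

if [ "${1:-}" = "apply" ]; then
  main
fi
```

Run it as `./setup-cerby-keyvault.sh apply` after exporting your own names. The role assignment is scoped to the vault resource ID rather than the resource group, so the service principal can use that one key and nothing else; if you later rotate the client secret in the portal, only the Client Secret value in Cerby needs to change.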
5. Set up the Azure Key Vault integration in Cerby
To set up the Azure Key Vault integration in Cerby, you must complete the following steps:
Log in to your workspace using the Cerby web app. The Cerby dashboard is displayed.
Select the Settings option from the left navigation drawer. The Workspace Configuration page is displayed.
Activate the Privacy and Security tab. A table with a list of vaults is displayed in the Vault management section, as shown in Figure 1.
Figure 1. Table with the list of vaults in the Vault management section of the Privacy and security tab
Click the Create new vault button. The Create new vault dialog box is displayed.
Enter the vault name in the Vault name field.
Select the Azure External Keys option from the Strategy drop-down list.
NOTE: Select the Set as default vault option if you want to set the new vault as the default when adding an item to Cerby.
Click the Next button. The Configure the Azure vault dialog box is displayed.
Enter the values you have retrieved from Entra ID in the corresponding fields:
Client ID
Tenant ID
Client Secret
Vault URL
Vault Key Name
Click the Create vault button. The dialog box closes, and a success message box is displayed.
Now you are done.