
Managing Azure Secrets

This section describes how to manage Azure Secrets on CCKM. Before proceeding, you must have an Azure key vault added to the CCKM. Refer to Managing Azure Vaults for details.

Adding Azure Secrets

To add an Azure Secret:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Azure.

  3. Click the Secrets tab and open the Add Secret wizard.

  4. Enter Secret Name.

  5. Enter Secret Value.

  6. Select the desired Vault from the drop-down list.

  7. Enter Content Type.

  8. (Optional) Set the secret activation and expiration dates.

    • Select the Set Activation Date check box and from the on-screen calendar, select the date and time to activate the secret.

    • Select the Set Expiration Date check box and from the on-screen calendar, select the secret expiration date and time.

  9. (Optional) Enter Tags. A tag is a label assigned to the secret that consists of a user-defined name (key) and a value.

    To add a tag:

    1. Specify a tag name.

    2. Specify the tag value.

      • CCKM allows the following characters in tag values:

        • Alphanumeric characters

        • Special characters ! @ # $ % ) ( { } > < ? + - / \ [ ] ^ & = | ~ ` , ; . ' " _

      • CCKM does not allow the colon (:) in tag values.

    3. Click the + button.

    Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.

  10. Click Save.
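The Add Secret wizard above and the Rotate Now (Add Version) screen later on this page accept the same fields (value, vault, content type, activation and expiration dates, tags) and apply the same tag-value rules, but the UI only tells you about a bad value after you click Save. The following is an added example, not CCKM's own code or API: it pre-validates those fields the way a provisioning script should before it submits them, and it shows the check a consumer of the secret must make so that a version is never used before its activation date or at or after its expiration date. The dictionary key names, the sample secret, vault and tag values are this example's own assumptions.

```python
from datetime import datetime

# Characters CCKM accepts in a tag value, per this page: alphanumerics plus
# the listed punctuation. The colon is deliberately absent from the set.
TAG_VALUE_ALLOWED = frozenset(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    "!@#$%)({}><?+-/\\[]^&=|~`,;.'\"_"
)


def tag_value_problems(value: str) -> list:
    """Return the reasons CCKM would reject this tag value (empty list = OK)."""
    problems = []
    if value == "":
        problems.append("tag value must not be empty")
    if ":" in value:
        problems.append("tag value must not contain ':'")
    unsupported = sorted({c for c in value if c not in TAG_VALUE_ALLOWED and c != ":"})
    if unsupported:
        problems.append("unsupported characters: " + "".join(unsupported))
    return problems


def _parse(ts):
    """Parse an ISO-8601 timestamp that carries a UTC offset; None passes through."""
    if ts is None:
        return None
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError("timestamps must carry a UTC offset: " + ts)
    return dt


def build_secret_request(name, value, vault, content_type, tags=None,
                         activation=None, expiration=None) -> dict:
    """Assemble and pre-validate the fields the Add Secret and Add New Version
    screens ask for. The dictionary keys are this example's own naming (an
    assumption), not CCKM's API field names."""
    if not name or not value:
        raise ValueError("secret name and value are required")
    if not vault:
        raise ValueError("a target vault is required")
    start, end = _parse(activation), _parse(expiration)
    if start and end and end <= start:
        raise ValueError("expiration must be later than activation")
    clean_tags = {}
    for tag_name, tag_value in (tags or {}).items():
        if not tag_name:
            raise ValueError("tag name must not be empty")
        problems = tag_value_problems(tag_value)
        if problems:
            raise ValueError(f"tag {tag_name!r}: " + "; ".join(problems))
        clean_tags[tag_name] = tag_value
    request = {"name": name, "value": value, "vault": vault,
               "content_type": content_type, "tags": clean_tags}
    if start:
        request["activation_date"] = start.isoformat()
    if end:
        request["expiration_date"] = end.isoformat()
    return request


def secret_usable(now, activation=None, expiration=None) -> bool:
    """True only inside the validity window: a consumer must not use a secret
    version before its activation date, nor at or after its expiration date."""
    t, start, end = _parse(now), _parse(activation), _parse(expiration)
    if start is not None and t < start:
        return False
    if end is not None and t >= end:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample input, not data from a real vault.
    req = build_secret_request("db-password", "s3cr3t", "kv-prod", "text/plain",
                               tags={"owner": "team-a", "env": "prod"},
                               activation="2024-01-01T00:00:00+00:00",
                               expiration="2024-03-31T00:00:00+00:00")
    print(req)
    print(secret_usable("2024-02-01T00:00:00+00:00",
                        req["activation_date"], req["expiration_date"]))
```

Rejecting a colon up front matters beyond the Save error: CCKM also cannot search on tag values that contain one, so a secret tagged that way would be hard to find again. The expiration check is deliberately "at or after" so that a secret is not used in the very second it expires.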

Viewing Azure Secrets

Search for Azure Secrets by Secret Name, Secret Vault, or Tags.

CCKM does not allow searching for secrets:

  • By tag values using colon (:)

  • By "secret:value" pair using these characters:

    \ , : " %

To view an Azure secret:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Azure.

  3. Click the Secrets tab. The list of available Azure secrets is displayed. The Azure Secrets tab displays the following details:

    Field           Description
    Secret Name     Unique, user-friendly alias of the secret. This is useful in searching for specific secrets.
    Version ID      Current version of the secret. Click the expand icon corresponding to a secret to view its versions.
    Status          State of the secret. The status can be Available, Soft Deleted, or Deleted.
    Cloud           Name of the cloud.
    Creation Date   Time when the secret was created.
    Expiry Date     Time when the secret expires.
    Key Vault       Name of the Azure key vault.
    Region          Azure region where the secret is created. Click the filter icon to view the list of supported Azure regions.

Sometimes, you might notice certain secrets are displayed as grayed out. This happens when the secrets are no longer accessible. For example, when:

  • Any cloud permissions on the secrets are changed. The secrets are no longer accessible from the Azure connection.

  • Connection is changed in KMS. The new connection does not have permissions to access the secrets.

Editing Azure Secrets

To view or edit an Azure secret:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Azure.

  3. Click the Secrets tab. The list of available Azure secrets is displayed.

  4. Click the overflow icon (ellipsis) corresponding to the desired alias and click View/Edit.

  5. Configure the SECRET SCHEDULES. Refer to SECRET SCHEDULES for details.

SECRET SCHEDULES

To configure secret schedules:

  1. In the SECRET SCHEDULES section, select/enter the following details:

    • From the Select Rotation Schedule drop-down list, select a rotation schedule.

    • In the Rotation Settings section, select/enter the following details:

      1. Key Origin: Select the key origin from the available options. The key origin can be CipherTrust, Native (Azure), Luna, or DSM.

      2. (Applicable to Luna key origin) Select Partition: Select the Luna HSM partition.

      3. Key Type: Select the key type. Key types differ based on the key origin.

        • For CipherTrust, Luna, and DSM, the supported key types are RSA and RSA-HSM.

        • For Native (Azure), the supported key types are RSA, EC, RSA-HSM, and EC-HSM.

      4. Select the Key Size or Elliptical Curve Name depending on the selected Key Type.

        • If the key type is RSA or RSA-HSM, select Key Size. The available options are 2048, 3072, and 4096.

        • If the key origin is Native (Azure) and key type is EC or EC-HSM, select Elliptical Curve Name. The available options are P-256, P-384, P-521, and SECP256K1.

      5. Select Enabled if you want to enable the rotated key.

  2. Click Update.

A message Key schedule updated successfully is displayed on the screen.

Refreshing Azure Secrets

Refreshing is the process of downloading secrets that were created in Azure key vaults to CCKM. You can refresh secrets from all Azure key vaults at once.

To refresh secrets:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Azure.

  3. Click the Secrets tab. The list of available Azure secrets is displayed.

  4. Click Refresh All. The This may take a while... message is displayed.

    Note

    Refresh all Azure Secrets is a time intensive operation that could take several hours or days to complete. It will continue running in the background. Do you want to continue?

  5. Click Refresh All to continue.

A message Refresh started... is displayed on the screen. The refreshed secrets are listed on the Cloud Keys > Azure > Secrets (tab) page.

To cancel the refresh:

  1. Click Cancel Refresh. The Cancel All Refreshes? message is displayed. Read the message before continuing.

  2. Click Cancel All Refreshes.

A message Refresh cancelled successfully is displayed on the screen.

Rotating Secrets (Add Version)

To rotate Azure Secrets, CCKM Users require Add Secret and Upload Secret permissions.

To rotate a secret:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Azure.

  3. Click the Secrets tab. The list of available Azure secrets is displayed.

  4. Click the overflow icon (ellipsis) corresponding to the desired alias and click Rotate Now (Add Version). The Add New Version screen is displayed.

  5. Enter Secret Value.

  6. Select the desired Vault from the drop-down list.

  7. Enter Content Type.

  8. (Optional) Set the secret activation and expiration dates.

    • Select the Set Activation Date check box and from the on-screen calendar, select the date and time to activate the secret.

    • Select the Set Expiration Date check box and from the on-screen calendar, select the secret expiration date and time.

  9. (Optional) Enter Tags. A tag is a label assigned to the secret that consists of a user-defined name (key) and a value.

    To add a tag:

    1. Specify a tag name.

    2. Specify the tag value.

      • CCKM allows the following characters in tag values:

        • Alphanumeric characters

        • Special characters ! @ # $ % ) ( { } > < ? + - / \ [ ] ^ & = | ~ ` , ; . ' " _

      • CCKM does not allow the colon (:) in tag values.

    3. Click the + button.

    Similarly, you can add more tags. To remove a tag, click the close (X) icon in the tag name.

  10. Click Save.

A message Secret successfully rotated is displayed on the screen. Navigate to Cloud Keys > Azure > View/Edit > Versions to view the versions of the rotated Azure secret.

Soft-Deleting Azure Secrets

Soft deleting marks an Azure secret as deleted in both the Azure vault and CCKM without removing it. The secret still exists in CCKM and in the Azure vault in the soft-deleted state, and it can be recovered.

This operation can be performed only on Azure secrets residing in key vaults that have soft delete enabled.

To soft-delete an Azure secret:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Azure.

  3. Click the Secrets tab. The list of available Azure secrets is displayed.

  4. Click the overflow icon (ellipsis) corresponding to the desired alias and click Soft Delete. The Confirm Soft Delete dialog box is displayed.

  5. Click Soft Delete.

A message Secret <secret name> soft-deleted is displayed on the screen. The status of the secret changes to SOFT-DELETED.

Recovering Soft-Deleted Azure Secrets

If needed, you can recover a soft-deleted secret.

To recover a soft-deleted Azure secret:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Azure.

  3. Click the Secrets tab. The list of available Azure secrets is displayed.

  4. Click the overflow icon (ellipsis) corresponding to the desired alias and click Recover. The Confirm Recover Secret dialog box is displayed.

  5. Click Recover.

A message Secret <secret name> recovered from soft-delete. is displayed on the screen. The status of the secret changes to AVAILABLE.

Purging Azure Secrets

Purging is the process of permanently deleting soft-deleted Azure secrets from the Azure vaults. CCKM retains a backup of the purged secret, which can be restored. To restore the backup of a purged secret, follow the steps in the Restoring Backup section.

This operation can be performed only on soft-deleted Azure secrets residing in key vaults that have soft delete enabled.

To purge an Azure secret:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Azure.

  3. Click the Secrets tab. The list of available Azure secrets is displayed.

  4. Click the overflow icon (ellipsis) corresponding to the desired alias and click Purge. The Purge Azure secret dialog box is displayed.

  5. Select the I wish to purge this secret. check box.

  6. Click Purge Secret.

Purging a secret might take some time. After successful deletion, a message Secret <secret name> hard deleted is displayed on the screen. The status of the secret changes to DELETED.

If needed, you can restore a purged secret from its backup. Refer to Restoring Backup for details.

Restoring Backup

To restore a purged Azure secret:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Cloud Keys > Azure.

  3. Click the Secrets tab. The list of available Azure secrets is displayed.

  4. Click the overflow icon (ellipsis) corresponding to the desired alias and click Restore. The Confirm Restore secret dialog box is displayed.

  5. Select the desired secret vault from the Select Vault drop-down list.

    A secret can be restored only to a vault in the same Azure region as the vault it was purged from; restoration across regions is not allowed.

  6. Click Restore Secret.

A message Secret <secret name> restored is displayed on the screen. The secret is restored to the selected key vault. The secret status changes to AVAILABLE.
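The Rotating, Soft-Deleting, Recovering, Purging and Restoring sections above together define a small state machine (AVAILABLE, SOFT-DELETED, DELETED) with a guard on every transition: soft delete only from an available secret in a vault with soft delete enabled, recover and purge only from the soft-deleted state, restore only from CCKM's backup of a purged secret and only into a vault in the same region. The following is an added example, not CCKM's code or API: an in-memory model of that lifecycle that refuses the same transitions CCKM refuses and records an audit trail of every one it allows. It is the kind of model a team can use to test automation that drives these operations before pointing it at real vaults. The vault names, regions and secret values are constructed sample data.

```python
from dataclasses import dataclass, field

AVAILABLE, SOFT_DELETED, DELETED = "AVAILABLE", "SOFT-DELETED", "DELETED"


class LifecycleError(Exception):
    """A transition that this page says CCKM refuses."""


@dataclass
class Vault:
    name: str
    region: str
    soft_delete_enabled: bool = True


@dataclass
class Secret:
    name: str
    vault: Vault
    versions: list = field(default_factory=list)  # secret values, oldest first
    status: str = AVAILABLE


class SecretLifecycle:
    """In-memory model of the secret states shown on this page and the guards
    on each transition. `backups` stands in for the backup CCKM keeps of a
    purged secret; `audit` records (action, name, old status, new status)."""

    def __init__(self):
        self.secrets = {}
        self.backups = {}
        self.audit = []

    def _get(self, name):
        try:
            return self.secrets[name]
        except KeyError:
            raise LifecycleError(f"unknown secret {name!r}") from None

    def _transition(self, secret, action, new_status):
        self.audit.append((action, secret.name, secret.status, new_status))
        secret.status = new_status

    def add(self, name, value, vault):
        if name in self.secrets:
            raise LifecycleError(f"secret {name!r} already exists")
        self.secrets[name] = Secret(name, vault, [value])
        self.audit.append(("add", name, None, AVAILABLE))

    def rotate(self, name, value):
        """Rotate Now (Add Version): append a version; earlier versions remain."""
        secret = self._get(name)
        if secret.status != AVAILABLE:
            raise LifecycleError("only an available secret can be rotated")
        secret.versions.append(value)
        self.audit.append(("rotate", name, AVAILABLE, AVAILABLE))

    def soft_delete(self, name):
        secret = self._get(name)
        if not secret.vault.soft_delete_enabled:
            raise LifecycleError("vault does not have soft delete enabled")
        if secret.status != AVAILABLE:
            raise LifecycleError("only an available secret can be soft-deleted")
        self._transition(secret, "soft_delete", SOFT_DELETED)

    def recover(self, name):
        secret = self._get(name)
        if secret.status != SOFT_DELETED:
            raise LifecycleError("only a soft-deleted secret can be recovered")
        self._transition(secret, "recover", AVAILABLE)

    def purge(self, name):
        """Permanently remove the secret from the vault; CCKM's backup survives."""
        secret = self._get(name)
        if secret.status != SOFT_DELETED:
            raise LifecycleError("only a soft-deleted secret can be purged")
        self.backups[name] = list(secret.versions)
        secret.versions = []
        self._transition(secret, "purge", DELETED)

    def restore(self, name, target_vault):
        """Restore Backup into a vault in the same region as the original vault."""
        secret = self._get(name)
        if secret.status != DELETED or name not in self.backups:
            raise LifecycleError("no purged backup to restore")
        if target_vault.region != secret.vault.region:
            raise LifecycleError("restoration among cross-region vaults is not allowed")
        secret.vault = target_vault
        secret.versions = self.backups.pop(name)
        self._transition(secret, "restore", AVAILABLE)

    def status(self, name):
        return self._get(name).status

    def versions(self, name):
        return list(self._get(name).versions)


def attempt(action, *args):
    """Run a lifecycle action; return None on success or the refusal message."""
    try:
        action(*args)
        return None
    except LifecycleError as err:
        return str(err)
```

Two details of the model are worth carrying into real automation: a secret's versions are retained across soft delete and recover (nothing is lost until purge), and after a purge the only copy left is CCKM's backup, so the region check on restore is the last guard before data lands in a vault you may not have intended.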