Customer-managed keys (CMK) supports only keys from a Microsoft Azure Key Vault. To get started, you must work with Azure to create a new enterprise account, or use an existing enterprise account, and then follow the steps below to create the Key Vault.
Only the Premium and Standard service tiers for Azure Key Vault are supported. Azure Managed HSM, Azure Dedicated HSM and Azure Payments HSM are not supported. Refer to the Azure documentation for more information on offered key management services.
The documentation below only covers the basic steps to create the Key Vault. Outside of this guidance, you should configure the Key Vault as per your organization’s policies.
Log in to the Azure portal and use the search bar to locate Key vaults under the list of services.
The Key vaults page appears after selecting the service. From here, select Create.
Using the provided form, fill in the basic details for the Key Vault, including a name and an assigned resource group.
While most options can be left at their default values, make sure that you enable the soft-delete and purge protection options. If you do not turn on these features, you risk losing access to your data if the Key Vault is deleted.
From here, continue going through the Key Vault creation workflow and configure the different options according to your organization’s policies.
Once you arrive at the Review + create step, you can review the details of the Key Vault while it goes through validation. Once validation passes, select Create to complete the process.
Next, enable Azure role-based access control for your key vault. Select Access configuration in the Settings section of the left navigation, then select Azure role-based access control to enable the setting. This step is essential as the CMK App must later be associated with an Azure role. Assigning a role is documented in both the API and UI workflows.
If your Key Vault is configured to restrict public access to certain virtual networks or disable public access entirely, you must grant Microsoft a firewall exception.
Select Networking in the left navigation. Under Firewalls and virtual networks, select the checkbox Allow trusted Microsoft services to bypass this firewall, then select Apply.
Once you have created a Key Vault, you can generate a new key. Navigate to the Keys tab and select Generate/Import.
Use the provided form to enter a name for the key, and select RSA for the key type. The RSA key size must be at least 3072 bits, as required by Cosmos DB. Azure Data Lake Storage is also compatible with RSA 3072.
Remember the name that you provide for the key, as it is required to send the key to Adobe.
Use the remaining controls to configure the key you want to generate or import as desired. When finished, select Create.
The configured key appears in the list of keys for the vault.
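As an added check (example code, not part of Adobe's or Azure's documentation), the following Python script validates vault and key metadata against the requirements above: soft-delete, purge protection, Azure RBAC, the trusted-services firewall bypass when public access is restricted, and an RSA key of at least 3072 bits. It assumes the metadata is shaped like the Azure Key Vault resource JSON (for example, the output of `az keyvault show` and `az keyvault key show`); the sample values are constructed.

```python
import base64
from typing import List


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample shaped like an Azure Key Vault resource (field names follow
# the Key Vault resource JSON; the values are made up for this example).
SAMPLE_VAULT = {
    "name": "example-cmk-kv",
    "properties": {
        "enableSoftDelete": True,
        "enablePurgeProtection": True,
        "enableRbacAuthorization": True,
        "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices"},
    },
}

# Constructed JWK with a 3072-bit modulus (384 bytes, top bit set); not a real key.
SAMPLE_KEY = {"key": {"kty": "RSA", "n": _b64url(b"\x80" + b"\x00" * 383)}}


def rsa_bits(jwk: dict) -> int:
    """Derive the RSA key size from the base64url-encoded modulus in a JWK."""
    n = jwk["n"]
    raw = base64.urlsafe_b64decode(n + "=" * (-len(n) % 4))
    return int.from_bytes(raw, "big").bit_length()


def check_vault(vault: dict) -> List[str]:
    """Return the requirements from the guide that this vault fails (empty = OK)."""
    p = vault.get("properties", {})
    acls = p.get("networkAcls", {})
    problems = []
    if not p.get("enableSoftDelete"):
        problems.append("soft-delete is disabled")
    if not p.get("enablePurgeProtection"):
        problems.append("purge protection is disabled")
    if not p.get("enableRbacAuthorization"):
        problems.append("Azure role-based access control is not enabled")
    # The bypass only matters when public access is restricted (defaultAction Deny).
    if acls.get("defaultAction", "Allow") == "Deny" and "AzureServices" not in acls.get("bypass", ""):
        problems.append("firewall does not allow trusted Microsoft services to bypass it")
    return problems


def check_key(key: dict) -> List[str]:
    """Return the key requirements from the guide that this key fails (empty = OK)."""
    jwk = key.get("key", {})
    if jwk.get("kty") != "RSA":
        return [f"key type {jwk.get('kty')!r} is not RSA"]
    bits = rsa_bits(jwk)
    return [] if bits >= 3072 else [f"RSA key is {bits} bits, minimum is 3072"]
```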