Files uploaded to Egnyte are encrypted with keys that are unique to each customer. When you want a higher level of control over key management, rotation, and storage of the encryption keys, you can use Microsoft Azure Key Vault to accomplish this.
In this article, we'll show you how to set up Enterprise Key Management with Azure Key Vault. Before you begin, make sure you already have an Azure account created.
If you configure a key to be managed externally, you'll need to be extremely cautious when changing settings or when disabling the key. Accidentally deleting the key or making it unavailable for your Egnyte domain can make it impossible to regain access to your Egnyte data.
Skip Ahead to...
Create an Azure App
For Egnyte to access the encryption key in Azure Key Vault, you need to create an App in Azure. The steps below will walk you through the process.
- Once logged into your Azure account, select Azure Active Directory, then App registrations, and click + New registration.
- Enter the Application Name and click Register.
- You'll be taken back to the App registration page. From here, click on the new application you created.
- Within in the App, you'll need to copy the Application (client) ID and Directory (tenant) ID and input the parameters into the Enterprise Key Management settings of your Egnyte domain.
The Application (client) ID from Azure will be inputted into the Username field in the Enterprise Key Management settings in Egnyte.
Create a Shared Secret Password
- From the App page, open the Certificates & secrets tab and click + New client secret.
- Enter a description for the secret, choose an expiration date, and click Add.
If you choose to have the secret expire, you’ll need to update it in Azure Key Vault and Egnyte at that time. If you do not update the secret, you’ll temporarily lose access to your Egnyte data until this is updated.
- You'll only be able to see the secret one time, so copy it to your clipboard and immediately input it into the Password field in the Enterprise Key Management settings within Egnyte.
Add API Permissions
- From the App page, open the API permissions tab and click + Add a permission.
- In the Request API permissions page, select the Microsoft APIs tab and and choose Azure Key Vault.
- Select the checkbox next to user_impersonation and click Add permissions.
You'll be able to see the newly added permission on the API permissions page.
Create a Key Vault
- From the main, left-hand menu, click + Create a resource.
- Select the Key Vault resource. If you do not see this resource, use the search bar to locate Key Vault.
- Click Create
- Enter a name for the Key Vault, create a new resource group or add the Key Vault to an existing resource group, and click Create.
- Once the new Key Vault has been created, select Keys from the Settings section.
- Click + Generate/Import
- Enter a name for the key, select the desired parameters, ensure the key is enabled, and click Create.
- Once the key is created, you'll need to click New Version to create a new version for the key.
- Now that the key has been finalized, you'll need to copy the following information and input it into the corresponding fields within the Enterprise Key Management settings in Egnyte.
Key Vault name = HSM name
Key name = Key name
Current Version name (long string of letters and numbers) = Key version
Add an Access Policy
- From the Key Vault page, select Access policies under Settings and click + Add new.
- Click the Select principal option, highlight your Egnyte app, and click Select.
- From the Key permissions drop-down, select the following options:
Key Management Operations: Get and List
Cryptographic Operations: Decrypt, Encrypt, Unwrap Key, and Wrap Key
- Click OK and then click Save in the Azure Key Vault form.
- Navigate back to Egnyte and verify all information has been entered in the Enterprise Key Management section. Click Save to verify the set up. If an OK status appears in the settings, the operation was completed successfully!
Can I switch back to having the Enterprise Key managed by Egnyte?
Yes, as long as the key is still accessible in Azure Key Vault. If you delete the key from your Key Vault, it may be impossible to switch and the data in your Egnyte domain could be inaccessible.
What if I delete the key from my Azure Key Vault? Will my data in Egnyte be accessible?
When your users stop accessing the data, the key will still remain in cache for the time you specified in the Cache duration field. After that, the key will be deleted from the cache and your data will become inaccessible. If the key has been deleted from your Azure Key Vault, it will be impossible to recover the access to the domain data (impossible to decrypt the content).
What happens if my Application Secret expires?
When the shared secret expires, your data will become inaccessible until you update it. You'll need to create a new shared secret for the app in Azure Key Vault and enter the new shared secret as the password in the Enterprise Key Management settings within Egnyte.
Can I change the key in Azure Key Vault?
Yes! Simply add a new key in Azure Key Vault and enter the new key name in your Egnyte Enterprise Key Management settings. Once you Save the changes, make sure you get an OK status to ensure it worked correctly.