Bring Your Own Key (BYOK) with Azure Key Vault for Office ...



Bring Your Own Key (BYOK) with Azure Key Vault for Office 365 and Azure
Overview technical article
Microsoft France
Published: May 2018
Version: 1.1
Authors: Philippe Beraud, Daniel Pasquier (Microsoft France)
Contributors/Reviewers: Peter DiToro, Eric Portrait (Thales e-Security), Sumedh Barde (Microsoft Corporation)
For the latest information on Azure Key Vault, please see azure.en-us/services/key-vault/
Copyright © 2018 Microsoft Corporation. All rights reserved.

Abstract: Azure Key Vault allows organizations of any size to store and use their own keys, in accordance with the vault's access policy, with strong security thanks to its reliance on industry-proven, FIPS-compliant Hardware Security Modules (HSMs) from Thales e-Security. In this context, it offers the Bring-Your-Own-Key (BYOK) capability, which lets these organizations generate and import their on-premises key and delegate use privileges to a growing number of Microsoft cloud-hosted Office 365 and Azure services that integrate with Azure Key Vault for service-side encryption, client-side encryption and/or content encryption to protect their data. Customers of these Office 365 and Azure services indeed often need to use a key generated by, archived at, and under the control of customer security officers. This requirement may be due to compliance reasons or simply to best practices in key custody.

This document provides information about the Bring-Your-Own-Key (BYOK) capability of Azure Key Vault.
By following the steps outlined in this document, you should be able to prepare your environment for this BYOK capability, enable it, manage your key over time, and thus start using that key with the Office 365 and Azure services that support it within your organization, to protect your data in compliance with your own security and IT policies.

Table of Contents
Notice
Feedback
Introduction
  Objectives of this paper
  Non-objectives of this paper
  Organization of this paper
  About the audience
BYOK at a first glance
  Understanding the key lifecycle
  Understanding the restrictions
  Thales HSMs and Microsoft additions
Managing your own key
  Signing up for an Azure trial
  Preparing the local environment for Azure
  Creating the Azure Key Vault resource in your Azure subscription
  Preparing a disconnected workstation with the Thales HSM
  Generating your key
  Transferring your key over the Internet to your HSM-based vault
Using your imported key with Office 365 and Azure service
  Tenant key with Azure Information Protection
  Enabling and using your Azure Information Protection service tenant
  Getting usage logs for your key
  Revoking your key
  Rolling your key (re-key)
  Backing up and recovering your key
  Exporting your key
  Responding to a breach

Notice
For the latest information that pertains to the Bring-Your-Own-Key (BYOK) capability as covered in this document, please refer to the articles How to generate and transfer HSM-protected keys for Azure Key Vault and Planning and implementing your Azure Information Protection tenant key. These articles constitute the reference articles on this capability of Azure Key Vault as covered in this paper.

Feedback
For any feedback or comment regarding this document, please send a mail to AskIPteam@.

Introduction
A growing number of Microsoft Office 365 and Azure services offer service-side encryption, client-side encryption or content encryption to protect organizations' data and provide defense-in-depth against offline attacks. To name a few:
- Azure Information Protection (AIP) for document protection (files and mails),
- Exchange Online service encryption (mailbox-level encryption) in Office 365,
- SharePoint Online and OneDrive for Business service encryption in Office 365 (per-file encryption),
- Dynamics 365 Online service encryption,
- Azure Data Lake Store service encryption,
- Azure SQL Always Encrypted,
- Azure Disk Encryption,
- Azure Storage Service Encryption,
- Etc.
In terms of control, these services aim at giving you the choice of whether and when data is encrypted and, if so, between a completely service-managed approach that can be activated with a single click and the ability to specify a tenant cryptographic key in a customer-managed vault in Azure Key Vault.

Such a (tenant) cryptographic key constitutes the master key and root of trust of the service's encryption model: regardless of the service considered, its artifacts are cryptographically chained to that key. Even if the implementation details differ from one service to another, this key is typically used to encrypt keys such as storage account keys, data encryption keys, per-document encryption keys, etc.
For instance, all Azure Information Protection service artifacts in the organization (per-user keys, per-document encryption keys) are cryptographically chained to that cryptographic key.

The integration of the aforementioned services with Azure Key Vault helps safeguard the cryptographic key(s) used by these services once they are configured to do so. Azure Key Vault streamlines the key management process and enables you to maintain control of the keys that access and encrypt your data.

Note: For overview information about Azure Key Vault, see the article What is Azure Key Vault?.

When generated in a customer-managed vault in Azure Key Vault, these keys are by design protected by a hierarchy of keys that ends in hardware security modules (HSMs). For added assurance, you can import (or generate) these keys in HSMs. The import of the key into the HSMs of a customer-managed vault is referred to as the Bring-Your-Own-Key (BYOK) capability.

With this option, and thanks to its reliance on industry-proven, FIPS-compliant HSMs from our partner Thales:
- You generate your tenant cryptographic key on your premises, using tools of your choice, in compliance with your own security and IT policies.
- You securely transfer the key from an HSM in your possession to HSMs in Microsoft's possession for the Azure Key Vault service. The key never leaves the hardware protection boundary. HSMs provide a hardened, tamper-resistant environment for performing secure cryptographic processing, key protection, and key management.
- While in Microsoft's possession, your key stays protected by Thales HSMs.
Microsoft and Thales have worked together to ensure your key cannot be recovered from Microsoft's HSMs. Considering the above, you have the assurance that Microsoft operators cannot see or leak the key, either during the import or in the running steady state.

Optionally, in terms of transparency, you can view logs related to the keys at any time (along with the protected data, if relevant in the context). For that purpose, you can configure near real-time logging and thus receive near real-time usage logs from the Azure Key Vault service. You can layer this on top of BYOK to see exactly how and when your key is being used by the above services.

Note: For more information, see the article Azure Key Vault Logging.

The integration of the aforementioned services with Azure Key Vault thus offers you (the customer IT administrator) multiple levels of control over this tenant cryptographic key, so that you can trade off the level of control you desire against cost and simplicity. As an illustration, and to continue with Azure Information Protection, which is further covered at the end of this paper, the Azure Information Protection service by default generates your tenant key and manages its lifecycle. This is the simplest option. You do not even need to know that your tenant key exists: you just sign up for the Azure Information Protection service and the rest happens automatically. As an alternative, the integration with Azure Key Vault offers the BYOK capability, which, as the name indicates, lets you bring your own key. Indeed, Azure Information Protection service customers often need to use a key generated by, archived at, and under the control of customer security officers.
This requirement may be due to compliance reasons, sometimes because they are migrating from their on-premises Active Directory Rights Management Services (AD RMS) infrastructure, or simply to best practices in key custody.

Objectives of this paper
This document provides information about the various options available for protecting your tenant cryptographic key for the supported service(s) in Office 365 and/or Azure and for controlling its usage. More particularly, it provides an in-depth description of the Bring-Your-Own-Key (BYOK) capability and of how to enable it in your environment and your related subscription, so that you can generate and import your key and delegate use privileges to Microsoft for use in a supported cloud-hosted service. Furthermore, by following the steps outlined in this document, you should be able to prepare your environment for the BYOK capability, enable it, efficiently manage your key over time, and consequently start using, for example, the Azure Information Protection service within your organization to create and consume protected content in compliance with your own security and IT policies.

Non-objectives of this paper
This document does not offer a full description of the cloud-hosted service offerings. It simply focuses on the key aspects that, in the context of this paper, help the reader understand how to leverage and enable Bring-Your-Own-Key (BYOK) in your environment and your related subscription of the cloud-hosted services.

Organization of this paper
To cover the aforementioned objectives, this document is organized by themes, which are covered in the following sections:
- BYOK at a first glance.
- Managing your own key.
- Using your imported key with Office 365 and Azure service.

About the audience
This document is intended for IT professionals and system architects who are interested in understanding and using the Bring-Your-Own-Key (BYOK) capability of Azure Key Vault and in controlling its usage by the growing number of Office 365 and Azure services that support this integration path with Azure Key Vault.

BYOK at a first glance
With the Bring-Your-Own-Key (BYOK) option of Azure Key Vault:
- You create an HSM-based vault for a specific Azure region in a specific geography.
- You generate your key on your premises, per your IT policies.
- You securely transfer the key from an HSM in your possession to HSMs that are owned and managed by Microsoft, as provided by Azure Key Vault for your vault. Through this process your key never leaves the hardware protection boundary.
- When you transfer your key to Microsoft, it stays protected by Thales HSMs. Microsoft has worked with Thales to ensure your key cannot be recovered from Microsoft's HSMs, and cryptographic attestations are provided to prove it.
- Optionally, you can sign up to receive near real-time usage logs from Azure Key Vault. You can layer this on top of BYOK to see exactly how and when your key is being used with Azure Key Vault.

Note: For additional information, see the article How to generate and transfer HSM-protected keys for Azure Key Vault.

Understanding the key lifecycle
The following diagram displays the key lifecycle and how the above capabilities fit together.

Understanding the restrictions
Organizations that have an IT-managed Microsoft Azure subscription can create a vault in Azure Key Vault and use BYOK (and logging). (A blob storage is required to store the logs; see the article Azure Key Vault Logging.)

Almost every application or service that is integrated with Azure Key Vault will work seamlessly when you use BYOK (and logging).
That includes cloud services such as:
- Azure Information Protection (AIP) for document protection (files and mails),
- Exchange Online service encryption (mailbox-level encryption) in Office 365,
- SharePoint Online and OneDrive for Business service encryption in Office 365 (per-file encryption),
- Dynamics 365 Online service encryption,
- Azure Data Lake Store service encryption,
- Azure SQL Always Encrypted,
- Azure Disk Encryption,
- Azure Storage Service Encryption,
- Etc.
Both BYOK and logging allow the organization to have full control over the keys in its vault in its Azure subscription. The advanced key management capabilities described here are a great fit for such enterprises.

Thales HSMs and Microsoft additions
Azure Key Vault uses Thales FIPS 140-2 Level 2 validated hardware security modules (HSMs) (hardware and firmware) to protect the keys in its possession, meaning that the HSMs used by Microsoft Azure have been independently validated against the world's most widely recognized benchmark for cryptographic modules. Thales solutions currently protect data for 19 of the 20 largest banks (and secure more than 80 percent of worldwide payment transactions), 4 out of the top 5 aerospace companies, and 21 NATO countries.

Historically, key management privileges in an HSM have followed an all-or-nothing model: the privileges to generate/import a key, to authorize who can use it, to scale out your key across HSMs, and to recover imported keys go hand in hand. This model breaks if you have to let a cloud service such as the Azure Information Protection service use your key at scale.

Microsoft has worked with Thales to separate these privileges and to design and implement a secure key import process that accomplishes several goals:
- Spare you the necessity of purchasing your own HSM and co-locating it in the Azure Key Vault service data center.
  Your keys can be loaded into the Azure Key Vault service's Thales nShield family HSMs and used on your behalf without regard to which HSM is doing the work.
- Securely import your generated key without exposure of the key plaintext outside the boundary of a Thales nShield HSM during the import process.
- Eliminate, to the greatest degree possible, the ability for Microsoft to recover plaintext copies of customer keys.
The result today is an effective secure key import process where you can import your key into our HSMs, we can scale out the key across Microsoft's HSMs and manage Microsoft's HSMs, and nobody, not even Microsoft, has the right to recover the keys from the Microsoft HSMs. This is enforced inside the HSMs. It lets the Azure Key Vault service scale up at short notice to meet your organization's usage spikes. In addition, you retain control over the key lifecycle, since you generate the key and transfer it to Microsoft's HSMs for the geographic region in which your vault is located.

Together these create a unique and powerful offer that enables you to get the benefits of hosted services without relinquishing control over your keys. This required a heavy investment on the part of Microsoft in using the Thales Security World features.

Leveraging the Thales Security World as a best practice
Thales nShield HSMs use a common key management framework: the Thales Security World. The Security World framework delivers cryptographic key management features that can scale, are robust, and are flexible enough to handle real-world deployments. This powerful solution can handle an unlimited number of keys and provides the functions necessary to manage keys throughout the entire key lifecycle, from creation to operational use, backup, recovery, archival and finally destruction.

Security World delivers a common set of features across all Thales nShield HSMs:
- Security.
  All HSMs are designed to ensure that there is no single point of compromise within the key management environment. All cryptographic functions take place within a validated and certified HSM. Central to HSM security are two-factor authentication for administrators and split responsibility (role separation), which are supported by threshold sets of smartcards, i.e. the Administrator Card Sets (ACS). This means that K out of a total of N cards must be presented to authorize a specific cryptographic function or administrative activity, which significantly reduces the risk from malicious insiders within the Azure Key Vault service infrastructure.
- Scalability. The fundamental requirement of any cloud-hosted service is flexibility and scalability, and the Thales Security World key management framework provides a unique ability to provision keys and replicate keys across multiple devices to satisfy the capacity requirements of the Azure Key Vault service's customers. Security World is replete with functions that simplify the process of securely sharing keys among an array of disparate types of Thales HSMs joined to a specific Security World. This enables Microsoft to dynamically load and use customer keys in the HSMs appropriate to the task at hand, without customer interaction.
- Fine-grained control of key usage. Every key protected by a Thales HSM has an associated Access Control List (ACL) that defines the allowable uses of that key. Authorization to use individual application keys can be tightly controlled, allowing different levels of security to be assigned to individual keys in direct relation to their importance. Together these controls ensure that individual keys or groups of keys can be isolated from one another through logical separation. These flexible controls help to reinforce the individual requirements of a given security policy, allowing access to individual keys only by authorized users or servers and avoiding the need to impose rigid partitioning within an HSM.
- Resilience.
  Security World technology ensures that there is no single point of failure in any Thales HSM deployment. Multiple HSMs can be deployed on a single server or across the network to provide secure fail-over. If an HSM is damaged or stolen, keys can be recovered easily by initializing a new module. The Security World key management framework has a range of built-in controls to simplify backup and recovery, all essential aspects of a robust cloud-hosted service such as Azure Key Vault.

Managing your own key
With the Bring-Your-Own-Key (BYOK) capability, Microsoft set out to create mechanisms that enable you to import keys generated on your premises while offering assurances that your generated key material cannot readily be recovered, read, or exported by Azure Key Vault hosting service personnel. Thanks to it, you generate your own key and keep it for long-term key recovery purposes. The prerequisites for this capability are as follows:
- Microsoft Azure service subscription: You must have an active subscription to Microsoft Azure.
- Azure Key Vault Premium service tier to support HSM-protected keys: You must have created an HSM-based Key Vault (Premium SKU) in the active subscription. For more information about the service tiers and related capabilities of Azure Key Vault, see the Azure Key Vault Pricing web site.
- Thales HSM, smartcards, and support software: You must have access to a Thales nShield Hardware Security Module and basic operational knowledge of Thales nShield HSMs. Any model will do.
  See the list of compatible models, or purchase an HSM if you do not have one.
- (Optional) Usage logging feature: To exercise the usage logging feature, you must have sufficient Azure storage to store your logs in the Azure subscription.

The rest of this document will guide you through the entire process to benefit from such a capability. The procedures to generate and use your own key require some extra configuration steps, such as downloading and using a dedicated toolset and Windows PowerShell cmdlets.

Note: Windows PowerShell is a task-based command-line shell and scripting language that is designed for system/service administration and automation. It uses administrative tasks called cmdlets. Each cmdlet has required and optional arguments, called parameters, that identify which objects to act on or control how the cmdlet performs its task. You can combine cmdlets in scripts to perform complex functions that give you more control and help you automate the administration of Windows, applications and services in the cloud. It has become a common way to manage the latest generation of Microsoft products and services. For more information about Windows PowerShell, please see the Windows PowerShell web site, the Windows PowerShell online help, the Windows PowerShell weblog, and the Windows PowerShell Software Development Kit (SDK), which includes a programmer's guide along with a full reference.

However, you do not have to physically be in a Microsoft facility to transfer your key. Security is maintained by the following methods:
- You generate the key from an offline workstation, which reduces the attack surface.
- The key is encrypted with a Key Exchange Key (KEK) and stays encrypted until it is transferred to the Azure Key Vault service's HSMs that pertain to your HSM-based vault.
  Only the encrypted version of your key leaves the original workstation.
- The BYOK toolset sets properties on your key that bind it to the Azure Key Vault service's Security World for the corresponding geographic region. So, after the Azure Key Vault service's HSMs receive and decrypt your key, only these HSMs can use it. Your key cannot be exported. This binding is enforced by the Thales HSMs.
- The Key Exchange Key (KEK) that is used to encrypt your key is generated inside the Azure Key Vault service's HSMs and is not exportable. The HSMs enforce that there can be no clear version of the KEK outside the HSMs. In addition, the BYOK toolset includes an attestation from Thales that the KEK is not exportable and was generated inside a genuine HSM manufactured by Thales.
- The BYOK toolset includes an attestation from Thales that the Azure Key Vault service's Security World was also generated on a genuine HSM manufactured by Thales. This proves to you that Microsoft is using genuine hardware.
- Microsoft uses separate KEKs as well as separate Security Worlds in each geographical region, which ensures that your key can be used only in data centers in the geographical region in which you encrypted it. For example, a key from a European customer cannot be used in data centers in North America or Asia-Pacific. As of this writing, the available geographic regions are as follows: United States, Europe, Asia, Latin America, Japan, Australia, Azure Government, Canada, Germany, India, United Kingdom.

Note: Your key can safely move through untrusted computers and networks because it is encrypted and secured with access control level permissions, which make it usable only within your HSMs and Microsoft's HSMs for Azure Key Vault. You can use the scripts that are provided in the BYOK toolset to verify the security measures, and read more information about how this works from Thales: How to generate and transfer HSM-protected keys for Azure Key Vault.
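The transfer controls above sit on top of the Azure-side prerequisites listed earlier: a Premium (HSM-backed) vault, and storage for the optional usage logs. The following Azure PowerShell script, run from an Internet-connected workstation with the AzureRM cmdlets the paper relies on, consolidates that preparation and checks the two things that are easy to get wrong: that the vault was really created with the Premium SKU (a Standard vault would only hold software-protected keys, so a later HSM import would not give you what BYOK promises) and that AuditEvent logging is actually enabled once diagnostics are configured. This is an added example, not part of the Microsoft paper or of the BYOK toolset. The storage account name, the 90-day retention setting and the create-if-absent pattern are assumptions, and the subscription ID is a placeholder to replace with your own.

```powershell
# Added example (not from the Microsoft paper or the BYOK toolset).
# Azure-side preparation for BYOK: Premium vault + AuditEvent usage logging,
# with checks on the result. Requires the AzureRM modules (Install-Module AzureRM).

$subscriptionId = '<SubscriptionID copied from Add-AzureRmAccount output>'  # placeholder
$resourceGroup  = 'Litware369ResourceGroup'   # names from the paper's walkthrough
$location       = 'North Europe'
$vaultName      = 'Litware369KeyVaultHSM'     # must be unique across all of Azure
$storageAccount = 'litware369kvlogs'          # assumed name: 3-24 lowercase alphanumerics, globally unique
$retentionDays  = 90                          # assumed log retention policy

# 1. Sign in and pin the session to the intended subscription.
Add-AzureRmAccount | Out-Null
Set-AzureRmContext -SubscriptionId $subscriptionId | Out-Null

# 2. Resource group, created only if it does not exist yet (so the script can be re-run).
if (-not (Get-AzureRmResourceGroup -Name $resourceGroup -ErrorAction SilentlyContinue)) {
    New-AzureRmResourceGroup -Name $resourceGroup -Location $location | Out-Null
}

# 3. HSM-backed vault. The Premium SKU is what allows HSM-protected keys.
$vault = Get-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup -ErrorAction SilentlyContinue
if (-not $vault) {
    $vault = New-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroup `
                                 -Location $location -Sku Premium
}
# Check: refuse to continue with a Standard vault, which cannot hold HSM-protected keys.
if ($vault.Sku -ne 'Premium') {
    throw "Vault '$vaultName' has SKU '$($vault.Sku)'; BYOK requires the Premium SKU."
}

# 4. Storage account for the near real-time usage logs (Standard_LRS is enough for audit logs).
$sa = Get-AzureRmStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount -ErrorAction SilentlyContinue
if (-not $sa) {
    $sa = New-AzureRmStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount `
                                    -Location $location -SkuName Standard_LRS
}

# 5. Enable the AuditEvent category for the vault and keep logs for $retentionDays days.
Set-AzureRmDiagnosticSetting -ResourceId $vault.ResourceId -StorageAccountId $sa.Id `
                             -Enabled $true -Categories AuditEvent `
                             -RetentionEnabled $true -RetentionInDays $retentionDays | Out-Null

# 6. Read the settings back rather than trusting the calls above succeeded.
$diag  = Get-AzureRmDiagnosticSetting -ResourceId $vault.ResourceId
$audit = $diag.Logs | Where-Object { $_.Category -eq 'AuditEvent' }
$summary = [pscustomobject]@{
    VaultUri     = $vault.VaultUri
    Sku          = $vault.Sku
    AuditLogging = [bool]($audit -and $audit.Enabled)
    LogStorage   = $sa.StorageAccountName
}
if (-not $summary.AuditLogging) {
    throw "AuditEvent logging is not enabled on '$vaultName'; usage logs will not be produced."
}
$summary
```

The two `throw` checks are the point of the script: the vault SKU cannot be changed after the fact without recreating the vault, and a diagnostic setting that was written but not enabled silently yields no logs, so both are verified by reading the resources back instead of assuming the create calls did what was asked.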
To generate your key in your own Security World, thus ensuring that this critical key is never exposed outside compatible Thales HSMs, you can take advantage of Thales' affordable USB-connected HSM, the nShield Edge. In this case, you can ensure that custody of your tenant key is maintained according to the strictest industry best practices without breaking the budget.

The nShield Edge device combines a full-featured HSM with a smart card reader, which you can use to securely store and access your organization's high-value, occasional-use keys. The nShield Edge device has been designed and tested for deployments where one device is used with one workstation or virtual machine (VM). The Thales nShield Edge will be used throughout this paper to illustrate the BYOK capability of Azure Key Vault (even though any other model from Thales e-Security will do).

In the outlined configuration, the nShield Edge device is connected to a disconnected (offline) workstation. An additional Internet-connected workstation is consequently needed to perform all operations that specifically relate to the Azure Key Vault service.

Signing up for an Azure trial
If you do not already have an Azure account and simply would like to test and evaluate the procedure, you can sign up for a free one-month trial.

Note: If you have an MSDN subscription, see the article Azure benefit for MSDN subscribers.

Note: Once you have completed your trial tenant signup, you will be redirected to the Azure account portal and can proceed to the Azure management portal by clicking Portal at the top right corner of your screen.

At this stage, we assume you have a valid Azure subscription with the administrative credentials.

Preparing the local environment for Azure
Azure PowerShell is a set of modules that provide cmdlets to manage Azure with Windows PowerShell. You can use the cmdlets to create, test, deploy, and manage solutions and services delivered through the Azure platform.
In most cases, the cmdlets can be used for the same tasks as the Azure portal, such as creating and configuring your HSM-based Azure Key Vault in the context of this paper. The configuration of Azure PowerShell on a local computer consists of:
- Installing Azure PowerShell,
- Verifying that Azure PowerShell can run scripts.
Note that this local computer must have Internet connectivity.

Installing Azure PowerShell
The preferred way to install Azure PowerShell is to use the PowerShell Gallery.

Note: Installing items from the PowerShell Gallery requires the latest version of the PowerShellGet module, which is available in Windows 10, in Windows Management Framework (WMF) 5.0, or in the MSI-based installer (for PowerShell 3 and 4). If the PowerShellGet module is not already available in your current configuration, it is available at

To install the latest Azure PowerShell from the PowerShell Gallery, proceed with the following steps:
- Open an elevated Windows PowerShell or PowerShell Integrated Scripting Environment (ISE) prompt.
- Run the following command to install the Azure Resource Manager (ARM) modules:
   PS C:\> Install-Module AzureRM
   Note: For information on Azure Resource Manager (ARM), see the article Azure Resource Manager overview.
- Run the following command to make sure the Azure PowerShell module is available after you install it:
   PS C:\> Get-Module -ListAvailable
At this stage, you can run the cmdlets from a Windows PowerShell or PowerShell Integrated Scripting Environment (ISE) prompt.

Connecting to your Azure subscription with Azure PowerShell
To connect to your Azure subscription with the above cmdlets, proceed with the following steps:
- Open a Windows PowerShell or PowerShell Integrated Scripting Environment (ISE) prompt.
- Run the following command:
   PS C:\> Add-AzureRmAccount
- Type "Y". A Sign in to your account dialog appears.
- Type the email address.
   Depending on your email address, you may be redirected to an alternative sign-in page.
- Type the password associated with your account and click Sign in.
Azure authenticates you, saves the credential information, and then closes the dialog. A message states that your subscription is now selected as the default subscription.

Once connected to your default subscription, you can use the built-in help system to list and get help about the cmdlets in the Azure PowerShell module. To list the available cmdlets for ARM, run the following command:
   PS C:\> help AzureRM
You can then display help about a specific cmdlet by typing help followed by the name of the cmdlet.

Note: For additional information, see the articles Get started with Azure PowerShell cmdlets and Manage Azure resources with PowerShell and Resource Manager.

Creating the Azure Key Vault resource in your Azure subscription
You will first have to create an Azure Resource Group and an Azure Key Vault in your Azure subscription.

Creating a new Azure Resource Group for use with Azure Key Vault
Before you can create an Azure Key Vault, you must first create an Azure Resource Group. To create an Azure Resource Group, proceed with the following steps:
- Open an elevated Windows PowerShell or PowerShell Integrated Scripting Environment (ISE) prompt.
- Connect to your Azure subscription as per section Connecting to your Azure subscription with Azure PowerShell. When prompted, specify your administrative credentials to log into your Azure account.
   Note: After successfully logging into the Azure account, details about the tenant are displayed.
- Copy the Subscription Id for use in the next command.
- Run the following commands in order:
   PS C:\> Set-ExecutionPolicy RemoteSigned
   PS C:\> Set-AzureRmContext -SubscriptionId "<SubscriptionID copied previously>"
   PS C:\> New-AzureRmResourceGroup -Name 'Litware369ResourceGroup' -Location 'North Europe'
   Note: In the last command, set the Location argument to your current location.

Creating a new HSM-based Azure Key Vault
To create an HSM-based Azure Key Vault in the resource group, run the following command from the previous elevated Windows PowerShell or PowerShell Integrated Scripting Environment (ISE) prompt:
   PS C:\> New-AzureRmKeyVault -VaultName 'Litware369KeyVaultHSM' -ResourceGroupName 'Litware369ResourceGroup' -Location 'North Europe' -Sku Premium

Important note: The VaultName value must be unique across Azure, as each vault gets a Vault URI like . You must choose a unique vault name for this command, which will be referenced in later commands.

Important note: To enable the creation of HSM-stored keys, the Premium SKU must be specified when the Azure Key Vault is created.

Preparing a disconnected workstation with the Thales HSM
Installing the nCipher (Thales) support software
To install the Security World Software for nShield on your offline workstation, proceed with the following steps:
- Insert the supplied Security World Software for nShield DVD-ROM.
   Note: The Security World for nShield DVD-ROM contains a number of documentation items, including i) the nShield User Guide, which describes how to install and use the Security World Software, and ii) the Release Notes, which list the platforms and Security World Software features supported by the nShield Edge device and any known issues.
- Right-click the setup program SecWorld-win-use.exe and select Run as administrator.
   A Security World Software for nShield Setup wizard appears.
- Click Next.
- In the License Agreement page, click Yes.
- In the Select Features page, uncheck the components nCipher Java Support (including KeySafe) and nCipherKM JCA/JCE provider classes and click Next. The Security World Software for nShield Setup wizard now sets up the Thales middleware, including the CSP, KSP CNG, PKCS#11, and OpenSSL cryptographic providers.
- In the nCipher MSCAPI page, click Next. The Security Assurance Mechanism (SAM) configures the PKCS#11 library to prevent the use of insecure keys.
- In the nCipher PKCS#11 page, ensure Yes is selected and click Next.
- In the nCipher SNMP page, click Next.
- Click Finish.
Once the setup is completed, we advise rebooting the workstation.

Attaching the Thales HSM
To attach the Thales HSM to the disconnected workstation, proceed with the following steps:
- Connect the nShield Edge device to your disconnected workstation using the supplied USB cable. Always inspect the USB cable and device before use, specifically the Thales logo hologram in the tamper window shown below. If there are any signs of tampering, do not use the cable and device.
- Open an elevated command prompt and run the following command:
   C:\Windows\System32> cd C:\Program Files (x86)\nCipher\nfast\bin
- Run the following command to query the status of both the middleware and the HSM:
   C:\Program Files (x86)\nCipher\nfast\bin> enquiry.exe
   Server:
    enquiry reply flags  none
    enquiry reply level  Six
    serial number        EA67-52ED-38F9
    mode                 operational
    version              3.67.11
    speed index          12
    rec. queue           442..642
    level one flags      Hardware HasTokens
    version string       3.67.11cam8, 2.61.1cam5 built on Jul 8 2015 15:00:16
    checked in           00000000487debd5 Wed Jul 16 14:38:45 2008
    level two flags      none
    max. write size      8192
    level three flags    KeyStorage
    level four flags     OrderlyClearUnit HasRTC HasNVRAM HasNSOPermsCmd ServerHasPollCmds FastPollSlotList HasSEE HasKLF HasShareACL HasFeatureEnable HasFileOp HasLongJobs ServerHasLongJobs AESModuleKeys NTokenCmds JobFragmentation LongJobsPreferred Type2Smartcard ServerHasCreateClient HasInitialiseUnitEx Type3Smartcard HasKLF2
    module type code     0
    product name         nFast server
    device name
    EnquirySix version   4
    impath kx groups
    feature ctrl flags   none
    features enabled     none
    version serial       0
    remote server port   9004

   Module #1:
    enquiry reply flags  none
    enquiry reply level  Six
    serial number        EA67-52ED-38F9
    mode                 operational
    version              2.61.1
    speed index          12
    rec. queue           9..152
    level one flags      Hardware HasTokens
    version string       2.61.1cam5 built on Jul 8 2015 15:00:16
    checked in           000000004856847b Mon Jun 16 17:19:23 2008
    level two flags      none
    max. write size      2038
    level three flags    KeyStorage
    level four flags     OrderlyClearUnit HasRTC HasNVRAM HasNSOPermsCmd ServerHasPollCmds FastPollSlotList HasSEE HasKLF HasShareACL HasFeatureEnable HasFileOp HasLongJobs ServerHasLongJobs AESModuleKeys NTokenCmds JobFragmentation LongJobsPreferred Type2Smartcard ServerHasCreateClient HasInitialiseUnitEx Type3Smartcard HasKLF2
    module type code     11
    product name         nC4031Z
    device name          #1 Serial port \\.\com4
    EnquirySix version   6
    impath kx groups     DHPrime1024 DHPrime3072
    feature ctrl flags   LongTerm
    features enabled     StandardKM
    version serial       26
    kneti hash           abc01354f3af2c53333f71aa90fdca586f7009d8
    rec. LongJobs queue  8
    SEE machine type     ARMtype2
    supported KML types  DSAp1024s160 DSAp3072s256
    hardware status      unsupported driver

   C:\Program Files (x86)\nCipher\nfast\bin>
The mode in the Server section should be "operational". This means that the hardserver, i.e. the nFast server service, is running correctly. The second section, entitled Module #1, displays the HSM status. Its mode should be operational too.
If not, restart your workstation.

Generating your key

By default, Microsoft generates your keys when you subscribe to the Azure Information Protection service. If you require higher security, wish to comply with best practices and security standards, and want to ensure that there is no single point of compromise within the key management environment, you may manage your own key material with Thales HSMs by following this section to Bring-Your-Own-Key (BYOK).

You generate your key on your own premises with tools provided by Thales or with your own tools. The procedure described below applies to customers starting from scratch. You will need to adapt it if you need to reuse an existing key or if your organization has specific policies around the handling of keys. If this is the case, contact Azure Key Vault service support for guidance.

Perform all steps in this section on your offline workstation.

Creating a security world

With a Thales Security World, the root of trust belongs to the entity, e.g. the customer, who owns the Security World. This ownership is instantiated technically in several system objects:

- The Security World master keys (KMSW, KNSO, etc.), randomly generated by the HSM upon creation of the Security World. The module key KMSW is an AES-256 key (the --km-type=rijndael option below); KNSO is the Security Officer's signing key, which appears later in this document as a DSA key.
- The world file: a disk file that contains strongly encrypted key tokens for all of the Security World infrastructure keys, i.e. KMSW, KNSO, etc.
- The Administrator Card Set (ACS): a set of smart cards that contains the tokens that allow an nShield to load the infrastructure keys. The ACS tokens are split with a K-of-N scheme.

During this initialization step, you will be prompted to insert three blank cards and to enter a PIN (passphrase) for each. These cards become the Administrator Card Set (ACS) for the new Security World. Administrator Card Sets are crucial: an unusable card set renders the Security World unusable, and therefore all keys protected by that Security World become unusable as well.
Each card set consists of a number of smart cards N (3 in the illustration below), of which a smaller number K (2 in the illustration below) is required to authorize an action. The required number K is usually referred to as the quorum.

Note
As illustrated in the example below, the value for K should be less than N. We do NOT recommend creating card sets in which K is equal to N, since an error on a single card would render the whole card set unusable. If your ACS became unusable through such an error, you would have to replace the Security World and generate new keys.
In many cases, it is desirable to make K greater than half the value of N (for example, if N is 7, to make K 4 or more). Such a policy makes it harder for a potential attacker to obtain enough cards to access the Security World. Choose values of K and N that are appropriate to your situation.
The total number of cards used in the ACS must be a value in the range 1 - 64.

We advise clearly identifying the card set with stickers indicating, for each smart card, its id, the security officer it belongs to and any additional information you may consider useful in your specific situation.

At the end of this step, a world file is created and stored in your file system at %NFAST_KMDATA%\local, i.e. C:\ProgramData\nCipher\Key Management Data\local.

To create the Security World, proceed with the following steps:

1. Change the HSM's mode to Initialization.

   The nShield Edge front panel (see the illustration):
   A: Mode button. Selects a mode; the mode changes only when you press the Clear button (G).
   B: Mode LEDs. Show the current mode or the selected mode.
   C: B-type USB port. For connecting the device to the workstation.
   D: Card slot. For inserting the required smart card.
   E: Card slot LED. Lights green when a smart card is inserted.
   F: Status LED. Shows the status of the device.
   G: Clear button. Clears the device's memory and changes to the selected mode.

   Use the Mode button (A) to highlight the required mode and, within a few seconds, press and hold the Clear button (G) for a couple of seconds. If the mode changes, the new mode's LED stops flashing and remains lit. The Status LED (F) might flash irregularly for a few seconds and then flashes regularly when the device is ready. Otherwise, the device remains in the current mode, with the appropriate mode LEDs (B) lit:

   Red              In Maintenance mode
   Red flashing     Maintenance mode selected
   Amber            In Initialization mode
   Amber flashing   Initialization mode selected
   Green            In Operational mode
   Green flashing   Operational mode selected

2. Open a command prompt and navigate to the folder C:\Program Files (x86)\nCipher\nfast\bin.
3. Run the following command from the command prompt:

    C:\Program Files (x86)\nCipher\nfast\bin> new-world --initialize --km-type=rijndael --module=1 --acs-quorum=2/3

4. When prompted Insert/change card in module (or change module mode), insert the first smart card (Administrator Card #1) and press ENTER.
5. When prompted Enter new passphrase, type a PIN value for the first smart card, for example "9351", and press ENTER. The first smart card is now configured.
6. When prompted Remove card, remove the smart card.
7. Insert the second smart card and press ENTER.
8. When prompted Enter new passphrase, type a PIN value for the second smart card, for example "9351", and press ENTER. The second smart card is now configured.
9. When prompted Remove card, remove the second smart card.
10. Insert the third and last smart card.
11. When prompted Enter new passphrase, type a PIN value for the third smart card, for example "9351", and press ENTER. The third smart card is now configured.

Note
The same example PIN is used for all three cards only to keep the illustration short. In practice each card holder chooses and keeps their own passphrase, so that the K-of-N quorum really requires K people.

    C:\Program Files (x86)\nCipher\nfast\bin> new-world --initialize --km-type=rijndael --module=1 --acs-quorum=2/3
    15:39:28 WARNING: Module #1: preemptively erasing module to see its slots!
    Create Security World:
     Module 1: 0 cards of 3 written
     Module 1 slot 0: empty
     Module 1 slot 0: unformatted card
     Module 1 slot 0:- passphrase specified - writing card
     Module 1: 1 card of 3 written
     Module 1 slot 0: remove already-written card #1
     Module 1 slot 0: empty
     Module 1 slot 0: unformatted card
     Module 1 slot 0:- passphrase specified - writing card
     Module 1: 2 cards of 3 written
     Module 1 slot 0: remove already-written card #2
     Module 1 slot 0: empty
     Module 1 slot 0: unformatted card
     Module 1 slot 0:- passphrase specified - writing card
    Card writing complete.
    security world generated on module #1; hknso = f618d3d2d638ac344622f586fdda03d24d5e1a48

    c:\Program Files (x86)\nCipher\nfast\bin>

12. On the HSM, change the mode back to Operational: use the Mode button (A) to select Operational, then press and hold the Clear button (G) for a couple of seconds. If the mode changes, the new mode's LED stops flashing and remains lit.
    The Status LED (F) might flash irregularly for a few seconds and then flashes regularly when the device is ready.

13. Finally, run the following command to verify your installation:

    C:\Program Files (x86)\nCipher\nfast\bin> nfkminfo.exe
    World
     generation  2
     state       0x17270000 Initialised Usable Recovery !PINRecovery !ExistingClient RTC NVRAM FTO !AlwaysUseStrongPrimes !DisablePKCS1Padding !PpStrengthCheck SEEDebug
     n_modules   1
     hknso       f618d3d2d638ac344622f586fdda03d24d5e1a48
     hkm         48795e6888a55b25ca9d1ef15eb52613be2deed5 (type Rijndael)
     hkmwk       1d572201be533ebc89f30fdd8f3fac6ca3395bf0
     hkre        fe2eff36f834f92f9ab63c3da536c900300b3b33
     hkra        7601d9e3d1d5f49e3fe60949ccb8ba227995577c
     hkmc        e5e4fe628fab8e98d9ff025854994b79cb8c4608
     hkrtc       7ed74e42e4a17137a2645dcfda56526d16bf1f9f
     hknv        008ec43c8029f0531e52f581acb020df9febebf8
     hkdsee      1bf51d3d1c49583580d9e19175014e8326e98aa9
     hkfto       d10b122caa9797b1cd5dc12e6a9b274d088819bd
     hkmnull     0100000000000000000000000000000000000000
     ex.client   none
     k-out-of-n  2/3
     other quora m=2 r=2 nv=2 rtc=2 dsee=2 fto=2
     createtime  2017-02-28 14:46:24
     nso timeout 10 min
     ciphersuite DLf1024s160mRijndael
     min pp      0 chars

    Module #1
     generation  2
     state       0x2 Usable
     flags       0x10000 ShareTarget
     n_slots     2
     esn         EA67-52ED-38F9
     hkml        051bbbdf2f33cbc80c8297824ecfd4a0441d1b90

    Module #1 Slot #0 IC 0
     generation    1
     phystype      SmartCard
     slotlistflags 0x2 SupportsAuthentication
     state         0x2 Empty
     flags         0x0
     shareno       0
     shares
     error         OK
    No Cardset

    Module #1 Slot #1 IC 0
     generation    1
     phystype      SoftToken
     slotlistflags 0x0
     state         0x2 Empty
     flags         0x0
     shareno       0
     shares
     error         OK
    No Cardset

    No Pre-Loaded Objects

    C:\Program Files (x86)\nCipher\nfast\bin>

The World section above corresponds to the Security World file "world" on the offline workstation. This file is located under the path %NFAST_KMDATA%\local, which corresponds to the folder C:\ProgramData\nCipher\Key Management Data\local.

The first section shows the status of the Security World:
- state must be marked as Initialised Usable;
- the key hashes (hknso, hkm, hkmwk, hkre, hkra, hkmc, hkrtc, hknv, hkdsee and hkfto) must be non-zero values;
- k-out-of-n is the quorum configured during the new-world process.

The second section, Module #1, shows the status of the HSM: state Usable indicates that the correct Security World is present.

At this stage, back up the world file, the Administrator Card Set and their PINs to a safe location, keeping the PINs apart from the cards they unlock. It is wise to have a security policy to manage the card set and to keep it well protected. No single person should have access to more than one card (separation of duties). As already outlined, but worth emphasizing again, Administrator Card Sets are crucial: an unusable card set renders the Security World unusable, and therefore all keys protected by that Security World become unusable as well.
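The two outputs above (enquiry in Attaching the Thales HSM, nfkminfo here) are the ones you check before going further. The following Python 3 script is an added example, not code from this paper or from the Thales or Microsoft tooling: it parses both outputs and fails on exactly the conditions described above (hardserver and module operational, world Initialised Usable, the listed hashes non-zero, the ACS quorum equal to what you passed to new-world and obeying the K < N guidance, module state Usable). It assumes the default nfast install path; the sample transcripts embedded in it are constructed from the outputs shown above, trimmed to the fields it uses.

```python
"""Sanity check of the nShield middleware and the new Security World (added example,
not part of the Microsoft paper or the Thales tooling). Parses the text printed by
enquiry.exe and nfkminfo.exe and checks what the procedure above verifies by eye."""
import re
import subprocess
from typing import Dict, List

NFAST_BIN = r"C:\Program Files (x86)\nCipher\nfast\bin"  # assumed default install path
# World-section hashes that must be non-zero; hkmnull is the null key and is excluded.
WORLD_KEY_HASHES = ("hknso", "hkm", "hkmwk", "hkre", "hkra", "hkmc",
                    "hkrtc", "hknv", "hkdsee", "hkfto")

# Constructed sample of enquiry.exe output, reduced to the fields used here.
SAMPLE_ENQUIRY = """\
Server:
 mode                 operational

Module #1:
 mode                 operational
"""

# Constructed sample of nfkminfo.exe output after new-world --acs-quorum=2/3.
SAMPLE_NFKMINFO = """\
World
 state       0x17270000 Initialised Usable Recovery !PINRecovery !ExistingClient RTC NVRAM FTO
 hknso       f618d3d2d638ac344622f586fdda03d24d5e1a48
 hkm         48795e6888a55b25ca9d1ef15eb52613be2deed5 (type Rijndael)
 hkmwk       1d572201be533ebc89f30fdd8f3fac6ca3395bf0
 hkre        fe2eff36f834f92f9ab63c3da536c900300b3b33
 hkra        7601d9e3d1d5f49e3fe60949ccb8ba227995577c
 hkmc        e5e4fe628fab8e98d9ff025854994b79cb8c4608
 hkrtc       7ed74e42e4a17137a2645dcfda56526d16bf1f9f
 hknv        008ec43c8029f0531e52f581acb020df9febebf8
 hkdsee      1bf51d3d1c49583580d9e19175014e8326e98aa9
 hkfto       d10b122caa9797b1cd5dc12e6a9b274d088819bd
 hkmnull     0100000000000000000000000000000000000000
 k-out-of-n  2/3

Module #1
 state       0x2 Usable
"""


def check_enquiry(text: str) -> List[str]:
    """Problems found in enquiry output; an empty list means hardserver and HSM are operational."""
    modes: Dict[str, str] = {}
    section, problems = None, []
    for line in text.splitlines():
        head = re.match(r"^(Server|Module #\d+):", line)
        mode = re.match(r"^\s*mode\s+(\S+)", line)
        if head:
            section = head.group(1)
        elif mode and section:
            modes[section] = mode.group(1)
    if modes.get("Server") != "operational":
        problems.append("hardserver is not operational (mode %s)" % modes.get("Server"))
    modules = [name for name in modes if name.startswith("Module")]
    if not modules:
        problems.append("no HSM module reported: check the USB cable and the device")
    problems += ["%s mode is %s, not operational" % (m, modes[m]) for m in modules if modes[m] != "operational"]
    return problems


def nfkminfo_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Split nfkminfo output into sections ('World', 'Module #1', ...) of field -> value."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():  # an unindented line starts a section
            current = line.strip()
            sections[current] = {}
        elif current and line.strip():
            key, _, value = line.strip().partition(" ")
            sections[current][key] = value.strip()
    return sections


def check_world(text: str, expected_quorum: str) -> List[str]:
    """Problems found in nfkminfo output, against what new-world should have produced."""
    sections = nfkminfo_sections(text)
    world, problems = sections.get("World", {}), []
    state = world.get("state", "").split()
    problems += ["world state lacks %s" % f for f in ("Initialised", "Usable") if f not in state]
    for name in WORLD_KEY_HASHES:
        digest = world.get(name, "").split(" ")[0]
        if not re.fullmatch(r"[0-9a-f]{40}", digest) or digest == "0" * 40:
            problems.append("%s is missing or zero" % name)
    quorum = world.get("k-out-of-n")
    if quorum != expected_quorum:
        problems.append("ACS quorum is %s, expected %s" % (quorum, expected_quorum))
    k, n = (int(x) for x in expected_quorum.split("/"))
    if not 1 <= k < n <= 64:  # the K < N guidance from the note above
        problems.append("quorum %s violates the K < N <= 64 guidance" % expected_quorum)
    module_state = sections.get("Module #1", {}).get("state", "").split()
    if "Usable" not in module_state:
        problems.append("Module #1 state is not Usable: %s" % " ".join(module_state))
    return problems


def run_live_check(expected_quorum: str = "2/3") -> List[str]:
    """Run enquiry.exe and nfkminfo.exe on the workstation and check their real output."""
    out = {tool: subprocess.run([NFAST_BIN + "\\" + tool + ".exe"], capture_output=True,
                                text=True, check=True).stdout for tool in ("enquiry", "nfkminfo")}
    return check_enquiry(out["enquiry"]) + check_world(out["nfkminfo"], expected_quorum)
```

On the disconnected workstation, call run_live_check("2/3") (or whatever quorum you passed to new-world) from a Python 3 interpreter; it makes no network connection. The two parsers can also be fed captured output, which is how the constructed samples are checked. Comparing k-out-of-n against the value you intended catches a Security World created with the wrong --acs-quorum before any key is generated in it.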
Installing the Thales CNG provider

You now need to install the Thales CNG provider on the disconnected workstation, as per the Thales documentation, with the Thales cngregister program, and point it to the new Security World.

To install the Thales CNG provider, proceed with the following steps:

1. Open a command prompt and navigate to the folder C:\Program Files (x86)\nCipher\nfast\bin.
2. Run the following command from the command prompt:

    C:\Program Files (x86)\nCipher\nfast\bin> cngregister.exe
    EllipticCurve not enabled on module 1
    Provider 'nCipher Primitive Provider' registered successfully
    Algorithm SHA1 registered successfully
    Algorithm SHA256 registered successfully
    Algorithm SHA384 registered successfully
    Algorithm SHA512 registered successfully
    Algorithm SHA224 registered successfully
    Algorithm MD5 registered successfully
    Algorithm AES registered successfully
    Algorithm 3DES registered successfully
    Algorithm 3DES_112 registered successfully
    Algorithm DES registered successfully
    Algorithm RC4 registered successfully
    Algorithm RSA registered successfully
    Algorithm DSA registered successfully
    Algorithm DH registered successfully
    Algorithm RNG registered successfully
    Provider 'nCipher Security World Key Storage Provider' registered successfully
    Interface KEY_STORAGE registered successfully
    Created nShieldServiceAgent Run registry entry

    C:\Program Files (x86)\nCipher\nfast\bin>

Creating a new key

You can now generate a CNG key using the Thales generatekey and cngimport programs. Replace the label "test" used hereafter in the illustrations with a label of your choice; this label is the identifier of your key. We advise using an RSA key with a length of 2048 bits.

Note
1024-bit RSA keys are supported only for existing AD RMS customers who already have such keys and are migrating to the Azure Information Protection service. Do not generate a new 1024-bit key.
To generate your key, proceed with the following steps:

1. Open a command prompt and navigate to the folder C:\Program Files (x86)\nCipher\nfast\bin.
2. Run the following command from the command prompt:

    C:\Program Files (x86)\nCipher\nfast\bin> generatekey simple type=RSA size=2048 protect=module ident=test plainname=test nvram=no pubexp=

Note
pubexp is left blank (default) in this illustration, but you can fill in a specific value as per the Thales documentation. Note that you can also simply enter generatekey simple and follow the prompts: you are guided through the process.

3. Then run the following command:

    C:\Program Files (x86)\nCipher\nfast\bin> cngimport --import -M --key=test --appname=simple test
    Found key 'TEST'
    Importing NFKM key.. done

    C:\Program Files (x86)\nCipher\nfast\bin>

   As previously mentioned, replace the label "test" with the label you chose for your key.
   Use the -M option so that the key is imported as a machine-wide key. Without it, the resulting key is a user-specific key for the current user.

   This creates a tokenized key file in your %NFAST_KMDATA%\local folder with a name starting with "key_caping_machine--" followed by a key hash (40 hex digits), e.g. key_caping_machine--dc46f6825026261258ddd8b30b470af68bddadf9. This file contains an encrypted key and allows CNG to work with the key you have generated.

4. List the keys that are available and check that the import succeeded by running the following command:

    C:\Program Files (x86)\nCipher\nfast\bin> cnglist --list-keys
    TEST: RSA machine

    C:\Program Files (x86)\nCipher\nfast\bin>

5. Back up this tokenized key file to a safe location.

Important note
When you subsequently transfer your key to the Azure Key Vault service, Microsoft will hold a non-recoverable copy of your key. This means that nobody can retrieve your key from the HSMs at Microsoft, which is what lets you retain exclusive control over it. It therefore becomes extremely important that you back up your key and Security World safely. Contact Thales for guidance on best practices for this.

Transferring your key over the Internet to your HSM-based vault

If you generated your own key, you must transfer it to your HSM-based vault in the Azure Key Vault service before you can use it from your vault. This section describes the procedures to follow in order to transfer your tenant key over the Internet to your HSM-based vault. Transferring the key over the Internet requires an Internet-connected workstation in addition to the disconnected workstation.

You must know your Subscription ID.

Downloading the BYOK toolset

To download the BYOK tools for the Microsoft Rights Management service (BYOK toolset), proceed with the following steps:

1. Open a browser and, from the Microsoft Download Center, download the Azure Key Vault BYOK toolset for your geographic region. The package is named KeyVault-BYOK-Tools-Europe.zip for Europe, KeyVault-BYOK-Tools-UnitedStates.zip for the United States, KeyVault-BYOK-Tools-AsiaPacific.zip for Asia-Pacific, etc. As of this writing, eleven packages are available, one per supported geographic region.

   Regardless of the package, the toolset includes the following:
   - A Key Exchange Key (KEK) package whose name begins with "BYOK-KEK-pkg-".
   - A Security World package whose name begins with "BYOK-SecurityWorld-pkg-".
   - A Python script named verifykeypackage.py.
   - A command-line executable named KeyTransferRemote.exe and its associated DLLs.
   - A Visual C++ redistributable package named vcredist_x64.exe.

2. Copy the toolset content to a USB drive or other portable storage, for example the E: drive in our illustration. You will install it by plugging the USB drive into your disconnected workstation, as described in the next section.

Installing the BYOK toolset on the disconnected workstation

Perform all steps in this section on your disconnected workstation.

To install the BYOK toolset, proceed with the following steps:

1. Plug the USB drive into your workstation and copy the previously downloaded BYOK toolset from the USB drive into any folder on the workstation, for example C:\Program Files\BYOK_TOOLSET in our configuration. Open a command prompt and run the following commands:

    c:\Users\Administrator>cd %ProgramFiles%
    c:\Program Files>mkdir BYOK_TOOLSET
    c:\Program Files>robocopy /mir E:\ "%ProgramFiles%\BYOK_TOOLSET"

   The USB drive corresponds to the E: drive letter in our configuration. Adapt the command to reflect your configuration.

2. From that folder, run vcredist_x64.exe to install the Visual C++ runtime components for Visual Studio 2013. The Microsoft Visual C++ 2013 Redistributable (x64) setup dialog opens.
3. Click I agree to the license terms and conditions, and then click Install.
4. Click Close.

Validating the downloaded package on the disconnected workstation

This step is optional. You would do this if you have doubts about the integrity of the toolset you downloaded. Bear in mind what the KEK is for: it encrypts your key for upload, so a tampered package carrying a KEK under someone else's control would let that party decrypt your key. The check below is cheap relative to that risk.

On your disconnected workstation, proceed with the following steps:

1. Ensure that the nShield Edge device is connected to your disconnected workstation using the supplied USB cable, which should be the case at this stage if you have followed the instructions in order. The HSM is required to run the provided tooling that verifies the downloaded package.

Important note
A Security World MUST also have been created, as per the section Creating a security world earlier in this document. A fully initialized HSM is required to verify the downloaded package. This should also be the case at this stage if you have followed the instructions in order.

2. Open an elevated command prompt and run the following command to add the Python binary to the PATH environment variable:

    c:\Windows\system32> set PATH=%PATH%;"%nfast_home%\bin";"%nfast_home%\python\bin"

3. Still from the command prompt, navigate to the folder where the toolset has been copied:

    c:\Windows\system32> cd %ProgramFiles%\BYOK_TOOLSET
    c:\Program Files\BYOK_TOOLSET>_

4. Run the verifykeypackage.py script to validate that:
   - the Key Exchange Key (KEK) included in the toolset was generated in a genuine Thales HSM;
   - the Azure Information Protection service's Security World, whose hash is included in the toolset, was generated in a genuine Thales HSM;
   - the Key Exchange Key (KEK), which will encrypt your key during upload, is non-exportable.

    c:\Program Files\BYOK_TOOLSET> python verifykeypackage.py -k .\<KEK> -w .\<SecurityWorldpackage>

   Where:
   - <KEK> is the Key Exchange Key (KEK) package for your geographic region: BYOK-KEK-pkg-EU-1 for Europe, BYOK-KEK-pkg-NA-1 for the United States, BYOK-KEK-pkg-AP-1 for Asia-Pacific, etc.
   - <SecurityWorldpackage> is the Security World package for your geographic region: BYOK-SecurityWorld-pkg-EU-1 for Europe, BYOK-SecurityWorld-pkg-NA-1 for the United States, BYOK-SecurityWorld-pkg-AP-1 for Asia-Pacific, etc.

   This corresponds to the following command in our configuration:

    c:\Program Files\BYOK_TOOLSET> python verifykeypackage.py -k .\BYOK-KEK-pkg-EU-1 -w .\BYOK-SecurityWorld-pkg-EU-1
    *****Input Parameters*****
    Key package file: '.\BYOK-KEK-pkg-EU-1'
    World package file: '.\BYOK-SecurityWorld-pkg-EU-1'
    *****Read Key Package*****
     Finished reading the required fields from the key package...
    *****Read World Package*****
     Finished reading the required fields from the world package...
    *****Verify Warrant for the key*****
    *****Verify Warrant for the world*****
    *****Verify generation info for the Key*****
     Checking ESN in the warrant and key data...
     Get KLF from the warrant...
     Importing the KLF public key...
     Checking the KLF hash...
     Verify the module state message using KLF...
     Deserialize the module state message...
     Get KML from key generation certificate...
     Import KML public key...
     Check the KML hash...
     Verify the generation certificate using KML...
     Deserialize the generation certificate...
     Compare key hash from the package and the generation certificate...
     Load the public blob for KEK...
     Compare KEK hash from the package and the generation certificate...
     Verify that KEK ACLs are as expected...
    *****Verify generation info for the world*****
     Checking ESN in the warrant and key data...
     Get KLF from the warrant...
     Importing the KLF public key...
     Checking the KLF hash...
     Verify the module state message using KLF...
     Deserialize the module state message...
     Get KML from key generation certificate...
     Import KML public key...
     Check the KML hash...
     Verify the generation certificate using KML...
     Deserialize the generation certificate...
     Compare key hash from the package and the generation certificate...
    ===========================================================================
     VERIFICATION SUCCESSFUL
    ===========================================================================
     * Security world chains up to the Thales root
     * Key Exchange Key chains up to the Thales root
     * Key Exchange Key is blobbed to the verified security world
     * Key Exchange Key ACLs are as expected
    ===========================================================================
    Verified Security World Generation Certificate Information
    ===========================================================================
    Root signer key hash: 59178a47 de508c3f 291277ee 184f46c4 f1d9c639
    Verify at Hash: b3fc319f b23c9db7 e9248c27 f5967550 da7ecce0
    --------------------------------------------------------------
    ===========================================================================
    Verified Key Exchange Key Generation Certificate Information
    ===========================================================================
    Root signer key hash: 59178a47 de508c3f 291277ee 184f46c4 f1d9c639
    Verify at Exchange Key Identifier: xferwrapping,kek-prod-eu-1
    Key Exchange Key Hash: ede3e33c d1ffda02 3bd1e319 f2bf156a b4b5e90d
    --------------------------------------------------------------
    KeyGenParams.type= RSAPrivate
     .params.flags= 0x0
     .lenbits= 2048
    --------------------------------------------------------------
    ACLs on the key exchange key private blob:
    ACL.groups[0].flags= 0x0
     .limits= empty
     .actions[0].type= OpPermissions
      .details.perms= UseAsBlobKey|GetACL
     .actions[1].type= MakeBlob
      .details.flags= AllowKmOnly|AllowNonKm0|kmhash_present
      .kmhash= b3fc319f b23c9db7 e9248c27 f5967550 da7ecce0
    --------------------------------------------------------------
    Details for key exchange key public blob loaded into the HSM:
    Cmd_GetKeyInfoEx_Reply.ver= 0
     .flags= 0x0
     .type= RSAPublic
     .length= 2048
     .hash= ede3e33c d1ffda02 3bd1e319 f2bf156a b4b5e90d
    --------------------------------------------------------------
    ******************
    Result: SUCCESS
    ******************

    C:\Program Files\BYOK_TOOLSET>

If the packages are validated successfully, the script displays "Result: SUCCESS".

This script validates the signer chain up to the Thales root key. The hash of this root key is embedded in the script; its value should be 59178a47 de508c3f 291277ee 184f46c4 f1d9c639. The same hash is also published on the Thales e-Security website. Since the script and the packages were downloaded together, compare the "Root signer key hash" lines printed above against the published value rather than relying on the script alone. The output also shows what "non-exportable" means for the KEK: its private blob carries only the UseAsBlobKey and GetACL permissions (no ExportAsPlain), and its MakeBlob action is tied to the verified Security World hash (b3fc319f...). Keep that hash and the KEK hash (ede3e33c...) at hand; both reappear in the KeyTransferRemote output of the next section and must match.

Preparing your key for upload to your HSM-based vault

Continue to perform all steps in this section on your disconnected workstation.

Creating a copy of your key with reduced permissions

To reduce the permissions on your tenant key, proceed with the following steps:

1. Open an elevated command prompt if needed and navigate to the folder where you copied the BYOK toolset from the USB drive, for example C:\Program Files\BYOK_TOOLSET in our configuration.
2. From the elevated command prompt, run the following command, replacing test with whatever you chose as your key identifier in the section Creating a new key. This utility reduces the permissions on the key.
    C:\> KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier test -ExchangeKeyPackage <KEK> -NewSecurityWorldPackage <SecurityWorldpackage>

   Where:
   - <KEK> is the Key Exchange Key (KEK) package for your geographic region: BYOK-KEK-pkg-EU-1 for Europe, BYOK-KEK-pkg-NA-1 for the United States, BYOK-KEK-pkg-AP-1 for Asia-Pacific, etc.
   - <SecurityWorldpackage> is the Security World package for your geographic region: BYOK-SecurityWorld-pkg-EU-1 for Europe, BYOK-SecurityWorld-pkg-NA-1 for the United States, BYOK-SecurityWorld-pkg-AP-1 for Asia-Pacific, etc.

   This corresponds to the following command in our configuration (the packages sit directly in the toolset folder, as copied above):

    c:\Program Files\BYOK_TOOLSET>KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier test -ExchangeKeyPackage .\BYOK-KEK-pkg-EU-1 -NewSecurityWorldPackage .\BYOK-SecurityWorld-pkg-EU-1

   When the command runs, you are asked to insert your Security World administrator cards (a quorum of the ACS, i.e. 2 of the 3 cards created above).

    C:\Program Files\BYOK_TOOLSET>KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier test -ExchangeKeyPackage .\BYOK-KEK-pkg-EU-1 -NewSecurityWorldPackage .\BYOK-SecurityWorld-pkg-EU-1
    ****************
    User Information
    ****************
    Machine Name: MININT-PN052N7
    User Name: Administrator
    User Domain: MININT-PN052N7
    Getting hashes for module keys...................................................................SUCCESS
    ***********
    Module Keys
    ***********
    KML Hash: 051bbbdf2f33cbc80c8297824ecfd4a0441d1b90
    KLF Hash: d0119786314c756f2e24bc79c9c6c33e3226f019
    KM Hash: 48795e6888a55b25ca9d1ef15eb52613be2deed5
    KMWK Hash: 1d572201be533ebc89f30fdd8f3fac6ca3395bf0
    Loading user key.................................................................................SUCCESS
    Loading user key's private blob..................................................................SUCCESS
    ********
    User Key
    ********
    Type: RSAPrivate
    Length: 2048
    Key Hash: 948563938e8de07fd7151a7157742e1ba42de3d5
    ACLs:
     .n_groups= 2
     .groups[ 0].flags= none 0x00000000
      .n_limits= 0
      .n_actions= 1
      .actions[ 0].type= OpPermissions
       .details.oppermissions.perms= DuplicateHandle UseAsCertificate GetAppData ReduceACL Decrypt UseAsBlobKey Sign GetACL SignModuleCert 0x0000b52b
      .certifier absent
      .certmech absent
      .moduleserial absent
     .groups[ 1].flags= certifier_present FreshCerts 0x00000003
      .n_limits= 0
      .n_actions= 3
      .actions[ 0].type= OpPermissions
       .details.oppermissions.perms= DuplicateHandle ExportAsPlain GetAppData SetAppData ReduceACL ExpandACL GetACL 0x0000207d
      .actions[ 1].type= MakeBlob
       .details.makeblob.flags= AllowKmOnly AllowNonKm0 AllowNullKmToken 0x00000023
       .kmhash absent
       .kthash absent
       .ktparams absent
       .blobfile absent
      .actions[ 2].type= MakeArchiveBlob
       .details.makearchiveblob.flags= none 0x00000000
       .mech= Any
       .kahash absent
       .blobfile absent
      .certifier= 20 bytes f618d3d2 d638ac34 4622f586 fdda03d2 4d5e1a48
      .certmech absent
      .moduleserial absent
    Loading exchange key.............................................................................SUCCESS
    ********************
    Exchange Key Package
    ********************
    Exchange key application name: xferwrapping
    Exchange key identifier: kek-prod-eu-1
    Exchange key hash: ede3e33cd1ffda023bd1e319f2bf156ab4b5e90d
    Public key blob: System.Byte[]
    Generating module's ESN: 3E55-C8BD-46FC
    Key creation message: System.Byte[]
    Key creation signature: NCipher.MCipherText
    Module state message: System.Byte[]
    Module state signature: NCipher.MCipherText
    Module warrant: System.Byte[]
    Loading exchange key public blob.................................................................SUCCESS
    ************
    Exchange Key
    ************
    Type: RSAPublic
    Length: 2048
    Key Hash: ede3e33cd1ffda023bd1e319f2bf156ab4b5e90d
    ACLs:
     .n_groups= 1
     .groups[ 0].flags= none 0x00000000
      .n_limits= 0
      .n_actions= 3
      .actions[ 0].type= OpPermissions
       .details.oppermissions.perms= DuplicateHandle ExportAsPlain GetAppData SetAppData ReduceACL ExpandACL Encrypt Verify UseAsBlobKey GetACL 0x000026fd
      .actions[ 1].type= MakeBlob
       .details.makeblob.flags= AllowKmOnly AllowNonKm0 AllowNullKmToken 0x00000023
       .kmhash absent
       .kthash absent
       .ktparams absent
       .blobfile absent
      .actions[ 2].type= MakeArchiveBlob
       .details.makearchiveblob.flags= none 0x00000000
       .mech= Any
       .kahash absent
       .blobfile absent
      .certifier absent
      .certmech absent
      .moduleserial absent
    Loading security world package...................................................................SUCCESS
    **********************
    Security World Package
    **********************
    Security world key hash: b3fc319fb23c9db7e9248c27f5967550da7ecce0
    Generating module's ESN: B3C4-F264-3066
    Security world key creation message: System.Byte[]
    Security world key creation signature: NCipher.MCipherText
    Module state message: System.Byte[]
    Module state signature: NCipher.MCipherText
    Module warrant: System.Byte[]
    Insert Admin Card:
     Module 1 slot 0: empty
     Module 1 slot 0: Admin Card #3
     Module 1 slot 0:- passphrase supplied - reading card
     Module 1 slot 0: Admin Card #3: already read
     Module 1 slot 0: empty
     Module 1 slot 0: Admin Card #1
     Module 1 slot 0:- passphrase supplied - reading card
    Card reading complete.
    Loading admin card set.....................................................................SUCCESS
    *******
    NSO Key
    *******
    Type: DSAPrivate
    Length: 1024
    Key Hash: f618d3d2d638ac344622f586fdda03d24d5e1a48
    ACLs:
     .n_groups= 1
     .groups[ 0].flags= none 0x00000000
      .n_limits= 1
      .limits[ 0].type= Time
       .details.time.seconds= 0x00000258 600
      .n_actions= 2
      .actions[ 0].type= OpPermissions
       .details.oppermissions.perms= UseAsCertificate ReduceACL GetACL 0x00002022
      .actions[ 1].type= MakeBlob
       .details.makeblob.flags= AllowNonKm0 ktparams_present AllowNullKmToken 0x00000032
       .kmhash absent
       .kthash absent
       .ktparams.flags= none 0x00000000
        .sharesneeded= 0x00000000 0
        .sharestotal= 0x00000000 0
        .timelimit= 0x00000000 0
       .blobfile absent
      .certifier absent
      .certmech absent
      .moduleserial absent
    Modifying ACLs on private key..............................................................SUCCESS
    ********
    User Key
    ********
    Type: RSAPrivate
    Length: 2048
    Key Hash: 948563938e8de07fd7151a7157742e1ba42de3d5
    ACLs:
     .n_groups= 1
     .groups[ 0].flags= none 0x00000000
      .n_limits= 0
      .n_actions= 4
      .actions[ 0].type= OpPermissions
       .details.oppermissions.perms= DuplicateHandle ReduceACL Decrypt Sign GetACL 0x00003121
      .actions[ 1].type= MakeBlob
       .details.makeblob.flags= AllowKmOnly AllowNonKm0 kmhash_present AllowNullKmToken 0x00000027
       .kmhash= 20 bytes 48795e68 88a55b25 ca9d1ef1 5eb52613 be2deed5
       .kthash absent
       .ktparams absent
       .blobfile absent
      .actions[ 2].type= MakeBlob
       .details.makeblob.flags= AllowKmOnly AllowNonKm0 kmhash_present AllowNullKmToken 0x00000027
       .kmhash= 20 bytes b3fc319f b23c9db7 e9248c27 f5967550 da7ecce0
       .kthash absent
       .ktparams absent
       .blobfile absent
      .actions[ 3].type= MakeArchiveBlob
       .details.makearchiveblob.flags= kahash_present 0x00000001
       .mech= BlobCryptv2kRSAeRijndaelCBC0hSHA256mSHA256HMAC
       .kahash= 20 bytes ede3e33c d1ffda02 3bd1e319 f2bf156a b4b5e90d
       .blobfile absent
      .certifier absent
      .certmech absent
      .moduleserial absent
    Making new private key blob................................................................SUCCESS
    Removing recovery key blob.................................................................SUCCESS
    Saving modified key as C:\ProgramData\nCipher\Key Management Data\local\key_xferacld_test...SUCCESS
    Saving logfile as C:\Program Files\BYOK_TOOLSET\ModifyAcls-key_xferacld_test.log...........SUCCESS

Compare the two User Key listings in this output; they show exactly what "reduced permissions" means. Before the change, the key has two ACL groups, and the second, certified by the Security Officer key (certifier f618d3d2..., the hknso of your Security World), allows ExportAsPlain and ExpandACL, with a MakeBlob action that names no module key (kmhash absent). After the change there is a single group whose permissions are reduced to DuplicateHandle ReduceACL Decrypt Sign GetACL; MakeBlob is allowed only under two named module keys, your local KM (48795e68..., the KM Hash printed at the top) and the Azure Information Protection Security World (b3fc319f...); MakeArchiveBlob is allowed only under the KEK (kahash ede3e33c...); and the recovery blob is removed. The copy saved as key_xferacld_test can therefore decrypt and sign, can be blobbed only to those two Security Worlds, and can be wrapped for transport only with the verified KEK. Check that the two hashes are the same ones verifykeypackage.py printed before you continue.

A second capture of the same command, taken on another workstation (20012-EDGEHSM) with its own Security World, shows the same sequence with different module and key hashes:

    ****************
    User Information
    ****************
    Machine Name: 20012-EDGEHSM
    User Name: Administrator
    User Domain: 20012-EDGEHSM
    Getting hashes for module keys...........................SUCCESS
    ***********
    Module Keys
    ***********
    KML Hash: 7143e6df0470577c253d8a96dcec8fe2b3da17e6
    KLF Hash: ace6aa4fec202ca5069369c3825aac0fbcd98ef6
    KM Hash: c0021bc96667ccdc0e96f4f3d4e6525b95e34f29
    KMWK Hash: 1d572201be533ebc89f30fdd8f3fac6ca3395bf0
    Loading user key.........................................SUCCESS
    Loading user key's private blob..........................SUCCESS
    ********
    User Key
    ********
    Type: RSAPrivate
    Length: 2048
    Key Hash: e2f23fdce7e51ff326bc4d898e5b160da8286e11
    ACLs:
     .n_groups= 2
     .groups[ 0].flags= none 0x00000000
      .n_limits= 0
      .n_actions= 1
      .actions[ 0].type= OpPermissions
       .details.oppermissions.perms= DuplicateHandle UseAsCertificate GetAppData ReduceACL Decrypt UseAsBlobKey Sign GetACL SignModuleCert 0x0000b52b
      .certifier absent
      .certmech absent
      .moduleserial absent
     .groups[ 1].flags= certifier_present FreshCerts 0x00000003
      .n_limits= 0
      .n_actions= 3
      .actions[ 0].type= OpPermissions
       .details.oppermissions.perms= DuplicateHandle ExportAsPlain GetAppData SetAppData ReduceACL ExpandACL GetACL 0x0000207d
      .actions[ 1].type= MakeBlob
       .details.makeblob.flags= AllowKmOnly AllowNonKm0 AllowNullKmToken 0x00000023
       .kmhash absent
       .kthash absent
       .ktparams absent
       .blobfile absent
      .actions[ 2].type= MakeArchiveBlob
       .details.makearchiveblob.flags= none 0x00000000
       .mech= Any
       .kahash absent
       .blobfile absent
      .certifier= 20 bytes a3cfb7d8 006a6f18 aa482258 8706b034 28404271
      .certmech absent
      .moduleserial absent
    Loading exchange key.....................................SUCCESS
    ********************
    Exchange Key Package
    ********************
    Exchange key application name: xferwrapping
    Exchange key identifier: kek-prod-eu-1
    Exchange key hash: ede3e33cd1ffda023bd1e319f2bf156ab4b5e90d
    Public key blob: System.Byte[]
    Generating module's ESN: 3E55-C8BD-46FC
    Key creation message: System.Byte[]
    Key creation signature: NCipher.MCipherText
    Module state message: System.Byte[]
    Module state signature: NCipher.MCipherText
    Module warrant: System.Byte[]
    Loading exchange key public blob.........................SUCCESS
    ************
    Exchange Key
    ************
    Type: RSAPublic
    Length: 2048
    Key Hash: ede3e33cd1ffda023bd1e319f2bf156ab4b5e90d
    ACLs:
     .n_groups= 1
     .groups[ 0].flags= none 0x00000000
      .n_limits= 0
      .n_actions= 3
      .actions[ 0].type= OpPermissions
       .details.oppermissions.perms= DuplicateHandle ExportAsPlain GetAppData SetAppData ReduceACL ExpandACL Encrypt Verify UseAsBlobKey GetACL 0x000026fd
      .actions[ 1].type= MakeBlob
       .details.makeblob.flags= AllowKmOnly AllowNonKm0 AllowNullKmToken 0x00000023
       .kmhash absent
       .kthash absent
       .ktparams absent
       .blobfile absent
      .actions[ 2].type= MakeArchiveBlob
       .details.makearchiveblob.flags= none 0x00000000
       .mech= Any
       .kahash absent
       .blobfile absent
      .certifier absent
      .certmech absent
      .moduleserial absent
    Loading exchange key.....................................SUCCESS
    **********************
    Security World Package
    **********************
    Security world key hash: b3fc319fb23c9db7e9248c27f5967550da7ecce0
    Generating module's ESN: B3C4-F264-3066
    Security world key creation message: System.Byte[]
    Security world key creation signature: NCipher.MCipherText
    Module state message: System.Byte[]
    Module state signature: NCipher.MCipherText
    Module warrant: System.Byte[]
    Insert Admin Card:
     Module 1 slot 0: empty
     Module 1 slot 0: Admin Card #3
     Module 1 slot 0:- passphrase supplied - reading card
     Module 1 slot 0: Admin Card #3: already read
     Module 1 slot 0: empty
     Module 1 slot 0: Admin Card #2
     Module 1 slot 0:- passphrase supplied - reading card
    Card reading complete.
    Loading admin card set...................................SUCCESS
    *******
    NSO Key
    *******
    Type: DSAPrivate
    Length: 1024
    Key Hash: a3cfb7d8006a6f18aa4822588706b03428404271
    ACLs:
     .n_groups= 1
     .groups[ 0].flags= none 0x00000000
      .n_limits= 1
      .limits[ 0].type= Time
       .details.time.seconds= 0x00000258 600
      .n_actions= 2
      .actions[ 0].type= OpPermissions
       .details.oppermissions.perms= UseAsCertificate ReduceACL GetACL 0x00002022
      .actions[ 1].type= MakeBlob
       .details.makeblob.flags= AllowNonKm0 ktparams_present AllowNullKmToken 0x00000032
       .kmhash absent
       .kthash absent
       .ktparams.flags= none 0x00000000
        .sharesneeded= 0x00000000 0
        .sharestotal= 0x00000000 0
        .timelimit= 0x00000000 0
       .blobfile absent
      .certifier absent
      .certmech absent
      .moduleserial absent
    Modifying ACLs on private key............................SUCCESS
    ********
    User Key
    ********
    Type: RSAPrivate
    Length: 2048
    Key Hash: e2f23fdce7e51ff326bc4d898e5b160da8286e11
    ACLs:
     .n_groups= 1
.groups[ 0].flags= none 0x00000000 .n_limits= 0 .n_actions= 4 .actions[ 0].type= OpPermissions .details.oppermissions.perms= DuplicateHandle ReduceACL Decrypt Sign GetACL 0x00003121 .actions[ 1].type= MakeBlob .details.makeblob.flags= AllowKmOnly AllowNonKm0 kmhash_present AllowNullKmToken 0x00000027 .kmhash= 20 bytes c0021bc9 6667ccdc 0e96f4f3 d4e6525b 95e34f29 .kthash absent .ktparams absent .blobfile absent .actions[ 2].type= MakeBlob .details.makeblob.flags= AllowKmOnly AllowNonKm0 kmhash_present AllowNullKmToken 0x00000027 .kmhash= 20 bytes b3fc319f b23c9db7 e9248c27 f5967550 da7ecce0 .kthash absent .ktparams absent .blobfile absent .actions[ 3].type= MakeArchiveBlob .details.makearchiveblob.flags= kahash_present 0x00000001 .mech= BlobCryptv2kRSAeRijndaelCBC0hSHA256mSHA256HMAC .kahash= 20 bytes ede3e33c d1ffda02 3bd1e319 f2bf156a b4b5e90d .blobfile absent .certifier absent .certmech absent .moduleserial absentMaking new private key blob..............................SUCCESSRemoving recovery key blob...............................SUCCESSSaving modified key as C:\ProgramData\nCipher\Key Management Data\local\key_xferacld_test......................................SUCCESSSaving logfile as c:\Program Files\BYOK_TOOLSET\ModifyAcls-key_xferacld_test.log...............................................SUCCESSResult: SUCCESSc:\Program Files\BYOK_TOOLSET>When the command completes, you will see "Result: SUCCESS". This will create in your %NFAST_KMDATA%\local folder a copy of your tenant key with reduced permissions in a file named key_xferacId_test, replacing test at the end of the filename with whatever you chose as your key identifier in Section?§ REF _Ref367373733 \h \* MERGEFORMAT Creating a new key.Inspecting the new copy of the keyThis step is optional. 
You can now run the Thales utilities aclprint.py and kmfile-dump.exe to check that the new key has no more permissions than you want to give Microsoft, and so confirm the minimal permissions on your tenant key.

Proceed with the following steps:

From the above command prompt, run the following command with the Thales utility aclprint.py, replacing test with whatever you chose as your key identifier in Section § Creating a new key:

c:\Program Files\BYOK_TOOLSET>"%nfast_home%\bin\preload.exe" -m 1 -A xferacld -K test "%nfast_home%\python\bin\python" "%nfast_home%\python\examples\aclprint.py"
Stored Unsure -- multiple objects on module #1
Loaded xferacld test key (RSAPrivate) on modules 1
Executing C:\Program Files (x86)\nCipher\nfast\python\bin\python C:\Program Files (x86)\nCipher\nfast\python\examples\aclprint.py
Unsure -- multiple objects
acl.groups[0].flags= 0x0
  .actions[0].type= OpPermissions
    .details.perms= DuplicateHandle|ReduceACL|Decrypt|Sign|GetACL
  .actions[1].type= MakeBlob
    .details.flags= AllowKmOnly|AllowNonKm0|kmhash_present|AllowNullKmToken
    .kmhash= Admin key: km (4879...)
  .actions[2].type= MakeBlob
    .details.flags= AllowKmOnly|AllowNonKm0|kmhash_present|AllowNullKmToken
    .kmhash= b3fc319f b23c9db7 e9248c27 f5967550 da7ecce0
  .actions[3].type= MakeArchiveBlob
    .details.flags= kahash_present
    .mech= BlobCryptv2kRSAeRijndaelCBC0hSHA256mSHA256HMAC
    .kahash= ede3e33c d1ffda02 3bd1e319 f2bf156a b4b5e90d

c:\Program Files\BYOK_TOOLSET>

Note
You should refer to the Thales user guide for how to interpret the output.
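The following PowerShell function is an added example, not part of the original document or of the Thales toolset, that applies the check described above to the aclprint.py output: it parses the dump, flags any OpPermissions beyond the minimal set, and verifies that blob creation is pinned to the module-key and KEK hashes. The sample text is the aclprint.py output shown above, the expected KEK hash is the "Exchange key hash" printed by the ModifyAcls run, and the function name Test-ByokKeyAcl is this example's own.

```powershell
# Added example (not from the original document or from Thales): check that the
# aclprint.py dump of the reduced key carries no more rights than intended.
# $AclText is copied from the aclprint.py run above; the expected KEK hash is the
# "Exchange key hash" line printed by the ModifyAcls run (kek-prod-eu-1).
$AclText = @'
acl.groups[0].flags= 0x0
  .actions[0].type= OpPermissions
    .details.perms= DuplicateHandle|ReduceACL|Decrypt|Sign|GetACL
  .actions[1].type= MakeBlob
    .details.flags= AllowKmOnly|AllowNonKm0|kmhash_present|AllowNullKmToken
    .kmhash= Admin key: km (4879...)
  .actions[2].type= MakeBlob
    .details.flags= AllowKmOnly|AllowNonKm0|kmhash_present|AllowNullKmToken
    .kmhash= b3fc319f b23c9db7 e9248c27 f5967550 da7ecce0
  .actions[3].type= MakeArchiveBlob
    .details.flags= kahash_present
    .mech= BlobCryptv2kRSAeRijndaelCBC0hSHA256mSHA256HMAC
    .kahash= ede3e33c d1ffda02 3bd1e319 f2bf156a b4b5e90d
'@

function Test-ByokKeyAcl {
    # Function name and parameters are this example's own (hypothetical).
    param(
        [Parameter(Mandatory)][string]$Text,
        [string]$ExpectedKekHash,
        # Rights the reduced key may keep: use it (Decrypt, Sign) and inspect it, nothing more.
        # ExportAsPlain or ExpandACL here would mean the key could leave the HSM or regain rights.
        [string[]]$AllowedPerms = @('DuplicateHandle', 'ReduceACL', 'Decrypt', 'Sign', 'GetACL')
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # One match per ".actions[n].type= X" entry together with its indented attribute lines.
    $actions = [regex]::Matches($Text, '\.actions\[\d+\]\.type=\s*(\w+)((?:\r?\n(?!\s*\.actions\[).*)*)')
    foreach ($a in $actions) {
        $type = $a.Groups[1].Value
        $body = $a.Groups[2].Value
        switch ($type) {
            'OpPermissions' {
                $perms = ([regex]::Match($body, '\.details\.perms=\s*(\S+)')).Groups[1].Value -split '\|'
                $extra = $perms | Where-Object { $AllowedPerms -notcontains $_ }
                if ($extra) { $findings.Add("OpPermissions grants more than intended: $($extra -join ', ')") }
            }
            'MakeBlob' {
                # Without kmhash_present the key could be re-blobbed under any module key,
                # not only the Security Worlds whose hashes were pinned by ModifyAcls.
                if ($body -notmatch 'kmhash_present') { $findings.Add('MakeBlob is not pinned to a module key hash') }
            }
            'MakeArchiveBlob' {
                if ($body -notmatch 'kahash_present') { $findings.Add('MakeArchiveBlob is not pinned to an archive key hash') }
                $kahash = ([regex]::Match($body, '\.kahash=\s*([0-9a-fA-F ]+)')).Groups[1].Value -replace '\s', ''
                if ($ExpectedKekHash -and $kahash -ne $ExpectedKekHash) {
                    $findings.Add("MakeArchiveBlob kahash $kahash is not the expected KEK $ExpectedKekHash")
                }
            }
            default { $findings.Add("Unexpected ACL action type: $type") }
        }
    }
    if ($actions.Count -eq 0) { $findings.Add('No .actions[] entries found in the input') }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

# Run the check against the dump above with the KEK hash from the Exchange Key Package.
Test-ByokKeyAcl -Text $AclText -ExpectedKekHash 'ede3e33cd1ffda023bd1e319f2bf156ab4b5e90d'
```

Any entry in Findings means the ModifyAcls step did not reduce the key as expected and the key should not be packaged for transfer.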
From the above command prompt, run the following command with the Thales utility kmfile-dump.exe, replacing test in key_xferacld_test with whatever you chose as your key identifier in Section § Creating a new key:

c:\Program Files\BYOK_TOOLSET>"%nfast_home%\bin\kmfile-dump.exe" "%NFAST_KMDATA%\local\key_xferacld_test"
C:\ProgramData\nCipher\Key Management Data\local\key_xferacld_test
 AppName xferacld
 Ident test
 Name test
 HashKA 948563938e8de07fd7151a7157742e1ba42de3d5
 BlobKA
  Blob format = Module
  Module key = KM_sw [48795e6888a55b25ca9d1ef15eb52613be2deed5]
 BlobPubKA
  Blob format = Module
  Module key = KM_wk [1d572201be533ebc89f30fdd8f3fac6ca3395bf0]
 CertGenKA DSA 6c62081bce9d01e0ac8749ac8629ffdccacbcbd9 36e78f7bdaca4716c8d7b5bccce830651c527e23
 MesgGenKA
  (hex dump omitted)
 ESNGen EA67-52ED-38F9
 BlobPubKML
  Blob format = Module
  Module key = KM_wk [1d572201be533ebc89f30fdd8f3fac6ca3395bf0]
 CertKMLaESN DSA 39aabf26b9fc99e8a4e7e788fa0516b1542a3c1d 28a9c8b75d98fa781cfe2599f2f6b7ea0eb587b6
 CertModuleState DSA a13a3fd110d01e70920f3746f3839899e1024d5c 2e5540d174e33d8b22c2dd470b3b1d37963193e9
 MesgModuleState
  (hex dump omitted)

c:\Program Files\BYOK_TOOLSET>

Note
You should refer to the Thales user guide for how to interpret the output.

Encrypting your key to Microsoft's Key Exchange Key

Proceed with the following steps:

From the above command prompt, run the following command, replacing test with the identifier you used to generate the key in Section § Creating a new key:

c:\Program Files\BYOK_TOOLSET>KeyTransferRemote.exe -Package -KeyIdentifier test -ExchangeKeyPackage <KEK> -NewSecurityWorldPackage <SecurityWorldpackage> -SubscriptionID <GUID> -KeyFriendlyName <FirstKeyLabel>

Where:

<KEK> is the Key Exchange Key (KEK) package for your geographic region:
BYOK-KEK-pkg-EU-1 for Europe.
BYOK-KEK-pkg-NA-1 for the United States.
BYOK-KEK-pkg-AP-1 for Asia-Pacific.
Etc.

<SecurityWorldpackage> is the Security World package for your geographic region:
BYOK-SecurityWorld-pkg-EU-1 for Europe.
BYOK-SecurityWorld-pkg-NA-1 for the United States.
BYOK-SecurityWorld-pkg-AP-1 for Asia-Pacific.
Etc.

<GUID> is your Azure subscription ID, for example 8848a529-9d69-4049-8469-8218547a61e2 in our configuration.

<FirstKeyLabel> is a label that will be used for your output file name (see below).

This corresponds to the following command in our configuration:

c:\Program Files\BYOK_TOOLSET>KeyTransferRemote.exe -Package -KeyIdentifier test -ExchangeKeyPackage .\BYOK-KEK-pkg-EU-1 -NewSecurityWorldPackage .\BYOK-SecurityWorld-pkg-EU-1 -SubscriptionId 8848a529-9d69-4049-8469-8218547a61e2 -KeyFriendlyName TestFirstKey
****************
User Information
****************
Machine Name: MININT-PN052N7
User Name: Administrator
User Domain: MININT-PN052N7
Getting hashes for module keys...................................................................SUCCESS
***********
Module Keys
***********
KML Hash: 051bbbdf2f33cbc80c8297824ecfd4a0441d1b90
KLF Hash: d0119786314c756f2e24bc79c9c6c33e3226f019
KM Hash: 48795e6888a55b25ca9d1ef15eb52613be2deed5
KMWK Hash: 1d572201be533ebc89f30fdd8f3fac6ca3395bf0
Loading user key.................................................................................SUCCESS
Loading user key's private blob..................................................................SUCCESS
****************
User Private Key
****************
Type: RSAPrivate
Length: 2048
Key Hash: 948563938e8de07fd7151a7157742e1ba42de3d5
ACLs:
 .n_groups= 1
 .groups[ 0].flags= none 0x00000000
 .n_limits= 0
 .n_actions= 4
 .actions[ 0].type= OpPermissions
 .details.oppermissions.perms= DuplicateHandle ReduceACL Decrypt Sign GetACL 0x00003121
 .actions[ 1].type= MakeBlob
 .details.makeblob.flags= AllowKmOnly AllowNonKm0 kmhash_present AllowNullKmToken 0x00000027
 .kmhash= 20 bytes 48795e68 88a55b25 ca9d1ef1 5eb52613 be2deed5
 .kthash absent
 .ktparams absent
 .blobfile absent
 .actions[ 2].type= MakeBlob
 .details.makeblob.flags= AllowKmOnly AllowNonKm0 kmhash_present AllowNullKmToken 0x00000027
 .kmhash= 20 bytes b3fc319f b23c9db7 e9248c27 f5967550 da7ecce0
 .kthash absent
 .ktparams absent
 .blobfile absent
 .actions[ 3].type= MakeArchiveBlob
 .details.makearchiveblob.flags= kahash_present 0x00000001
 .mech= BlobCryptv2kRSAeRijndaelCBC0hSHA256mSHA256HMAC
 .kahash= 20 bytes ede3e33c d1ffda02 3bd1e319 f2bf156a b4b5e90d
 .blobfile absent
 .certifier absent
 .certmech absent
 .moduleserial absent
Loading user key's public blob...................................................................SUCCESS
***************
User Public Key
***************
Type: RSAPublic
Length: 2048
Key Hash: 948563938e8de07fd7151a7157742e1ba42de3d5
ACLs:
 .n_groups= 1
 .groups[ 0].flags= none 0x00000000
 .n_limits= 0
 .n_actions= 2
 .actions[ 0].type= OpPermissions
 .details.oppermissions.perms= DuplicateHandle ExportAsPlain GetAppData SetAppData ReduceACL ExpandACL Encrypt Verify UseAsBlobKey GetACL 0x000026fd
 .actions[ 1].type= MakeBlob
 .details.makeblob.flags= AllowKmOnly AllowNonKm0 AllowNullKmToken 0x00000023
 .kmhash absent
 .kthash absent
 .ktparams absent
 .blobfile absent
 .certifier absent
 .certmech absent
 .moduleserial absent
Export public key................................................................................SUCCESS
Loading exchange key.............................................................................SUCCESS
********************
Exchange Key Package
********************
Exchange key application name: xferwrapping
Exchange key identifier: kek-prod-eu-1
Exchange key hash: ede3e33cd1ffda023bd1e319f2bf156ab4b5e90d
Public key blob: System.Byte[]
Generating module's ESN: 3E55-C8BD-46FC
Key creation message: System.Byte[]
Key creation signature: NCipher.MCipherText
Module state message: System.Byte[]
Module state signature: NCipher.MCipherText
Module warrant: System.Byte[]
Loading exchange key public blob.................................................................SUCCESS
************
Exchange Key
************
Type: RSAPublic
Length: 2048
Key Hash: ede3e33cd1ffda023bd1e319f2bf156ab4b5e90d
ACLs:
 .n_groups= 1
 .groups[ 0].flags= none 0x00000000
 .n_limits= 0
 .n_actions= 3
 .actions[ 0].type= OpPermissions
 .details.oppermissions.perms= DuplicateHandle ExportAsPlain GetAppData SetAppData ReduceACL ExpandACL Encrypt Verify UseAsBlobKey GetACL 0x000026fd
 .actions[ 1].type= MakeBlob
 .details.makeblob.flags= AllowKmOnly AllowNonKm0 AllowNullKmToken 0x00000023
 .kmhash absent
 .kthash absent
 .ktparams absent
 .blobfile absent
 .actions[ 2].type= MakeArchiveBlob
 .details.makearchiveblob.flags= none 0x00000000
 .mech= Any
 .kahash absent
 .blobfile absent
 .certifier absent
 .certmech absent
 .moduleserial absent
Loading security world package...................................................................SUCCESS
**********************
Security World Package
**********************
Security world key hash: b3fc319fb23c9db7e9248c27f5967550da7ecce0
Generating module's ESN: B3C4-F264-3066
Security world key creation message: System.Byte[]
Security world key creation signature: NCipher.MCipherText
Module state message: System.Byte[]
Module state signature: NCipher.MCipherText
Module warrant: System.Byte[]
Making wrapped private key blob..................................................................SUCCESS
Removing recovery key blob.......................................................................SUCCESS
Calculating key name.............................................................................SUCCESS
Saving protected key as C:\ProgramData\nCipher\Key Management Data\local\key_xfer_028848a5299d69404984698218547a61e2f5b042b9c3a7dd9333e6a470d1ec2b57fb5c34ad...................................................SUCCESS
Saving key transfer package as C:\Program Files\BYOK_TOOLSET\KeyTransferPackage-TestFirstKey.byok...SUCCESS
Saving logfile as C:\Program Files\BYOK_TOOLSET\Package-key_xfer_test.log........................SUCCESS
Result: SUCCESS

c:\Program Files\BYOK_TOOLSET>

When the command completes, you will see "Result: SUCCESS".
This creates, in the current folder, a file called KeyTransferPackage-<FirstKeyLabel>.byok, for example KeyTransferPackage-TestFirstKey.byok in our configuration.

Copying your key transfer package

Copy the output file KeyTransferPackage-<FirstKeyLabel>.byok from the previous step to your USB drive or other portable storage.

Uploading your key to your HSM-based vault

Perform all steps in this section on your Internet-connected workstation.

To upload the key package, proceed with the following steps:

Plug your USB drive or other portable storage into your Internet-connected workstation.

Open an (elevated) Windows PowerShell command prompt and run the following command to connect to your Azure subscription, replacing Your_Vault_Name with the vault name identified in Section § Creating a new HSM-based Azure Key Vault and Key_Label_Name with the value specified in Section "Encrypting your key to Microsoft's Key Exchange Key":

PS C:\> Add-AzureKeyVaultKey -VaultName 'Your_Vault_Name' -Name 'Key_Label_Name' -KeyFilePath 'Your_byok_File_path.byok' -Destination 'HSM'

This corresponds to the following command in our configuration:

PS C:\> Add-AzureKeyVaultKey -VaultName 'Litware369KeyVaultHSM' -Name 'TestFirstKey' -KeyFilePath 'c:\KeyTransferPackage-TestFirstKey.byok' -Destination 'HSM'

Attributes : Microsoft.Azure.Commands.KeyVault.Models.KeyAttributes
Key        : {"kid":" 947dd9e5fc1c3ff0d9937","kty":"RSA-HSM","key_ops":["encrypt","decrypt","sign","verify","wrapKey","unwrapKey"],"n":"uDD5jKpy-x2Vg4YsyNaOfkNrPGmReX3Oz1Tn7EqQJiMZBHZxhyhk9dBzl6GnAbvFmRFe1IMayEA2KPz_1f_F21CsiGKAF40YTz2c_fSi2_-K1n8ytXgqA1HWAhv4Y7pgQWolvXAL-MIorL-cHfLonuw3EKhCz3J6M-hQ8d_g3lFy1Al0GSRqbh6OLepwL8UEPkDrBE-sPlrUqxt3KW4iiaQ9CRc-92vTWuC50QC_WpFkVxrA6bPTGtE0C_GE27GVupmgcbw1eu6TYYI-iW7v9FYrrFuwCSFOAP_b-vxF7oEo5h_fo2veDDkfsgu1uy8MYaZyRuU09QYhPe42iXw0lw","e":"AAEAAQ","d":null,"dp":null,"dq":null,"qi":null,"p":null,"q":null,"k":null,"key_hsm":null}
VaultName  : litware369keyvaulthsm
Name       : TestFirstKey
Version    : 3e4a78cd9fb947dd9e5fc1c3ff0d9937
Id         : d9e5fc1c3ff0d9937

You can now use this HSM-protected key in your managed key vault. After successfully importing the key into the HSM in Azure Key Vault, copy the key URL (the Id field) for use with the supported services in Office 365 and Azure. See Section § Using your imported key with Office 365 and Azure service.

View the HSM-protected key from the Azure portal

With the Key Vault user interface in the Azure portal, you can browse existing vaults, create new vaults, set access policies and other attributes, create and edit tags for your key vaults, create and update keys and secrets, view current and older versions of your keys, and edit attributes. All your existing managed vaults in Azure Key Vault automatically show up when you browse resources from the Azure portal.

To view the existing HSM-protected key we have just imported, proceed with the following steps:

Open a browsing session, navigate to the Azure portal and sign in as the subscription admin user. This is for instance the same Microsoft Account that you used to sign up for Azure as per the previous section.

From All resources, search for your key vault, for example Litware369KeyVaultHSM in our illustration, and open it.

Under Overview, select Keys to open the Keys container.

Under Keys, you can see the HSM-protected key's friendly name, TestFirstKey (see Section § Uploading your key to your HSM-based vault). Click on it.

You can now see the key version and its status. Click on it to open this version.

From this window you can see the HSM-protected key's properties.
Note the Key Type (RSA-HSM) and the Key Identifier URL that can be used with Office 365 and Azure cloud services.

Close all windows of the Azure portal.

Using your imported key with Office 365 and Azure service

The following sections illustrate, in a non-exhaustive manner, a situation where you can benefit from the BYOK capability of Azure Key Vault. For that purpose, Azure Information Protection is taken as an example.

Tenant key with Azure Information Protection

Regulatory requirements occasionally mandate that customers have complete control of the encryption keys used in Azure Information Protection. Other times customers simply prefer to maintain control over their secrets and are not prepared to let Microsoft manage these sensitive objects.

Fulfilling Azure Information Protection prerequisites

To use keys stored in HSMs in Azure Key Vault, you must have Azure Information Protection Premium P1 licenses.

Installing the Azure Rights Management (or AIP) administration module for Windows PowerShell

The Windows Azure AD Rights Management Administration tool (which can be used for Azure Information Protection) contains the Windows Azure Rights Management administration module for Windows PowerShell, a set of Windows PowerShell cmdlets that provide (advanced) administrative capabilities for the Azure Information Protection service. You will need these cmdlets on an ongoing basis to manage your Azure Information Protection tenant, so this is a good time to install them.

Note
Even if you have installed the Windows Azure AD Rights Management Administration Tool before, please upgrade to the latest version, as it includes new cmdlets that we will need for this procedure.

For additional information and instructions, see the Microsoft TechNet article Installing Windows PowerShell for Azure Rights Management.

Before installing this tool, you must have Microsoft Online Services Sign-In Assistant (MOS SIA) 7.0 installed.

Note
The Microsoft Online Services Sign-In Assistant (MOS SIA) 7.0 provides sign-in capabilities to the Azure Information Protection service. The MOS SIA is used to authenticate users to the service through a set of dynamic link library files (DLLs) and a Windows service, as described in the community article Description of Microsoft Online Services Sign-In Assistant (MOS SIA).

To install the Microsoft Online Services Sign-In Assistant (MOS SIA) 7.0, proceed with the following steps:

Open a browsing session, navigate to the link Microsoft Online Services Sign-In Assistant for IT Professionals RTW and click Download.

On the Choose the download you want page, select the version (x64 or x86, i.e. msoidcli_64bit.msi or msoidcli_32bit.msi) matching the workstation configuration and save it locally.

Double-click the downloaded file. The Microsoft Online Services Sign-in Assistant Setup wizard opens.

On the license terms page, select I accept the terms in the License Agreement and Privacy Statement and click Install.

A User Account Control dialog pops up. In the User Account Control dialog, click Yes to execute the setup.

On the completion page, click Finish.

To now install the Azure AD Rights Management admin cmdlets (AADRM PowerShell module), proceed with the following steps:

Open an admin PowerShell prompt and run:

PS> Save-Module -Name AADRM -Path <path>

All details are available from the PowerShell Gallery.

Install the AADRM module by executing the following command:

PS> Install-Module -Name AADRM

The cmdlets of the Microsoft Rights Management administration module for Windows PowerShell will be used in the next section to get the current configuration of the Azure Information Protection service.

Configuring Azure Information Protection to use the HSM-based key

We will configure the Azure Key Vault to allow Azure Information Protection to access the key, and then associate the HSM-stored key with Azure Information Protection. In other words, to configure Azure Information Protection to use the HSM-based key that you previously imported into the vault through the BYOK procedure, you must give Azure Information Protection access to that key, and then associate the key with Azure Information Protection.
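As an added example, not the document's or Microsoft's own script, the two steps just described (grant the service access to the key, then associate the key with Azure Information Protection), together with the preceding upload, assembled into one PowerShell script with the checks a practitioner would want before handing the key to the service. It assumes the AzureRM and AADRM modules used in this document are installed, that Login-AzureRmAccount and Connect-AadrmService have already been run in the session, and it uses the vault, key and package names from this document.

```powershell
# Added example (not the document's or Microsoft's script): the upload, access-policy
# and key-association steps of this section as one script, with the checks worth doing
# before the key is handed to Azure Information Protection.
# Assumes the AzureRM and AADRM modules used in this document are installed and that
# Login-AzureRmAccount and Connect-AadrmService have already been run in this session.
param(
    [string]$VaultName   = 'Litware369KeyVaultHSM',                   # vault name from this document
    [string]$KeyName     = 'TestFirstKey',                            # -KeyFriendlyName used when packaging
    [string]$ByokPackage = 'C:\KeyTransferPackage-TestFirstKey.byok'  # copied over from the offline workstation
)
$ErrorActionPreference = 'Stop'

# Application ID of the Azure Information Protection service (from this document).
$AipServicePrincipal = '00000012-0000-0000-c000-000000000000'
# Key permissions AIP needs (from this document). Deliberately no delete, backup,
# import, restore or purge: the service can use the key but never remove or export it.
$AipKeyPermissions = @('decrypt', 'encrypt', 'unwrapkey', 'wrapkey', 'verify', 'sign', 'get')

# 1. Import the key transfer package; -Destination HSM keeps it HSM-protected.
$imported = Add-AzureKeyVaultKey -VaultName $VaultName -Name $KeyName `
    -KeyFilePath $ByokPackage -Destination 'HSM'

# 2. Stop if the vault did not store an HSM key: kty "RSA" instead of "RSA-HSM"
#    would mean the key is software-protected, defeating the point of BYOK.
if ($imported.Key.Kty -ne 'RSA-HSM') {
    throw "Key '$KeyName' has kty '$($imported.Key.Kty)'; expected 'RSA-HSM'."
}
# AIP decrypts, signs and unwraps with the tenant key; make sure the key allows it.
$missingOps = @('decrypt', 'sign', 'unwrapKey', 'wrapKey') |
    Where-Object { $imported.Key.KeyOps -notcontains $_ }
if ($missingOps) {
    throw "Key is missing key_ops required by AIP: $($missingOps -join ', ')"
}

# 3. Grant the AIP service principal exactly the permissions listed above.
Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName `
    -ServicePrincipalName $AipServicePrincipal -PermissionsToKeys $AipKeyPermissions

# 4. Read the key back: its Id is the versioned key URL AIP must be pointed at.
$key = Get-AzureKeyVaultKey -VaultName $VaultName -Name $KeyName
Write-Host "HSM-protected key URL: $($key.Id)"

# 5. Associate the key with the Azure Information Protection tenant.
Use-AadrmKeyVaultKey -KeyVaultKeyUrl $key.Id

# 6. List the tenant's keys so the new Key Vault key can be confirmed.
Get-AadrmKeys
```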
Proceed with the following steps:Open an elevated Windows PowerShell or PowerShell Integrated Scripting Environment (ISE) prompt.Run the following command to log into the Aadrm Service:PS C:\> Connect-AadrmServiceRun the following command to set the access policy to the vault:PS C:\> Set-AzureRmKeyVaultAccessPolicy -VaultName 'Litware369KeyVaultHSM' -ServicePrincipalName 00000012-0000-0000-c000-000000000000 -PermissionsToKeys decrypt,encrypt,unwrapkey,wrapkey,verify,sign,getNoteThe ServicePrincipalName referenced in the above command is the Azure Information Protection service.Run the following command to get the details of the HSM-based key:PS C:\> Get-AzureKeyVaultKey -VaultName 'Litware369KeyVaultHSM'-Name 'Litware369FirstHSMKey'This will return the details of the imported key from your HSM on-premises. <INSERT cmdlet output>Copy the Id field for use in the next command. The Id field should be in the following format: the following command:PS C:\> Use-AadrmKeyVaultKey -KeyVaultKeyUrl " aaaabbbbccccdddd1111222233334444"Enabling and using your Azure Information Protection service tenantThis section applies whether you let Microsoft generate your key (the default) or you generated and transferred your key to the Azure Information Protection service (over the Internet or in person). After you have transferred your key (over the Internet or in person), you must enable Azure Information Protection service. You can do this by using one of the following options.Enabling your Azure Information Protection service tenant from the Office 365 admin center.-or-Enabling your Azure Information Protection service tenant for the classic Azure Portal.Option 1 - Activating your service tenant from the Office 365 admin centerTo do this, proceed with the following steps:From an online workstation, navigate to the Azure Information Protection service administration portal such as the Office 365 admin center at and login and login with your administrative credentials. 
In the left pane of the administration portal, click Service Settings.From the Service Settings page, click Rights Management.Under Protect your information, click Manage.Under Rights Management, click Activate. You will get a popup.When prompted Do you want to activate rights management?, click Activate to confirm you want to activate. Once the Azure Information Protection service is successfully activated you will see the following:Option 2 - Activating the service tenant for the Azure PortalThis option can be used if you have signed up for the Rights Management stand-alone service.To activate the service tenant, proceed with the following steps:From an online workstation, navigate to the classic Azure portal at and login with your administrative credentials. In the left pane of the management portal, click ACTIVE DIRECTORY.From the active directory page, click RIGHTS MANAGEMENT.Select the name of your directory to manage, click ACTIVATE at the bottom, and then confirm your action.NoteIf you see an activation error, it might be because your service plan or product version cannot support Rights Management. Use the information in the Cloud subscriptions that support Azure RMS section in the Requirements for Azure Information Protection topic to confirm AIP support. For help with this issue, send an email message to askipteam.The RIGHTS MANAGEMENT STATUS should now display Active and the ACTIVATE option is replaced with DEACTIVATE.After enabling the service tenant, you can now configure your Exchange servers, SharePoint servers, and your users’ devices to point to this Azure Information Protection service’s tenant and start using it.Getting usage logs for your keyYou can configure the Azure Key Vault service to monitor when and how your key vault assigned to the Azure Information Protection service is accessed and by whom.When Key Vault logging is activated, logs will be stored in an Azure storage account that you provide. 
A new container named insights-logs-auditevent is automatically created in the storage account you specify, and you can use the same storage account to collect logs for multiple key vaults.

Here is the kind of information you will find logged:

- All authenticated REST API requests, including requests that failed because of access permissions, system errors or bad requests.
- Operations on the key vault itself, including creation, deletion, setting key vault access policies, and updating key vault attributes such as tags.
- Operations on keys and secrets in the key vault, including creating, modifying or deleting keys or secrets; operations such as sign, verify, encrypt, decrypt, wrap and unwrap keys, get secrets, and list keys and secrets and their versions.
- Unauthenticated requests that result in a 401 response, for example requests with no bearer token, or with a malformed, expired or otherwise invalid token.

This information is very useful for detecting abnormal situations, such as a spike of failed attempts to use the key during off hours (an insider trying to reach sensitive documents) or an illegitimate user attempting to read the AIP key. It is also useful for forensic analysis after an information leak.

This feature is available to you whether you let Microsoft generate your key (the default) or you bring your own key (BYOK). To turn on logging and get these logs, follow the instructions outlined in the article Azure Key Vault Logging. The logs you receive from Azure Key Vault contain every transaction performed with your tenant key.

Note
For more information, see the article Logging and analyzing usage of the Azure Rights Management service and/or the whitepaper Get Usage Logs from Azure RMS.

Revoking your key

When you unsubscribe from the Azure Information Protection service, you can revoke your tenant key in the key vault configured for the service by removing the Azure Information Protection service's access policy on that vault (the access policy you set when bringing your key).
The Azure Information Protection service then stops being able to use your key.

We do not recommend deleting the key: deletion also destroys the metadata that the cloud services associate with the key for data encryption, and deleting and then re-importing the key does not restore the cloud services' ability to handle content that was encrypted with it. Keep in mind that even a compromised key is still needed to decrypt the content that was protected with it, so that this content can be re-encrypted with a new key.

Note
For more information, see the article Operations for your Azure Information Protection tenant key.

Rolling your key (re-key)

We discourage rolling keys unless it is really necessary. Older clients, notably Office 2010, were not designed to handle key changes gracefully: you must have users of such clients explicitly clear their Rights Management state via a GPO (Group Policy Object) or an equivalent mechanism.

That said, some legitimate events may force you to roll your key, for example:

- Your company split. When you roll your key, the spun-off company will not have access to new content that your employees publish. It can in theory still access the old content if it has a copy of the old key.
- You believe the master copy of your key (the copy in your possession) was compromised.

In the Bring-Your-Own-Key (BYOK) scenario, you roll your key by repeating the steps in the section Bringing your key to Microsoft with a new key.

When you roll your key, new content gets protected with the new key. This happens in a phased manner, so for a period of time some new content continues to be protected with the old key. Previously protected content stays protected with your old key.
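The following PowerShell is an added example, not code from the original paper, that ties together the delegation steps given earlier in this section (Set-AzureRmKeyVaultAccessPolicy, Get-AzureKeyVaultKey, Use-AadrmKeyVaultKey), the activation of a newly added key when you roll your key, and the revocation described under Revoking your key. It assumes the AzureRM and AADRM modules used throughout this paper, an already established session (Connect-AzureRmAccount and Connect-AadrmService have been run), the paper's vault and key names, and that Get-AadrmKeys returns KeyIdentifier, Status and CreationTime fields; the function names are the example's own.

```powershell
# Added example (not code from the original paper): the delegation steps of this section as one
# script with verification, plus the re-key and revocation counterparts.
# Assumptions: AzureRM and AADRM modules, Connect-AzureRmAccount and Connect-AadrmService already
# run, and Get-AadrmKeys output fields KeyIdentifier, Status ('Active'/'Archived'), CreationTime.

$AipAppId  = '00000012-0000-0000-c000-000000000000'   # Azure Information Protection service
$VaultName = 'Litware369KeyVaultHSM'
$KeyName   = 'Litware369FirstHSMKey'
$RequiredKeyPermissions = 'decrypt', 'encrypt', 'unwrapKey', 'wrapKey', 'verify', 'sign', 'get'

function Grant-AipTenantKeyAccess {
    param([string]$VaultName, [string]$KeyName)

    # Least privilege: the service gets the key-use operations listed in the paper and nothing
    # else (no create, import, delete, backup or restore on your keys).
    Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ServicePrincipalName $AipAppId `
        -PermissionsToKeys $RequiredKeyPermissions

    # Read the policy back and check it instead of trusting that the call did what we meant.
    $sp     = Get-AzureRmADServicePrincipal -ServicePrincipalName $AipAppId
    $policy = (Get-AzureRmKeyVault -VaultName $VaultName).AccessPolicies |
              Where-Object { $_.ObjectId -eq $sp.Id }
    if (-not $policy) { throw "No access policy for the AIP service principal on $VaultName" }
    $missing = $RequiredKeyPermissions | Where-Object { $_ -notin $policy.PermissionsToKeys }
    if ($missing) { throw "AIP access policy on $VaultName lacks: $($missing -join ', ')" }

    # Only hand AIP an enabled, HSM-protected key (Kty is 'RSA-HSM' for keys imported through BYOK).
    $key = Get-AzureKeyVaultKey -VaultName $VaultName -Name $KeyName
    if ($key.Key.Kty -ne 'RSA-HSM')   { throw "$KeyName is of type $($key.Key.Kty), not RSA-HSM" }
    if (-not $key.Attributes.Enabled) { throw "$KeyName is disabled in $VaultName" }
    return $key.Id      # https://<vault-name>.vault.azure.net/keys/<key-name>/<key-version>
}

function Register-AipTenantKey {
    param([string]$KeyVaultKeyUrl)

    $before = @(Get-AadrmKeys | Select-Object -ExpandProperty KeyIdentifier)
    Use-AadrmKeyVaultKey -KeyVaultKeyUrl $KeyVaultKeyUrl       # adds the key to the tenant's key set
    $new = Get-AadrmKeys | Where-Object { $_.KeyIdentifier -notin $before }
    if (-not $new) { throw "Use-AadrmKeyVaultKey did not add a key for $KeyVaultKeyUrl" }

    # Re-keying: when the tenant already has an active key, the new key is added alongside it and
    # must be made active explicitly. The old key stays in the set so old content can still be licensed.
    if ($new.Status -ne 'Active') {
        Set-AadrmKeyProperties -KeyIdentifier $new.KeyIdentifier -Active $true
    }
    return Get-AadrmKeys | Sort-Object CreationTime -Descending
}

function Revoke-AipTenantKeyAccess {
    param([string]$VaultName)

    # Revocation means removing the service's access policy; the key itself is never deleted
    # (deleting it would also destroy the metadata AIP needs for content protected with it).
    Remove-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ServicePrincipalName $AipAppId
    $sp   = Get-AzureRmADServicePrincipal -ServicePrincipalName $AipAppId
    $left = (Get-AzureRmKeyVault -VaultName $VaultName).AccessPolicies |
            Where-Object { $_.ObjectId -eq $sp.Id }
    if ($left) { throw "The AIP service principal still has an access policy on $VaultName" }
}

# Usage: delegate and register the key. Rolling the key is the same two calls with the new key's name.
$keyUrl = Grant-AipTenantKeyAccess -VaultName $VaultName -KeyName $KeyName
Register-AipTenantKey -KeyVaultKeyUrl $keyUrl | Format-Table KeyIdentifier, Status, CreationTime -AutoSize
```

Each function re-reads the state it just changed rather than assuming success, which is the check you want in a change record: the access policy as stored, the key type and enabled flag, and the tenant's key list with one Active entry after a re-key.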
The Azure Information Protection service retains a reference to your old key so that it can still issue licenses for such old content.

Note
For more information, see the article Operations for your Azure Information Protection tenant key.

Backing up and recovering your key

If you let Microsoft generate your key (the default), then Microsoft is responsible for backing up your key.

If you bring your own key, then you are responsible for backing up the key. If you generated your key in a Thales HSM per the section Creating a new key, then to back up the key, back up the Tokenized Key file, the World file, and the Administrator Cards.

After the Tokenized Key file is imported into the HSM in Azure Key Vault, Microsoft cannot export this key back to you, so it is extremely important that you back up your key and security world safely. Contact Thales for guidance and best practices for backing up your key.

Note
For more information, see the article Operations for your Azure Information Protection tenant key.

Exporting your key

If you bring your own key, you CANNOT export your key from your HSM-based key vault in Azure Key Vault. The Azure Key Vault service's copy is non-recoverable.

Responding to a breach

No security system, no matter how strong, is complete without a breach response process. This document focuses solely on a breach of your root key. This may happen to your (master) copy of the key or to the copy in Microsoft's possession. Or, over the years, vulnerabilities may be found in the current generation of HSM technology or in current key lengths and algorithms.

Microsoft has a dedicated team to respond to security incidents in our products and services. As soon as there is a credible report of an incident, this team engages to investigate the scope, root cause and mitigations. If the incident affects your assets, we will notify your Azure Information Protection service tenant administrators by email at the address you supplied when you subscribed.
The best subsequent action for Microsoft and for you depends on the scope of the breach; Microsoft will work with you through this process. Below are some situations and the likely response (the exact response depends on all the information revealed during the investigation).

Incident description: Your root key is leaked.
Likely response: Roll your key per the section Rolling your key (re-key) above.

Incident description: An unauthorized individual or malware got rights to use your key (but the key itself did not leak).
Likely response: Rolling the key does not help here. The incident needs to be root-caused: if a process or software bug allowed the unauthorized individual to get access, that hole needs to be patched.

Incident description: A vulnerability is discovered in current-generation HSM technology.
Likely response: Microsoft must update the HSMs. If there is reason to believe that the vulnerability exposed keys, all customers must roll their keys.

Incident description: A vulnerability is discovered in the RSA algorithm or in the key length, or brute-force attacks become computationally feasible.
Likely response: Microsoft must update the Azure Information Protection service to support new algorithms and/or longer key lengths that are resilient, and have all customers roll their keys.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. Microsoft makes no warranties, express or implied, in this document. Complying with all applicable copyright laws is the responsibility of the user.
Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2018 Microsoft Corporation. All rights reserved.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Microsoft and the other Microsoft trademarks used in this white paper are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.