Integrate with Microsoft Azure Key Vault

Access Microsoft Azure Key Vault

Microsoft Azure Key Vault can be accessed in the Azure Portal or by using the Azure Command-Line Interface (CLI). Follow the Microsoft Azure documentation to ensure that you use the appropriate authentication, and are communicating with a genuine Azure Key Vault server.

This operation requires Key Vault HSM keys, which are currently only available with the Key Vault Premium SKU.

We recommend that you use the Microsoft BYOK guide when carrying out the Azure operations because they might have been updated after the publication of this User Guide for the Cloud Integration Option Pack. See

Generate the Azure Key Exchange Key

The Key Exchange Key (KEK) is an RSA key generated in a Key Vault HSM. The KEK is used to encrypt the key that you want to import, and must be:

  • An RSA-HSM key (2048-bit, 3072-bit or 4096-bit).

  • Generated in the same key vault where you intend to import the target key.

  • Created with allowed key operations set to import.

The KEK can be generated using the online portal or using the Azure CLI. For example:

az keyvault key create --kty RSA-HSM --size 4096 --name <KEK name> --ops import --vault-name <key vault>

Make a note of the resulting key identifier (kid) as you will need this value later. It is in the following form:

Download the Azure Key Exchange Key

Use the Azure CLI to download the KEK public key to a .pem file. For example:

az keyvault key download --name <KEK name> --vault-name <key vault> --file <download file>

Use cssadmin to generate, wrap and export a key

Using the downloaded KEK file, call cssadmin as follows:

cssadmin microsoft-azure <key name> <wrapping key> --azure-kek <azure kid> --key-type <key type>


wrapping key

The KEK public key file you downloaded, for example KEKforBYOK.publickey.pem.

azure kid

The Key Identifier (kid) of the KEK, for example:

key type

The type of the target key (see the list below). Optional and defaults to RSA 2048-bit if none is provided.

Note that, unlike with AWS and Google Compute Engine, no wrapping algorithm parameter is required with Microsoft Azure because it only supports one algorithm.

The following target key types are available:

RSA Keys

  • 2048-bit

  • 3072-bit

  • 4096-bit

Elliptic Curve Keys

  • NISTP256

  • NISTP384

  • NISTP521

  • SECP256K1

To maintain the security strength of the transferred target key, ensure that the security strength of the chosen KEK is greater than or equal to the security strength of the chosen target key. For example, for an Elliptic Curve key generated using NISTP256, the KEK must be RSA 3072-bit or greater.

Running the cssadmin command creates a file called KeyTransferPackage-<key name>.byok.

Upload the wrapped key material

To import the target key into your Azure Key Vault, use the Azure CLI command to upload the BYOK file to the Key Vault HSM:

az keyvault key import --vault-name <vault name> --name <target key name> --byok-file <key transfer package>


key transfer package

The byok file produced in Use cssadmin to generate, wrap and export a key.

You can also do this step using the Azure Portal.

If the upload is successful, you can use this HSM-protected key in your key vault.
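The four steps above (generate the KEK, download it, wrap with cssadmin, import the BYOK file) chained into one script, with the KEK strength rule from the cssadmin section checked before anything is created. This is an added example, not code from this guide or from the Cloud Integration Option Pack. It assumes that az is already logged in and cssadmin is on PATH, that the --key-type spellings (RSA2048, NISTP256, and so on) stand in for whatever cssadmin accepts, that the kid can be read from the create command's output with --query key.kid -o tsv, and that the strength figures follow NIST SP 800-57 Part 1 Rev. 5 (SECP256K1 is not tabulated there and is treated as a 256-bit curve with 128-bit strength).

```shell
#!/bin/sh
# Added example, not code from the Cloud Integration Option Pack guide.
# Chains the guide's four steps into one script and makes the KEK strength
# rule explicit before any key is created.
# Assumptions: `az` is logged in and `cssadmin` is on PATH; the --key-type
# spellings below (RSA2048, NISTP256, ...) are placeholders for whatever
# cssadmin accepts; strength figures follow NIST SP 800-57 Part 1 Rev. 5.

# Smallest RSA modulus (bits) giving a security strength, per SP 800-57 Table 2.
min_rsa_bits_for_strength() {
    case "$1" in
        112) echo 2048 ;;
        128) echo 3072 ;;
        192) echo 7680 ;;
        256) echo 15360 ;;
        *)   return 1 ;;
    esac
}

# Minimum KEK size (bits) for a target key type. An RSA target is matched by
# modulus size directly (same algorithm); an EC target goes through the RSA
# size that reaches its security strength. SECP256K1 is not tabulated by
# NIST; treating it like a 256-bit curve (128-bit strength) is an assumption.
min_kek_bits() {
    case "$1" in
        RSA2048) echo 2048 ;;
        RSA3072) echo 3072 ;;
        RSA4096) echo 4096 ;;
        NISTP256|SECP256K1) min_rsa_bits_for_strength 128 ;;
        NISTP384) min_rsa_bits_for_strength 192 ;;
        NISTP521) min_rsa_bits_for_strength 256 ;;
        *) echo "unknown target key type: $1" >&2; return 1 ;;
    esac
}

# Exit status 0 if a KEK of $1 bits is at least as strong as target type $2.
# Azure KEKs are 2048, 3072 or 4096 bits, so a target needing more than
# 4096 bits cannot be matched by any KEK and is rejected here.
kek_ok() {
    kek_bits="$1"; target="$2"
    need="$(min_kek_bits "$target")" || return 1
    if [ "$kek_bits" -ge "$need" ]; then
        return 0
    fi
    echo "KEK of $kek_bits bits is below the $need bits needed for $target" >&2
    return 1
}

# The guide's sequence: create KEK, download it, wrap with cssadmin, import.
# The az and cssadmin invocations are the forms shown in the guide; reading
# the kid with --query key.kid -o tsv from the create output is an assumption.
azure_byok() {
    vault="$1"; kek_name="$2"; kek_bits="$3"; key_name="$4"; key_type="$5"
    kek_ok "$kek_bits" "$key_type" || return 1
    kid="$(az keyvault key create --kty RSA-HSM --size "$kek_bits" \
        --name "$kek_name" --ops import --vault-name "$vault" \
        --query key.kid -o tsv)" || return 1
    az keyvault key download --name "$kek_name" --vault-name "$vault" \
        --file "$kek_name.publickey.pem" || return 1
    cssadmin microsoft-azure "$key_name" "$kek_name.publickey.pem" \
        --azure-kek "$kid" --key-type "$key_type" || return 1
    az keyvault key import --vault-name "$vault" --name "$key_name" \
        --byok-file "KeyTransferPackage-$key_name.byok"
}

# Usage: sh azure_byok.sh <vault> <KEK name> <KEK bits> <target key name> <target key type>
# Nothing runs when the script is sourced or invoked without arguments.
if [ "$#" -eq 5 ]; then
    azure_byok "$@"
fi
```

With the SP 800-57 figures, NISTP384 and NISTP521 targets call for an RSA KEK larger than the 4096-bit maximum Azure offers, so kek_ok refuses them rather than wrapping the key under a weaker KEK; if your policy uses a different strength mapping, change the two tables at the top.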