| pcx_content_type | title | weight |
|---|---|---|
tutorial |
Azure Managed HSM |
4 |
This tutorial uses Microsoft Azure’s Managed HSM — a FIPS 140-2 Level 3 certified implementation — to deploy a VM with the Keyless SSL daemon.
Make sure you have:
- Followed Microsoft's tutorial for provisioning and activating the managed HSM
- Set up a VM for your key server
Create a VM where you will deploy the keyless daemon.
Follow these instructions to deploy your keyless server.
Set up the Azure CLI (used to access the private key).
For example, if you were using macOS:
brew install azure-cli
-
Log in through the Azure CLI and create a resource group for the Managed HSM in one of the supported regions:
$ az login $ az group create --name HSMgroup --location southcentralus {{<Aside type="note" header="Note:">}}For a list of supported regions, see the Microsoft documentation. {{}}
-
Create, provision, and activate the HSM.
-
Add your private key to the
keyvault, which returns the URI you need for Step 4:$ az keyvault key import --hsm-name "KeylessHSM" --name "hsm-pub-keyless" --pem-file server.key -
If the key server is running in an Azure VM in the same account, use Managed services for authorization:
-
Enable managed services on the VM in the UI.
-
Give your service user (associated with your VM) HSM sign permissions
$ az keyvault role assignment create --hsm-name KeylessHSM --assignee $(az vm identity show --name "hsmtestvm" --resource-group "HSMgroup" --query principalId -o tsv) --scope / --role "Managed HSM Crypto User"
-
-
In the
gokeylessYAML file, add the URI from Step 2 underprivate_key_stores. See our README for an example.
Once you save the config file, restart gokeyless and verify that it started successfully:
$ sudo systemctl restart gokeyless.service
$ sudo systemctl status gokeyless.service -l