Configure an Azure Key Vault for Customer Managed Keys

Last update: 2025-01-13

Customer Managed Keys (CMK) support keys from both Microsoft Azure Key Vaults and AWS Key Management Service (KMS). If your implementation is hosted on Azure, follow the steps below to create a Key Vault. For AWS-hosted implementations, refer to the AWS KMS configuration guide.

IMPORTANT

Only the Standard, Premium, and Managed HSM tiers for Azure Key Vault are supported. Azure Dedicated HSM and Azure Payments HSM are not supported. Refer to the Azure documentation for more information on offered key management services.

NOTE

The documentation below only covers the basic steps to create the Key Vault. Outside of this guidance, you should configure the Key Vault as per your organization’s policies.

Log in to the Azure portal and use the search bar to locate Key vaults under the list of services.

The search feature in Microsoft Azure with Key vaults highlighted in the search results.

The Key vaults page appears after selecting the service. From here, select Create.

The Key vaults dashboard in Microsoft Azure with Create highlighted.

Using the provided form, fill in the basic details for the Key Vault, including a name and an assigned resource group.

WARNING

While most options can be left as their default values, make sure that you enable the soft-delete and purge protection options. If you do not turn on these features, you could risk losing access to your data if the Key Vault is deleted.

The Microsoft Azure Create a Key Vault workflow with soft delete and purge protection highlighted.

From here, continue going through the Key Vault creation workflow and configure the different options according to your organization’s policies.

Once you arrive at the Review + create step, you can review the details of the Key Vault while it goes through validation. Once validation passes, select Create to complete the process.

The Microsoft Azure Key vaults Review and create page with Create highlighted.

Configure access

Next, enable Azure role-based access control for your key vault. Select Access configuration in the Settings section of the left navigation, then select Azure role-based access control to enable the setting. This step is required because the CMK App must later be associated with an Azure role. Assigning a role is documented in both the API and UI workflows.

The Microsoft Azure dashboard with Access configuration and Azure role-based access control highlighted.

Configure networking options

If your Key Vault is configured to restrict public access to certain virtual networks or disable public access entirely, you must grant Microsoft a firewall exception.

Select Networking in the left navigation. Under Firewalls and virtual networks, select the checkbox Allow trusted Microsoft services to bypass this firewall, then select Apply.

The Networking tab of Microsoft Azure with Networking and the Allow trusted Microsoft services to bypass this firewall exception highlighted.

Generate a key

Once you have created a Key Vault, you can generate a new key. Navigate to the Keys tab and select Generate/Import.

The Keys tab of Azure with Generate import highlighted.

Use the provided form to enter a name for the key, and select either RSA or RSA-HSM as the key type. For Azure-hosted implementations, the RSA key size must be at least 3072 bits, as required by Azure Cosmos DB. Azure Data Lake Storage is also compatible with RSA 3072.

NOTE

Remember the name that you provide for the key, as it is required to send the key to Adobe.

Use the remaining controls to configure the key you want to generate or import as desired. When finished, select Create.

The Create a key dashboard with 3072 bits highlighted.

The configured key appears in the list of keys for the vault.

The Keys workspace with the key name highlighted.
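The portal steps above (vault creation with purge protection and RBAC, the trusted-services firewall bypass, and a 3072-bit RSA key), expressed as Azure CLI calls. This is an added example and not part of the original guide; the resource group, vault name, region and key name are placeholders, and DRY_RUN=1 (the default) prints each command instead of executing it so the commands can be reviewed before they touch a subscription.

```shell
#!/usr/bin/env bash
# Added example: Azure CLI equivalent of the portal workflow on this page.
# All names are assumed placeholders; override them via the environment.
set -eu

RG="${RG:-cmk-rg}"                 # placeholder resource group
VAULT="${VAULT:-cmk-kv-example}"   # placeholder vault name (must be globally unique)
LOCATION="${LOCATION:-eastus}"     # placeholder region
KEY_NAME="${KEY_NAME:-cmk-key}"    # remember this name; it is the one sent to Adobe
DRY_RUN="${DRY_RUN:-1}"            # 1 = print commands only, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 1: create the vault with Azure RBAC and purge protection enabled.
# Soft delete is on by default for new vaults; purge protection must be set
# explicitly and cannot be turned off again once enabled.
create_vault() {
  run az keyvault create --name "$VAULT" --resource-group "$RG" --location "$LOCATION" \
    --enable-rbac-authorization true --enable-purge-protection true --retention-days 90
}

# Step 2: when public access is denied, let trusted Microsoft services bypass the firewall.
restrict_network() {
  run az keyvault update --name "$VAULT" --resource-group "$RG" \
    --default-action Deny --bypass AzureServices
}

# Step 3: generate the 3072-bit RSA key (use --kty RSA-HSM on Premium or Managed HSM tiers).
create_key() {
  run az keyvault key create --vault-name "$VAULT" --name "$KEY_NAME" --kty RSA --size 3072
}

# Post-check: read back the settings the WARNING above depends on.
verify_vault() {
  run az keyvault show --name "$VAULT" --resource-group "$RG" -o json \
    --query "{rbac:properties.enableRbacAuthorization,purge:properties.enablePurgeProtection,softDelete:properties.enableSoftDelete,bypass:properties.networkAcls.bypass}"
}

main() { create_vault; restrict_network; create_key; verify_vault; }
main
```

Run with DRY_RUN=0 once the printed commands look right; the final az keyvault show should report rbac, purge and softDelete as true and bypass as AzureServices.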

Next steps

To continue the one-time process for setting up the Customer Managed Keys feature, follow the setup guides for your platform’s hosting environment:
