Azure Rights Management enables BYOK according to a model that Microsoft calls customer-managed tenant keys. This requires a customer to create an RSA 2048-bit key in their HSM and then export the key to the HSM in Microsoft's data center. This RSA key is then used to encrypt the document encryption keys used by Azure RMS. RSA 2048-bit keys correspond to 112-bit AES keys. This means that the AES 256-bit encryption provided by Azure RMS is really only 112 bits. The US government has advised against the use of AES encryption keys below 256 bits.
Overview about the necessary steps:
- Create an HSM-based Azure Key Vault for a specific Azure region.
- Generate your own key according to your IT policies. This requires e.g. Thales HSM, smartcards and support software.
- Transfer the key from an HSM in your possession to HSMs owned and managed by Microsoft as provided by Azure Key Vault for your vault. This process ensures that your key never leaves the hardware protection boundary.
- When you transfer your key to Microsoft, it remains protected by Thales HSMs. Microsoft has worked with Thales to ensure that the key cannot be recovered from Microsoft HSMs, and certificates are provided to ensure this.
- Configuring Azure Information Protection to use the HSM-based key
- Azure Key Vault's real-time usage protocols are available as an option. These can also be applied to BYOK to see exactly how and when the key is used with Azure Key Vault. Blob storage is required to store the logs.
BYOK vs. HYOK
The two scenarios and implementation differ fundamentally. HYOK is a kind of Azure RMS hybrid scenario. More details: https://docs.microsoft.com/de-de/azure/information-protection/faqs-rms#whats-the-difference-between-byok-and-hyok-and-when-should-i-use-them
Prerequisites, Restrictions & Limitations
- To use keys with AIP stored in HSMs in the Azure Key Vault, Azure Information Protection Premium P1 licenses are required. | https://azure.microsoft.com/en-us/pricing/details/information-protection/
- Premium tariff of Azure Key Vault to use an HSM-protected key | https://azure.microsoft.com/en-us/pricing/details/key-vault/ | Azure Key Vault is a hardware security module (HSM) provided as a service.
- BYOK goes with Office 2019, Office 2016 and Office 2013
- If you first used Azure Information Protection with a client key managed by Microsoft and now want to manage your client key yourself (BYOK), the previously protected documents and emails remain accessible via an archived key.
- Generation and transfer of HSM-protected keys for the Azure key safe | https://docs.microsoft.com/en-us/azure/key-vault/key-vault-hsm-protected-keys#prerequisites-for-byok
- (technical) requirements for BYOK: https://docs.microsoft.com/en-us/azure/information-protection/plan-implement-tenant-key#prerequisites-for-byok
- Your Azure Information Protection client must have an Azure subscription.
- You must have Azure Key Vault's premium to use an HSM-protected key.
- To use an HSM-protected key that you create locally:
- All requirements listed for Key Vault-BYOK:
- Azure subscription
- Azure Key Vault "Premium" service level to support HSM-protected keys
- nCipher nShield HSMs, smart cards and support software. For more information about nCipher nShield Hardware Security Module (HSM) support and how to use it with Azure Key Vault, visit the nCipher website and see: Bring Your Own Key (BYOK) with Azure Key Vault for Office 365 and Azure - Toolset
- Hardware and software requirements:
- An x64 workstation in offline mode with a minimum Windows 7 operating system and nCipher nShield software version 11.50 or higher.
- If this workstation is running Windows 7, you must install Microsoft .NET Framework 4.5.
- A workstation that is connected to the Internet, has a Windows 7 or later operating system, and has Azure PowerShell (version 1.1.0 or later) installed on it.
- A USB drive or other portable storage device with at least have 16 MB of free disk space.
- If the key safe that should contain your client key uses virtual network service endpoints for Azure Key Vault, allow trusted Microsoft services to bypass this firewall.
- The Azure Rights Management administration module for Windows PowerShell.
- Backup and restore of the client key: https://docs.microsoft.com/en-us/azure/information-protection/operations-customer-managed-tenant-key
Support and SLA
- Support for billing and subscription management is provided free of charge.
- Technical support is available through various Azure support models from €24.456/month for Developer and €84.33/month in the Standard version.
- SLA: Microsoft guarantees that in at least 99.9% of cases, Key Vault transaction requests will be processed within 5 seconds.
Call to Action
- Evaluate the actual advantages and disadvantages of BYOK in the context of your requirements and specifications in detail with the data protection officer and the involved departments.
- Calculate the costs for the implementation, the required services and hardware as well as the operating costs. Based on this, you create a cost-benefit analysis.
- Do you have other services that are already using BYOK with Azure?Did you use your own key for other scenarios and therefore want to implement AIP BYOK as well?
- Does HYOK meet your requirements better?