Asad-7269 asked YadavVipin-0237 commented

How to share a key from one Azure Key Vault under a subscription to another Azure Key Vault in another subscription

Hi,

We have one subscription in Azure cloud and we have set up Azure Key Vault. We can create keys there and use one of the keys to encrypt the disks of a virtual machine running in our subscription.

Our customer has their own Azure cloud subscription and, for security and compliance purposes, their requirement is that they must hold control of the key being used to encrypt the disks of the virtual machine in our subscription. For this we both have Azure Key Vault with the Premium tier, and I was wondering if there is any guide which points out how to use Azure Key Vault HSM from the customer's subscription to create keys in our subscription.

https://docs.microsoft.com/en-us/azure/key-vault/managed-hsm/hsm-protected-keys-byok

The above guide points out some of the vendors and how to use the BYOK tool to transfer keys from an HSM into Azure Key Vault.

We are looking for a way to use Azure Key Vault HSM from the customer's subscription to create keys in our Azure Key Vault, which we can then use to encrypt disks in our subscription.


Many thanks,

Asad

azure-key-vault azure-disk-encryption

@Asad-7269
Thank you for your post!

To make sure I understand your issue, are you trying to only use one Key to encrypt a VM in multiple subscriptions/across tenants? For example, you'd bring your own Key from on-prem, store it in the Key Vault within one subscription, encrypt a VM, and then move that same key to another KV within a different subscription/tenant to encrypt another VM?


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Hi @JamesTran-MSFT : Thanks for your reply.

This scenario is for 2 different tenants (Subscription A in tenant ABC and Subscription B in tenant XYZ).

Here is the scenario.

ABC (this tenant will be running the virtual machine in its Azure cloud subscription for XYZ)

XYZ (wants the virtual machine running in the Azure cloud subscription in ABC to be encrypted with a key provided by XYZ)

We have done some research and found out that Azure Key Vault BYOK can be used to import/bring keys into ABC if XYZ has an on-prem HSM solution from one of the vendors mentioned here.

https://docs.microsoft.com/en-gb/azure/key-vault/keys/hsm-protected-keys-byok#supported-hsms

In this case XYZ also has Key Vault HSM and would like to send/share a key created in their subscription with ABC so that ABC can use this shared or imported key to encrypt disks for the virtual machine.

In AWS cloud you can allow a user in another account cross-account access to a KMS key.

https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html

We are looking for a similar solution in Azure cloud.


1 Answer

JamesTran-MSFT answered YadavVipin-0237 commented

@Asad-7269
Thank you for following up with this and for providing clarification on your specific scenario!

I reached out to our Encryption PG team and when it comes to the Azure Key Vault and Key/Secret sharing between different tenants or subscriptions to encrypt VMs, this currently isn't supported. As of right now, your key vault and VMs must be in the same subscription. Also, to ensure that encryption secrets don't cross regional boundaries, Azure Disk Encryption requires the Key Vault and the VMs to be co-located in the same region.

With the above prerequisite, you'll have to create and use a Key Vault that is in the same subscription and region as the VMs to be encrypted. For more info, see the additional links below.

Additional Links:
Azure Disk Encryption scenarios on Windows VMs
Create and configure a key vault for Azure Disk Encryption on a Windows VM
Azure Disk Encryption Unsupported scenarios


Since Key sharing isn't possible, I'd recommend leveraging our User Voice forum and creating a feature request, so our engineering team can look into implementing this. I'll also create an internal feature request, so our engineering team is aware of this as well.


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
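A pre-flight check for the prerequisite stated in this answer (an added example, not code from the original thread or from Microsoft): it parses the ARM resource IDs of the VM and the Key Vault and reports any subscription or region mismatch before you try to enable Azure Disk Encryption. The dict shape for resource metadata and the sample IDs are constructed assumptions.

```python
"""Pre-flight check for the Azure Disk Encryption prerequisite:
the VM and the Key Vault must be in the same subscription and region.
Resource metadata is constructed inline so this runs offline; in practice it
would come from the ARM API (assumed here to be the shape of `az resource show`)."""
import re

# ARM resource ID layout: /subscriptions/<sub>/resourceGroups/<rg>/providers/<namespace>/<type>/<name>
_ARM_ID = re.compile(
    r"^/subscriptions/(?P<subscription>[^/]+)"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/(?P<provider>[^/]+)/(?P<type>[^/]+)/(?P<name>[^/]+)$",
    re.IGNORECASE,
)


def parse_resource_id(resource_id):
    """Split an ARM resource ID into its components; raise on malformed input."""
    m = _ARM_ID.match(resource_id)
    if not m:
        raise ValueError(f"not an ARM resource ID: {resource_id!r}")
    return m.groupdict()


def ade_colocation_problems(vm, vault):
    """Return the prerequisite violations for encrypting `vm` with `vault`.

    `vm` and `vault` are dicts with keys 'id' and 'location' (assumed shape).
    An empty list means the VM and vault are co-located as required."""
    vm_parts, vault_parts = parse_resource_id(vm["id"]), parse_resource_id(vault["id"])
    problems = []
    if (vault_parts["provider"].lower(), vault_parts["type"].lower()) != ("microsoft.keyvault", "vaults"):
        problems.append("vault id does not refer to a Microsoft.KeyVault/vaults resource")
    if vm_parts["subscription"].lower() != vault_parts["subscription"].lower():
        problems.append("VM and Key Vault are in different subscriptions")
    if vm["location"].lower() != vault["location"].lower():
        problems.append("VM and Key Vault are in different regions")
    return problems


# Constructed sample metadata: subscription IDs, groups and names are placeholders.
SUB_ABC = "11111111-1111-1111-1111-111111111111"
SUB_XYZ = "22222222-2222-2222-2222-222222222222"
VM_ABC = {"id": f"/subscriptions/{SUB_ABC}/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm01",
          "location": "westeurope"}
VAULT_ABC = {"id": f"/subscriptions/{SUB_ABC}/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-abc",
             "location": "westeurope"}
VAULT_XYZ = {"id": f"/subscriptions/{SUB_XYZ}/resourceGroups/rg-cust/providers/Microsoft.KeyVault/vaults/kv-xyz",
             "location": "northeurope"}

if __name__ == "__main__":
    for label, vault in (("own vault", VAULT_ABC), ("customer vault", VAULT_XYZ)):
        print(label, ade_colocation_problems(VM_ABC, vault) or ["ok"])
```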


In the article it is mentioned that different tenants or regions are unsupported.

"To ensure that encryption secrets don't cross regional boundaries, you must create and use a key vault that is in the same region and tenant as the VMs to be encrypted."

There's no mention of different subscriptions in the same tenant being unsupported.
