Azure Managed HSM

This tutorial uses Microsoft Azure’s Managed HSM ↗ — a FIPS 140-2 Level 3 certified implementation — to deploy a VM with the Keyless SSL daemon.

---

Before you start

Make sure you have:

• Followed Microsoft’s tutorial ↗ for provisioning and activating the managed HSM
• Set up a VM for your key server

---

1. Create a VM

Create a VM where you will deploy the keyless daemon.

---

2. Deploy the keyless server

Follow these instructions to deploy your keyless server.

---

3. Set up the Azure CLI

Set up the Azure CLI (used to access the private key).

For example, if you were using macOS:

brew install azure-cli

---

4. Set up the Managed HSM

1. Log in through the Azure CLI and create a resource group for the Managed HSM in one of the supported regions:

   az login
   az group create --name HSMgroup --location southcentralus

   Note

   For a list of supported regions, see the Microsoft documentation ↗.

2. Create, provision, and activate ↗ the HSM.

3. Add your private key to the keyvault, which returns the URI you need for Step 4:

   az keyvault key import --hsm-name "KeylessHSM" --name "hsm-pub-keyless" --pem-file server.key

4. If the key server is running in an Azure VM in the same account, use Managed services for authorization:

   1. Enable managed services on the VM in the UI.

   2. Give your service user (associated with your VM) HSM sign permissions

      az keyvault role assignment create  --hsm-name KeylessHSM --assignee $(az vm identity show --name "hsmtestvm" --resource-group "HSMgroup" --query principalId -o tsv) --scope / --role "Managed HSM Crypto User"

5. In the gokeyless YAML file, add the URI from Step 2 under private_key_stores. See our README ↗ for an example.

5. Restart gokeyless

Once you save the config file, restart gokeyless and verify that it started successfully:

sudo systemctl restart gokeyless.service
sudo systemctl status gokeyless.service -l