Azure KMS

To set up Akeyless KMS Integration with Azure KMS, follow these steps:

  1. Create a new Azure Target in the Akeyless Platfrom. You can do it either from the Akeyless CLI or in the Akeyless Console. Make sure you have an Azure Key Vault to target.



Remember to give the Azure Target the Key Vault Administrator permissions to manage the Azure Key Vault.

  1. Create a Classic Key in the Akeyless Platform. You can do it either from the Akeyless CLI or in the Akeyless console. Alternatively, You can also use an existing Classic Key if it fits the target's accepted algorithm types.

Azure supports the following algorithm types: RSA1024, RSA2048, RSA3072, RSA4096, EC256, EC384.

For RSA keys, allowed key operations are: decrypt, encrypt, sign, unwrap, verify, wrap.

For EC keys, allowed key operations are: sign, verify.



Any classic key will be protected using the Akeyless DFC key (you can select a DFC key with Zero-Knowledge Encryption).

  1. Associate the key with the Azure Target. When you attach a key, a copy of the key material is securely transferred to the Azure Key Vault KMS by its key import specification.

If you are using the CLI in order to associate the key and the target, please note to use all of the Azure mandatory parameters as described in the CLI Reference:

  • vault-name: The name of the Azure Vault you are targeting.
  • key-operations: An array with allowed operations
akeyless assoc-target-item --target-name azurev --name classickey --vault-name myvault --key-operations sign