Azure Managed HSM
Before you start
Make sure you have:
1. Create a VM
Create a VM in the same Azure subscription as the Managed HSM; this is where you will deploy the keyless daemon (gokeyless).
2. Deploy the keyless server
3. Set up the Azure CLI
Set up the Azure CLI (used to create the Managed HSM resources, import the private key and grant the VM access to it). For example, on macOS:
$ brew install azure-cli
4. Set up the Managed HSM
Log in through the Azure CLI and create a resource group for the Managed HSM in one of the supported regions:
$ az login
$ az group create --name HSMgroup --location southcentralus
Import your private key into the Managed HSM. The command returns the key identifier (kid), a versioned URI of the form https://<hsm-name>.managedhsm.azure.net/keys/<key-name>/<version>; this is the key URI you will enter in the gokeyless config file:
$ az keyvault key import --hsm-name "KeylessHSM" --name "hsm-pub-keyless" --pem-file server.key
Importing means the private key has existed in the clear on the machine running the CLI, so delete server.key from that machine once the import succeeds; from then on every signature is produced inside the HSM and the key material does not leave it.
If the key server is running in an Azure VM in the same subscription, use a managed identity for authorization rather than a client secret stored on the VM:
- Enable a system-assigned managed identity on the VM (in the portal, or with az vm identity assign).
- Give that identity sign permission on the HSM. The Managed HSM Crypto User role includes sign. Note that --scope / covers every key in the HSM; if gokeyless only needs this one key, narrow the scope to /keys/hsm-pub-keyless.
$ az keyvault role assignment create --hsm-name KeylessHSM --assignee $(az vm identity show --name "hsmtestvm" --resource-group "HSMgroup" --query principalId -o tsv) --scope / --role "Managed HSM Crypto User"
5. Restart gokeyless
Once you have saved the config file, restart gokeyless and verify that it started successfully. The status output should show the unit as active (running); if it does not, the log lines printed by status -l show why it failed.
$ sudo systemctl restart gokeyless.service
$ sudo systemctl status gokeyless.service -l
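The following script is an added example, not code from Cloudflare or from the gokeyless project. It runs steps 3 and 4 above from one place, grants the VM's managed identity sign rights on only the imported key rather than on the whole HSM, prints the versioned key URI (kid) for the gokeyless config, and adds the check a practitioner wants before step 5: run on the VM, it obtains a token for Managed HSM from the instance metadata service with the managed identity and asks the HSM for one RS256 signature over a test digest, so an RBAC or key problem shows up as a clear error from the HSM instead of a failed gokeyless start. It assumes the Managed HSM KeylessHSM already exists and has been activated (the page does not show its creation), that az, curl and openssl are installed, and that the YAML keys in print_store_entry (private_key_stores / uri) match your gokeyless version; the resource and key names are the ones used on this page.

```sh
#!/bin/sh
# Added example (not Cloudflare's or gokeyless's own code). Drives steps 3-4 above
# from one script and, before gokeyless is restarted, proves from the VM that its
# managed identity can really sign with the imported key.
# Assumptions: the Managed HSM $HSM already exists and has been activated (the page
# does not show its creation); az, curl and openssl are installed; the YAML key
# names in print_store_entry follow the gokeyless README (private_key_stores/uri).
set -eu

RG="${RG:-HSMgroup}"
LOCATION="${LOCATION:-southcentralus}"
HSM="${HSM:-KeylessHSM}"
KEY="${KEY:-hsm-pub-keyless}"
VM="${VM:-hsmtestvm}"
PEM="${PEM:-server.key}"
API="api-version=7.4"

# base64url without padding (RFC 4648 section 5): the encoding Managed HSM's
# /sign endpoint expects for the digest and uses for the returned signature.
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }

# SHA-256 of stdin as raw bytes, base64url-encoded: the "value" of an RS256
# sign request. Only the digest travels to the HSM, never the data or the key.
digest_b64url() { openssl dgst -sha256 -binary | b64url; }

# Request body for POST {kid}/sign.
sign_request_json() { printf '{"alg":"%s","value":"%s"}' "$1" "$2"; }

# Managed HSM local RBAC scope for a single key. The page grants --scope /
# (every key in the HSM); this limits the VM to the one key gokeyless serves.
key_scope() { printf '/keys/%s' "$1"; }

# gokeyless config fragment pointing at the key by its versioned URI (kid).
print_store_entry() { printf 'private_key_stores:\n  - uri: %s\n' "$1"; }

# Steps 3-4: run from the operator's workstation.
setup() {
  az login
  az group create --name "$RG" --location "$LOCATION"
  # Importing means server.key has been in the clear on this machine; shred it
  # afterwards. Generating the key inside the HSM instead
  # (az keyvault key create --hsm-name "$HSM" --name "$KEY" --kty RSA-HSM)
  # avoids that exposure but requires a new CSR and certificate.
  az keyvault key import --hsm-name "$HSM" --name "$KEY" --pem-file "$PEM"
  # System-assigned managed identity on the VM, then sign rights on this key only.
  az vm identity assign --name "$VM" --resource-group "$RG"
  principal=$(az vm identity show --name "$VM" --resource-group "$RG" \
    --query principalId -o tsv)
  az keyvault role assignment create --hsm-name "$HSM" --assignee "$principal" \
    --scope "$(key_scope "$KEY")" --role "Managed HSM Crypto User"
  # kid is the versioned key URI to put in the gokeyless config.
  kid=$(az keyvault key show --hsm-name "$HSM" --name "$KEY" --query key.kid -o tsv)
  print_store_entry "$kid"
}

# Run ON the VM before restarting gokeyless: get a token for Managed HSM from
# IMDS using the managed identity and ask the HSM for one RS256 signature.
# A response carrying "value" proves identity, role and key are wired up;
# anything else is the HSM's error body (for example a Forbidden from RBAC).
verify_from_vm() {
  kid="$1"
  token=$(curl -fsS -H 'Metadata: true' \
    'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagedhsm.azure.net' \
    | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')
  digest=$(printf 'keyless-smoke-test' | digest_b64url)
  resp=$(curl -sS -X POST -H "Authorization: Bearer $token" \
    -H 'Content-Type: application/json' \
    --data "$(sign_request_json RS256 "$digest")" "$kid/sign?$API")
  case "$resp" in
    *'"value"'*) echo "OK: managed identity can sign with $kid" ;;
    *) echo "FAIL: $resp" >&2; return 1 ;;
  esac
}

case "${1:-}" in
  setup)  setup ;;
  verify) verify_from_vm "${2:?usage: $0 verify <key-uri>}" ;;
  *)      echo "usage: $0 setup | verify <key-uri>" ;;
esac
```

Run `./hsm-setup.sh setup` on the workstation, paste the printed private_key_stores entry into the gokeyless config, copy the script to the VM and run `./hsm-setup.sh verify <kid>` there; only once that prints OK is it worth restarting gokeyless. The verify step talks to the same IMDS and HSM endpoints gokeyless will use, so a Forbidden here means the role assignment (or its scope) is wrong, and a 401 means the managed identity is not enabled on the VM.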