Azure Managed HSM
This tutorial uses Microsoft Azure's Managed HSM, a FIPS 140-2 Level 3 validated HSM service, to hold the private key for a VM running the Keyless SSL daemon (gokeyless). The key is generated or imported inside the HSM and never leaves it; gokeyless forwards each TLS signing operation to the HSM over the Azure Key Vault API.
Make sure you have:
- Followed Microsoft's tutorial for provisioning and activating the Managed HSM
- Created a VM in the same subscription to host your key server (the keyless daemon is deployed on this VM)
Follow these steps to deploy your keyless server.
1. Set up the Azure CLI (used to import the private key and to grant the VM access to it). For example, on macOS install it with Homebrew.
2. Log in through the Azure CLI and create a resource group for the Managed HSM in one of the supported regions.
3. Create, provision, and activate the HSM.
4. Import your private key into the Managed HSM. The import command returns the key's URI (its kid), which is the value you add to the gokeyless configuration in the last step.
5. If the key server is running in an Azure VM in the same subscription, use a managed identity for authorization instead of storing a client secret on the VM:
   1. Enable a system-assigned managed identity (formerly called a managed service identity) on the VM in the portal.
   2. Give that identity sign permission on the key. Managed HSM uses its own local RBAC, separate from Azure RBAC, so assign the role with the Managed HSM role-assignment command and scope it to the single key rather than to the whole HSM.
6. In the gokeyless YAML file, add the key URI from the import step under private_key_stores. See our README for an example.
Once you save the config file, restart gokeyless and verify that it started successfully.
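The procedure above as one script, added here as an example; it is not the page's own command listing or code from the gokeyless project. The resource group, HSM, key, VM and region names are hypothetical, the az subcommands are the standard Azure CLI ones, and the shape of the private_key_stores entry is an assumption to compare against the gokeyless README. The az calls run only when RUN_AZ=1 is set; the URI check and config rendering run offline.

```shell
#!/bin/sh
# Added example; not from the Cloudflare page or the gokeyless project.
# Hypothetical names: resource group kss-rg, HSM kss-mhsm, key keyless-rsa,
# VM kss-vm, region westus3. The az commands only run when RUN_AZ=1 is set.
set -eu

RG="${RG:-kss-rg}"
HSM="${HSM:-kss-mhsm}"
KEY="${KEY:-keyless-rsa}"
VM="${VM:-kss-vm}"
LOCATION="${LOCATION:-westus3}"

# Step 2: sign in and create the resource group that will hold the HSM.
create_group() {
  az login >/dev/null
  az group create --name "$RG" --location "$LOCATION" >/dev/null
}

# Step 4: import an existing PEM private key into the HSM and print its kid URI,
# which is the value gokeyless needs under private_key_stores.
import_key() {
  az keyvault key import --hsm-name "$HSM" --name "$KEY" --pem-file "$1" \
    --query key.kid -o tsv
}

# Step 5a: turn on a system-assigned managed identity for the VM; prints its object id.
enable_identity() {
  az vm identity assign --resource-group "$RG" --name "$VM" \
    --query systemAssignedIdentity -o tsv
}

# Step 5b: Managed HSM local RBAC. "Managed HSM Crypto User" permits sign/decrypt
# with the key; scoping to /keys/$KEY keeps the VM from using any other key.
grant_sign() {
  az keyvault role assignment create --hsm-name "$HSM" \
    --role "Managed HSM Crypto User" --assignee-object-id "$1" \
    --scope "/keys/$KEY" >/dev/null
}

# Offline check that a string is a Managed HSM key URI before it goes into the config.
# A vault.azure.net URI is a software Key Vault key, not the HSM, so it is rejected.
is_mhsm_key_uri() {
  case "$1" in
    https://*.managedhsm.azure.net/keys/*/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Step 6: render the private_key_stores fragment for the gokeyless YAML file
# (entry shape assumed; compare with the project's README).
render_config() {
  is_mhsm_key_uri "$1" || { echo "not a Managed HSM key URI: $1" >&2; return 1; }
  printf 'private_key_stores:\n  - uri: %s\n' "$1"
}

if [ "${RUN_AZ:-0}" = 1 ]; then
  create_group
  KID=$(import_key "${PEM_FILE:-./keyless.key}")
  PRINCIPAL=$(enable_identity)
  grant_sign "$PRINCIPAL"
  render_config "$KID"            # paste into the gokeyless YAML file
  sudo systemctl restart gokeyless.service
  sudo systemctl status gokeyless.service --no-pager
fi
```

Run it once with RUN_AZ=1 from a workstation that is logged in with rights over the subscription; the VM itself only ever holds the managed identity, never a credential for the HSM. If the status check shows gokeyless failed to start, the usual causes are a URI copied from a Key Vault rather than the Managed HSM, or a role assignment scoped to the wrong key.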