Creating a CloudKey for Azure

Before you can create a CloudKey, you must have created a Key Set. See Creating a Key Set.

  1. Log into the KeyControl Vault for Cloud Keys webGUI using an account with Cloud Admin privileges.

  2. In the top menu bar, click CloudKeys.
  3. Click the CloudKeys tab and select the Key Set, the Type, and either the Key Vault or Managed HSM, depending on your choice. If you selected DKE Keys, there are no further selections.

    Note: If you do not finish the selections on the CloudKeys page, you will need to add them on the Details tab of the Create CloudKey dialog box.

  4. Select Actions > Create CloudKey.
  5. On the Details tab of the Create CloudKey dialog box, enter the following:

    Field                       Description
    Key Vault or Managed HSM    If you did not finish selecting the Key Set prompts, you will need to select the Key Vault or Managed HSM here.
    Name                        Enter the name for the CloudKey.
    Description                 Enter the optional description for the CloudKey.

  6. Click Continue.
  7. On the Access tab, enter the following:

    Field                                      Description
    Hardware Protected                         Select whether or not to create a hardware protected key in Azure. For premium vaults only. This field is visible only for CloudKeys of type Key Vault and DKE Keys.
    Cipher                                     Select the RSA or EC key that you want to use. For DKE keys, only RSA is supported.
    Permitted operations (for Key Vault only)  Check the checkboxes for the allowed key operations.
    Azure Accounts (for DKE Keys only)         Select Allow all or Specific tenants.

  8. Click Continue.
  9. On the Schedule tab, determine the rotation schedule for the CloudKey. This can be one of the following: 

    • Inherit from Key Set—The CloudKey will use the default schedule from the Key Set. If the Key Set schedule changes after the CloudKey is created, the CloudKey schedule will not be updated.
    • Never—The CloudKey will never be rotated.
    • Once a year—The CloudKey will be rotated once a year.
    • Every 6 months—The CloudKey will be rotated once every 6 months.
    • Every 30 days—The CloudKey will be rotated once every 30 days.
    • Other—The CloudKey will be rotated at the interval you select.
  10. Select the Activation Date for the CloudKey.

  11. Choose when the CloudKey should expire. This can be Never, or you can choose a specific date.

    Important: Once you set an expiration date, you cannot change the value back to Never.

  12. If you selected an expiration date, choose the Expire Action to define what happens to the CloudKey when it expires. This can be one of the following:

    • Disable—The key will remain in the cloud, but is disabled and cannot be used by any applications.

    • Delete—The key is disabled in the cloud and cannot be used by any applications. You can set the date when the key is permanently deleted.

    • Delete from Cloud—Removes the key material from the KMS, and applications can no longer use this key from the cloud. However, KeyControl retains a copy of the key which can be uploaded back to the cloud.

    Note: When the CloudKey expires, the selected Expire Action is performed on the key. KeyControl handles the expiry date and expire action; the expire date is not set in the cloud service provider.

  13. Click Apply.
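After the CloudKey has been created, it is worth confirming that the key as it exists in Azure matches the Hardware Protected, Cipher and Permitted operations choices made on the Details and Access tabs. The following is an added example, not part of this documentation or the product: it audits a JSON document shaped like the output of `az keyvault key show` (assumed field names: key.kty, key.keyOps, attributes.expires) against those choices. The sample JSON is constructed.

```python
import json

# Constructed sample shaped like `az keyvault key show` JSON output
# (assumption: the CLI reports key.kty, key.keyOps and attributes.expires).
SAMPLE_KEY_JSON = """
{
  "key": {
    "kid": "https://example-vault.vault.azure.net/keys/cloudkey-01/0123456789abcdef",
    "kty": "RSA-HSM",
    "keyOps": ["encrypt", "decrypt", "wrapKey", "unwrapKey"]
  },
  "attributes": {"enabled": true, "expires": null, "notBefore": "2024-01-01T00:00:00+00:00"}
}
"""

def audit_cloudkey(key_doc, hardware_protected, cipher, permitted_ops):
    """Return a list of findings; an empty list means the Azure key matches
    the Details/Access choices made for the CloudKey."""
    findings = []
    key = key_doc["key"]
    # Hardware Protected corresponds to the "-HSM" key types (RSA-HSM, EC-HSM).
    expected_kty = cipher + ("-HSM" if hardware_protected else "")
    if key.get("kty") != expected_kty:
        findings.append(f"key type is {key.get('kty')!r}, expected {expected_kty!r}")
    # Permitted operations: any operation beyond the ticked checkboxes is a finding.
    extra = set(key.get("keyOps") or []) - set(permitted_ops)
    if extra:
        findings.append(f"unexpected key operations enabled in Azure: {sorted(extra)}")
    # Expiry is enforced by KeyControl, not by Azure, so an unset 'expires' is
    # normal; a value here was set outside the KeyControl workflow.
    if key_doc.get("attributes", {}).get("expires") is not None:
        findings.append("an expiry is set in Azure; KeyControl enforces its own "
                        "expire date and Expire Action independently")
    return findings

def audit_sample(hardware_protected=True, cipher="RSA",
                 permitted_ops=("encrypt", "decrypt", "wrapKey", "unwrapKey")):
    """Run the audit against the constructed sample document."""
    return audit_cloudkey(json.loads(SAMPLE_KEY_JSON), hardware_protected, cipher, permitted_ops)

if __name__ == "__main__":
    for line in audit_sample() or ["OK: Azure key matches the CloudKey settings"]:
        print(line)
```

Replace SAMPLE_KEY_JSON with the real `az keyvault key show --vault-name <vault> --name <key>` output to audit a key you created.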