Ranger KMS

Integrate with Azure Key Vault

This topic shows how to configure Ranger Key Management Storage (KMS) system with Azure Key Vault to enable the use of data encryption. The master key for the encryption is created within the KMS and stored in Azure Key Vault. This section describes how to set up the connection from Ranger KMS to the Azure Key Vault to store the master key in the Azure key vault instead of the Ranger database.

Note: You can manually move the Ranger KMS from the Ranger database to the Azure Key Vault. For more information, refer to Migrate Ranger KMS Master Key

Prerequisites

• If the authentication is done without SSL enabled, get the Key Vault URL, ClientId and Client Secret by following the steps in this topic, Connect with a Client ID and Client Secret.

• If the authentication is done with SSL enabled, get the Key Vault URL, ClientId and Certificate by following the steps in this topic, Connect with a Client ID and Certificate.

• Configure Privacera Cryptography with Ranger KMS. For more information, refer to Privacera Cryptography with Ranger KMS.

Configuration

1. SSH to instance as  ${USER}

2. Run the following commands.

   cd ~/privacera/privacera-manager
   cp config/sample-vars/vars.crypto.azurekeyvault.yml config/custom-vars/
   vi config/custom-vars/vars.crypto.azurekeyvault.yml
   

3. Edit the following properties.

   AZURE_KEYVAULT_SSL_ENABLED: "<PLEASE_CHANGE>"
   AZURE_KEYVAULT_CLIENT_ID: "<PLEASE_CHANGE>"
   AZURE_KEYVAULT_CLIENT_SECRET: "<PLEASE_CHANGE>"
   AZURE_KEYVAULT_CERT_FILE: "<PLEASE_CHANGE>"
   AZURE_KEYVAULT_CERTIFICATE_PASSWORD: "<PLEASE_CHANGE>"
   AZURE_KEYVAULT_MASTERKEY_NAME: "<PLEASE_CHANGE>"
   AZURE_KEYVAULT_MASTER_KEY_TYPE: "<PLEASE_CHANGE>"
   AZURE_KEYVAULT_ZONE_KEY_ENCRYPTION_ALGO: "<PLEASE_CHANGE>"
   AZURE_KEYVAULT_URL: "<PLEASE_CHANGE>"
   

   
   

   Property	Description	Example
   AZURE_KEYVAULT_SSL_ENABLED	Activate Azure Key Vault.	true
   AZURE_KEYVAULT_CLIENT_ID	Get the ID by following the Pre-requisites section above.	50fd7ca6-xxxx-xxxx-a13f-1xxxxxxxx
   AZURE_KEYVAULT_CLIENT_SECRET	Get the client secret by following the Pre-requisites section above.	<AzureKeyVaultPassword>
   AZURE_KEYVAULT_CERT_FILE	Get the file by following the Pre-requisites section above.  Ensure the file is copied in the config/ssl folder, and give it a name.	azure-key-vault.pem
   AZURE_KEYVAULT_CERTIFICATE_PASSWORD	Get the value by following the Pre-requisites section above.	certPass
   AZURE_KEYVAULT_MASTERKEY_NAME	Enter the name of the master key. A key with this name will be created in Azure Key Vault.	RangerMasterKey
   AZURE_KEYVAULT_MASTER_KEY_TYPE	Enter a type of master key. Values: RSA, RSA_HSM, EC, EC_HSM, OCT	RSA
   AZURE_KEYVAULT_ZONE_KEY_ENCRYPTION_ALGO	Enter an encryption algorithm for the master key. Values: RSA_OAEP, RSA_OAEP_256, RSA1_5, RSA_OAEP	RSA_OAEP
   AZURE_KEYVAULT_URL	Get the URL by following the Pre-requisites section above.	https://keyvault.vault.azure.net/

4. Run the following commands.

   cd ~/privacera/privacera-manager
   ./privacera-manager.sh update
   

---

Last update: July 23, 2021