How can I unlock an AIX encrypted volume with a key stored on Azure Key Vault?

Matthew Nakama 0

Hello, I'd like to know if it's possible to manage AIX (and IBMi) encryption keys via Azure Key Vault. Is it possible with AIX hdcryptmgr or keysvrmgr? I'm having trouble finding documentation on how to do this. I did find linux documentation, but it just says that Azure will handle it automatically, without any info on how one would configure dm-crypt to query the keys from Key Vault.

Nehruji R 7,391 Reputation points Microsoft Vendor

2024-09-16T07:35:02.88+00:00
Hello Matthew Nakama,

Greetings! Welcome to Microsoft Q&A Forum.

Yes, you can store and manage the encryption keys via Azure Key Vault. The article one describes in depth how customer managed keys work, whereas the article second does the same for customer provided keys.

When you use a customer manager key you are indicating a key stored in Azure Key Vault that you want to use to encrypt/decrypt data in a storage account.

Under the hood, this key will be used to encrypt/decrypt the key that in turn will be used to actually encrypt/decrypt the data in your storage account.

This process will be performed transparently every time you interact with your storage account.

The following list explains the numbered steps in the diagram:

An Azure Key Vault admin grants permissions to encryption keys to a managed identity. The managed identity may be either a user-assigned managed identity that you create and manage, or a system-assigned managed identity that is associated with the storage account.

An Azure Storage admin configures encryption with a customer-managed key for the storage account.

Azure Storage uses the managed identity to which the Azure Key Vault admin granted permissions in step 1 to authenticate access to Azure Key Vault via Azure AD.

Azure Storage wraps the account encryption key with the customer-managed key in Azure Key Vault.

For read/write operations, Azure Storage sends requests to Azure Key Vault to unwrap the account encryption key to perform encryption and decryption operations.

When using customer provided keys, you need to provide the encryption key itself among certain metadata you want to use for encrypting/decrypting data when reading or writing your blob data, when performing your requests:

Hope this will help. Please let us know if any further queries.
Nehruji R 7,391 Reputation points Microsoft Vendor

2024-09-18T07:17:57.12+00:00

Hi, we hope the provided answer helped if yes please accept the answer else, please let us know if you have any further queries. I’m happy to assist you further.

1 answer

hossein jalilian 6,520 Reputation points

2024-09-13T16:33:45.32+00:00
Hello Matthew Nakama,

Thanks for posting your question in the Microsoft Q&A forum.

You would need to:

Develop a custom application or script that can authenticate to Azure Key Vault using appropriate credentials and retrieve keys from Azure Key Vault, and pass those keys to the AIX or IBM i encryption tools.

Ensure secure communication between your on-premises systems and Azure Key Vault, likely involving VPN or ExpressRoute connections.

Implement proper key rotation and management practices that work with both Azure Key Vault and your AIX/IBM i systems.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How can I unlock an AIX encrypted volume with a key stored on Azure Key Vault?

1 answer

Your answer