Modifying Key Vault

You can change the existing Kyvos Key Vaults in any environment. In particular, soft delete and purge protection must be enabled, with the required retention period in days, for each Kyvos Key Vault.

Note

According to Azure documentation, the retention policy can only be configured during the vault creation and cannot be modified afterward. The same retention interval applies to both soft delete and purge protection policies.

For more details, see Microsoft documentation.

Because the retention policy cannot be changed on an existing vault, Kyvos recommends recreating the Key Vaults and updating the secrets so that they align with the required soft delete and purge protection retention policy.

The following sections summarize the steps required to create a new Key Vault and copy all existing secrets from the current Key Vault to the newly created one.

Creating a new Key Vault

To create the Key Vault, perform the following steps.

  1. Log in to the Azure portal with a user account that has sufficient permissions. On the Home page, type Key Vaults in the search box.

  2. On the Key Vaults page, click Create.

    The Create a Key Vault page is displayed.

  3. Click the Basics tab.

  4. Select your Subscription account.

  5. Select the name of your Resource Group. You can also create a new resource group using the Create new option.

Note

To add a new resource group, you must have the Managed Application Contributor Role assigned at the subscription level.

  6. Enter the Key vault name.

  7. Select the same Region as the Resource group.

  8. Select the Azure Key Vault Pricing Tier: Standard or Premium.

  9. Under Recovery options, enter the Days to retain deleted vaults. For example, you can keep the value as 7.

  10. Under Purge Protection, select the Enable option.

  11. Click the Next button. The Access Configuration tab is displayed.

  12. Select the Vault Access Policy option as the permission model.

  13. Select the following checkboxes under Resource access:

    1. Azure Resource Manager for template deployment

    2. Azure Virtual Machines for deployment

    3. Azure Disk Encryption for volume encryption

  14. Click Create. The Create an access policy dialog is displayed.

  15. In the Secret permissions section, select GET, LIST, and SET (the assigned managed identity must have these secret permissions), then click Next.

  16. On the Principal tab, select the managed identity configured on your cluster from the list, then click Next.

  17. Click Review + Create. The managed identity is displayed with its permissions in the Access policies section.

  18. Click Next. The Networking tab is displayed.

  19. Modify the networking settings as needed.

  20. Click Next. The Tags tab is displayed. This configuration is optional; you can specify tags using the parameters displayed in the Tags section.

  21. Download the copy_secrets.sh script to copy the secrets from the existing vault to the new vault.

  22. Provide the source and destination vault names in the copy_secrets.sh script before executing it.

  23. On the Home page, click Cloud Shell.

  24. Upload the script by clicking the Upload button.

Note

If the firewall is enabled on your existing Key Vault (the one the secrets are copied from), make sure that the IP address from which the script accesses the Key Vault is allowed through the firewall.

  25. Run the script.

  26. Once all the secrets are copied to the new Key Vault, copy the new vault URL from the Azure portal.
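The following script is an added example of what the copy step does; it is not the Kyvos copy_secrets.sh script, whose contents are not reproduced on this page. It uses the Azure CLI (available in Cloud Shell), assumes the signed-in identity has GET and LIST secret permissions on the source vault and SET on the destination, and, before copying anything, checks that the destination vault was created with soft delete and purge protection enabled as required above. Vault names are passed as arguments and are placeholders; the helper that builds the vault URL produces the form entered into Kyvos Manager later on this page.

```shell
#!/usr/bin/env sh
# Added example, not the Kyvos copy_secrets.sh script: copy every secret from
# a source Azure Key Vault to a destination vault with the Azure CLI, after
# checking that the destination has soft delete and purge protection enabled.
# Assumptions: `az login` has been done (Cloud Shell does this for you) and the
# signed-in identity has GET/LIST secret permissions on the source vault and
# SET on the destination. Vault names are supplied as arguments (placeholders).
set -eu

# Build the vault URL in the form Kyvos Manager expects for the Vault URL setting.
vault_url() {
  printf 'https://%s.vault.azure.net/\n' "$1"
}

# Azure Key Vault naming rule: 3-24 characters, letters, digits and hyphens,
# starting with a letter, ending with a letter or digit, no consecutive hyphens.
valid_vault_name() {
  case "$1" in
    *--*) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$'
}

# Fail unless the destination vault has the recovery settings required on this page.
check_recovery_settings() {
  vault="$1"
  # One call returns "true<TAB>true<TAB><days>" for a correctly created vault.
  set -- $(az keyvault show --name "$vault" \
    --query "[properties.enableSoftDelete,properties.enablePurgeProtection,properties.softDeleteRetentionInDays]" \
    -o tsv)
  if [ "${1:-}" != "true" ] || [ "${2:-}" != "true" ]; then
    echo "ERROR: $vault does not have soft delete and purge protection enabled" >&2
    return 1
  fi
  echo "Destination $vault: soft delete on, purge protection on, retention ${3:-?} days"
}

# Copy each secret (name and value) from the source vault to the destination
# vault, then compare secret counts so a partial copy is noticed.
copy_secrets() {
  src="$1" dst="$2"
  check_recovery_settings "$dst"
  # Secret names contain only letters, digits and hyphens, so word splitting is safe.
  for name in $(az keyvault secret list --vault-name "$src" --query "[].name" -o tsv); do
    # Note: command substitution drops trailing newlines from a multi-line value.
    value=$(az keyvault secret show --vault-name "$src" --name "$name" --query "value" -o tsv)
    az keyvault secret set --vault-name "$dst" --name "$name" --value "$value" --output none
    echo "copied: $name"
  done
  n_src=$(az keyvault secret list --vault-name "$src" --query "length(@)" -o tsv)
  n_dst=$(az keyvault secret list --vault-name "$dst" --query "length(@)" -o tsv)
  echo "secrets in $src: $n_src, in $dst: $n_dst"
  [ "$n_src" -le "$n_dst" ]
}

# Usage: ./copy_secrets_example.sh <source-vault-name> <destination-vault-name>
if [ "$#" -eq 2 ]; then
  valid_vault_name "$1" && valid_vault_name "$2" || { echo "invalid vault name" >&2; exit 2; }
  copy_secrets "$1" "$2"
  echo "Vault URL to enter in Kyvos Manager: $(vault_url "$2")"
fi
```

The recovery-settings check is the part worth keeping even if you use a different copy script: if the new vault was created without purge protection, the secrets land in a vault that does not meet the requirement above, and the only remedy is to recreate it again. Copying into a vault in a different subscription or tenant is the same procedure once `az account set` points at the right subscription; the two `az keyvault secret list` calls at the end only confirm that nothing was skipped, they do not compare values.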

Changing the Key Vault

To change the Key Vault, perform the following steps.

  1. Log in to Kyvos Manager using Administrator credentials.

  2. Navigate to Kyvos and Ecosystem > Databricks.

  3. On the Databricks page, in the Databricks Cluster section, enter the new vault URL that you copied at the end of the previous procedure in the Vault URL parameter. For example:
    Vault URL = https://autokyvosvault15204.vault.azure.net/

  4. Log in to Kyvos Manager Virtual Machine.

  5. Navigate to the ../kyvosmanagerdata/server/tls.properties file and update the ‘SECRET_IDENTIFIER’ parameter with the new vault URL. For example:
    SECRET_IDENTIFIER=https://kyvosvault60990.vault.azure.net

  6. Navigate to the ../kyvosmanagerdata/server/db/jdbc.properties file and update the ‘secretStoreIdentifier’ parameter with the new vault URL. For example:
    secretStoreIdentifier=https://kyvosvault60990.vault.azure.net
    After updating both parameters, return to Kyvos Manager.

  7. Navigate to Utilities > Update Snapshot Bundles.

  8. Expand Kyvos Manager > Kyvos Manager Server > Kyvos Manager Data Configuration.

  9. Click Update Selected.

  10. Click the Action menu (…), and then click Restart Kyvos Manager.

  11. Click Restart Services.

Once the services are restarted, the new Key Vault takes effect.
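As an added example (not Kyvos Manager tooling), the following shell helper makes the edits from steps 5 and 6 in place: it sets SECRET_IDENTIFIER in tls.properties and secretStoreIdentifier in db/jdbc.properties, keeps a .bak copy of each file, tolerates stray spaces around the equals sign, and prints both values afterwards so the change can be checked before the snapshot bundle is updated and services are restarted. The kyvosmanagerdata directory (KM_DATA) and the vault URL are placeholders supplied by the caller.

```shell
#!/usr/bin/env sh
# Added example, not Kyvos Manager tooling: point the two Kyvos Manager
# property files (tls.properties and db/jdbc.properties) at the new vault.
# KM_DATA is a placeholder for the kyvosmanagerdata directory; the vault URL
# is taken from the first argument.
set -eu

# Set KEY=VALUE in FILE, replacing an existing line (even with stray spaces
# around "=") or appending the key if it is absent. A .bak copy is kept.
# KEY must not contain regex metacharacters; VALUE must not contain "|" or "&".
set_property() {
  file="$1" key="$2" value="$3"
  cp -p "$file" "$file.bak"
  if grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$file"; then
    sed -i.tmp "s|^[[:space:]]*$key[[:space:]]*=.*|$key=$value|" "$file"
    rm -f "$file.tmp"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# Print the current value of KEY in FILE (last occurrence; empty if unset).
get_property() {
  sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# Update both files and show what they now contain, so the change can be
# checked before the snapshot bundle is updated and services are restarted.
update_vault_identifiers() {
  km_data="$1" new_url="$2"
  set_property "$km_data/server/tls.properties" SECRET_IDENTIFIER "$new_url"
  set_property "$km_data/server/db/jdbc.properties" secretStoreIdentifier "$new_url"
  echo "tls.properties  SECRET_IDENTIFIER=$(get_property "$km_data/server/tls.properties" SECRET_IDENTIFIER)"
  echo "jdbc.properties secretStoreIdentifier=$(get_property "$km_data/server/db/jdbc.properties" secretStoreIdentifier)"
}

# Usage: KM_DATA=/path/to/kyvosmanagerdata ./update_vault_example.sh https://<new-vault>.vault.azure.net
if [ "$#" -eq 1 ]; then
  update_vault_identifiers "${KM_DATA:?set KM_DATA to the kyvosmanagerdata directory}" "$1"
fi
```

The .bak copies are what you roll back to if Kyvos Manager fails to start after the restart; once the new vault is confirmed working, delete them, since they still name the old vault.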
Copyright Kyvos, Inc. All rights reserved.