Pre-Configuration: Setting Up Azure Key Vault for Polaris Pro

Optional Key Vault Configuration for Polaris Pro Features

Polaris supports optional Key Vault integration. By default it uses an ephemeral, TEE-isolated private key: a 4096-bit RSA key pair generated inside the Trusted Execution Environment (TEE) that never leaves it and is discarded when the enclave terminates, so data encrypted under it cannot outlive that instance. Configuring an encryption key in Azure Key Vault enables Polaris Pro behavior: the key is released only to an attested TEE, which allows persistent encrypted storage across disks, cloud storage and databases with key-based access control.

Before deploying Polaris Pro, you need to configure Azure Key Vault to store and manage the cryptographic key securely. This guide outlines the necessary steps to:

  1. Create an Azure Key Vault (Premium SKU).
  2. Define a Confidential Operation Policy (an Azure Key Vault key release policy) that binds key release to an attested Confidential VM.
  3. Create a cryptographic key within the Key Vault with that policy attached.
  4. Grant the AKS Managed Identity permission to release the key.

1. Create an Azure Key Vault

Azure Key Vault securely stores the HSM-protected key that Polaris Pro later releases into its TEE. Note that current Azure CLI releases create vaults with the Azure RBAC permission model by default (--enable-rbac-authorization defaults to true). The az keyvault set-policy command in step 4 works only with the vault access policy model, so either add --enable-rbac-authorization false to the command below or grant the identity an RBAC role assignment in step 4 instead.

Command to Create a Key Vault

az keyvault create --name "<KEYVAULT_NAME>" --resource-group "<RESOURCE_GROUP>" --location "<LOCATION>" --sku premium

Key Vault Parameters

Below are the parameters required for Azure Key Vault configuration in Polaris Pro:

  • <KEYVAULT_NAME>: The name of the Azure Key Vault (globally unique, because it forms the vault's DNS name).
  • <RESOURCE_GROUP>: The Azure Resource Group where the Key Vault will be deployed.
  • <LOCATION>: The Azure region where the Key Vault will be created.
  • Premium SKU: Required for HSM-protected keys (the RSA-HSM key type used in step 3) and for Secure Key Release; the Standard SKU cannot hold a key with a release policy.

2. Define and Apply a Confidential Operation Policy

Polaris Pro requires a Confidential Operation Policy, which is an Azure Key Vault secure key release policy. The policy does not restrict ordinary cryptographic operations on the key; it restricts release (export) of the key to a caller that presents a Microsoft Azure Attestation token, issued by the listed authority, whose claims satisfy the policy. Here that means an Azure Confidential VM (CVM) running in an AMD SEV-SNP Trusted Execution Environment (TEE).

Confidential Policy JSON (cvm-release-policy.json)

Save the following policy as cvm-release-policy.json; it is passed to the key creation command in step 3 and ensures that the key can only be released into a Confidential Computing environment.

{
  "version": "1.0.0",
  "anyOf": [
    {
      "authority": "https://sharedweu.weu.attest.azure.net",
      "allOf": [
        {
          "claim": "x-ms-isolation-tee.x-ms-attestation-type",
          "equals": "sevsnpvm"
        },
        {
          "claim": "x-ms-isolation-tee.x-ms-compliance-status",
          "equals": "azure-compliant-cvm"
        }
      ]
    }
  ]
}

Policy Breakdown

Below are the key attributes of the Confidential Operation Policy and their descriptions:

  • authority: The Microsoft Azure Attestation (MAA) endpoint whose tokens Key Vault trusts for this key; the example uses the shared West Europe provider (sharedweu.weu.attest.azure.net). It must match the attestation endpoint the Polaris workload attests against, so change it if the cluster attests in another region.
  • x-ms-isolation-tee.x-ms-attestation-type: Ensures that the key is released only to a Confidential VM backed by AMD SEV-SNP (sevsnpvm).
  • x-ms-isolation-tee.x-ms-compliance-status: Confirms that the execution environment is an Azure-compliant Confidential Virtual Machine (CVM). Without this claim any SEV-SNP VM that can obtain an attestation token would qualify, so keep both claims in the allOf block.

3. Create a Cryptographic Key in the Key Vault

An HSM-protected RSA key is generated in Azure Key Vault with the Confidential Policy applied. The key is marked exportable, but because a release policy is bound to it the only way to obtain the private key material is the release operation, which succeeds only against an attestation token that satisfies the policy; Key Vault does not accept an exportable key without a release policy.

Command to Create the Key

az keyvault key create --exportable true --vault-name "<KEYVAULT_NAME>" --kty RSA-HSM --name "<KEY_NAME>" --policy ./cvm-release-policy.json

Explanation

  • <KEYVAULT_NAME>: The Azure Key Vault name where the cryptographic key will be created.
  • <KEY_NAME>: The name of the cryptographic key that will be stored in the Key Vault.
  • RSA-HSM: Stores the key in the vault's Hardware Security Module, so the private key never exists in software outside the HSM or the attested TEE it is released to.
  • --exportable true: Marks the key as exportable through the release operation; this flag is required for key release and is only accepted together with a release policy.
  • --policy: Binds the Confidential Policy (the JSON file from step 2) to the key, restricting release to a Confidential Virtual Machine (CVM) running in a Trusted Execution Environment (TEE) and preventing unauthorized access to the key material.

4. Grant Access to the AKS Managed Identity

Polaris Pro runs on Azure Kubernetes Service (AKS), and the cluster's managed identity must be granted access to the Key Vault to perform key release. The identity used below is the kubelet (agent pool) identity, which is shared by every node in the pool and reachable from any pod that can query the node's instance metadata endpoint; keep the vault dedicated to this key, grant only the permissions listed, and consider restricting metadata access for workloads that do not need it.

Retrieve the AKS Managed Identity Object ID

Key Vault access policies are keyed by the identity's object (principal) ID, not its client (application) ID, so query objectId:

AKS_MI_ID=$(az aks show \
  --resource-group "<RESOURCE_GROUP>" \
  --name "<AKS_CLUSTER_NAME>" \
  --query "identityProfile.kubeletidentity.objectId" \
  --output tsv)

Grant Key Permissions

Once the AKS Managed Identity Object ID is retrieved, grant it the necessary key permissions in Azure Key Vault by running the following command. This requires the vault access policy permission model; for a vault that uses Azure RBAC, assign the Key Vault Crypto Service Release User role to the identity at the vault scope instead.

az keyvault set-policy \
  --name "<KEYVAULT_NAME>" \
  --object-id "$AKS_MI_ID" \
  --key-permissions get release \
  --output none

Explanation

  • <KEYVAULT_NAME>: The Azure Key Vault name where the cryptographic key is stored.
  • <RESOURCE_GROUP>: The Azure Resource Group containing the AKS cluster.
  • <AKS_CLUSTER_NAME>: The name of the Azure Kubernetes Service (AKS) cluster where Polaris Pro is deployed.
  • Policy Grants: Provides the AKS agent pool's managed identity with the following permissions and nothing else (no decrypt, sign, wrapKey or update, so the identity can neither use the key outside a TEE nor alter its release policy):
    • get: Allows reading the key's public part and attributes.
    • release: Allows requesting the private key from a Confidential VM (CVM) that presents an attestation token satisfying the policy in step 2.
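The four steps above as one script, added here as an example and not taken from the Polaris documentation or code base. It handles two things a deployment trips over: the access policy must be keyed on the identity's object ID rather than its client ID, and a vault created under the Azure RBAC permission model rejects az keyvault set-policy, so the script falls back to role assignments. It also refuses to bind a policy that lacks either claim. The function names, environment variable names, the default key name and the two role names are assumptions; the shared attestation provider naming pattern is extended to other regions from the West Europe example on the page.

```shell
#!/usr/bin/env sh
# Added end-to-end example; not Polaris project code. Function names, variable
# names, the default key name and the RBAC role names are assumptions.
set -eu

# Step 2: emit the release policy for the shared MAA provider of region $1
# (weu, eus, ...). The authority must match the endpoint the workload attests to.
release_policy_json() {
  local region="$1"
  cat <<EOF
{
  "version": "1.0.0",
  "anyOf": [
    {
      "authority": "https://shared${region}.${region}.attest.azure.net",
      "allOf": [
        { "claim": "x-ms-isolation-tee.x-ms-attestation-type", "equals": "sevsnpvm" },
        { "claim": "x-ms-isolation-tee.x-ms-compliance-status", "equals": "azure-compliant-cvm" }
      ]
    }
  ]
}
EOF
}

# Guard against binding a weakened policy to the key: an attest.azure.net
# authority and both claims must be present. Exit status 0 = acceptable.
validate_release_policy() {
  local f="$1"
  grep -q '"authority": "https://[a-z0-9.-]*attest\.azure\.net"' "$f" || return 1
  grep -q '"x-ms-isolation-tee.x-ms-attestation-type"' "$f" || return 1
  grep -q '"equals": "sevsnpvm"' "$f" || return 1
  grep -q '"x-ms-isolation-tee.x-ms-compliance-status"' "$f" || return 1
  grep -q '"equals": "azure-compliant-cvm"' "$f" || return 1
}

# Steps 1, 3 and 4, driven by environment variables (assumed names).
deploy_polaris_keyvault() {
  : "${KEYVAULT_NAME:?}" "${RESOURCE_GROUP:?}" "${LOCATION:?}" "${AKS_CLUSTER_NAME:?}"
  KEY_NAME="${KEY_NAME:-polaris-skr-key}"
  MAA_REGION="${MAA_REGION:-weu}"

  # Step 1: Premium is required for RSA-HSM keys and secure key release.
  az keyvault create --name "$KEYVAULT_NAME" --resource-group "$RESOURCE_GROUP" \
    --location "$LOCATION" --sku premium --output none

  # Step 2: write and check the policy before it is bound to the key.
  release_policy_json "$MAA_REGION" > cvm-release-policy.json
  validate_release_policy cvm-release-policy.json

  # Step 3: exportable HSM key; with a release policy attached, attested release
  # is the only export path.
  az keyvault key create --vault-name "$KEYVAULT_NAME" --name "$KEY_NAME" \
    --kty RSA-HSM --size 4096 --exportable true \
    --policy ./cvm-release-policy.json --output none

  # Step 4: access policies key on the OBJECT id of the identity, not its client id.
  aks_mi_oid=$(az aks show --resource-group "$RESOURCE_GROUP" --name "$AKS_CLUSTER_NAME" \
    --query "identityProfile.kubeletidentity.objectId" --output tsv)

  # A vault on the RBAC permission model rejects set-policy; use role assignments.
  rbac=$(az keyvault show --name "$KEYVAULT_NAME" \
    --query "properties.enableRbacAuthorization" --output tsv)
  if [ "$rbac" = "true" ]; then
    kv_id=$(az keyvault show --name "$KEYVAULT_NAME" --query id --output tsv)
    for role in "Key Vault Crypto Service Release User" "Key Vault Reader"; do
      az role assignment create --assignee-object-id "$aks_mi_oid" \
        --assignee-principal-type ServicePrincipal --role "$role" \
        --scope "$kv_id" --output none
    done
  else
    az keyvault set-policy --name "$KEYVAULT_NAME" --object-id "$aks_mi_oid" \
      --key-permissions get release --output none
  fi

  # Verify: release fails unless the key is exportable and carries the policy.
  az keyvault key show --vault-name "$KEYVAULT_NAME" --name "$KEY_NAME" \
    --query "{exportable: attributes.exportable, releasePolicy: releasePolicy}" --output json
}

# Only deploy when asked, so the file can be sourced or tested without side effects.
if [ "${1:-}" = "deploy" ]; then
  deploy_polaris_keyvault
fi
```

Run it with KEYVAULT_NAME, RESOURCE_GROUP, LOCATION and AKS_CLUSTER_NAME exported and the argument deploy. Without the argument it only defines the functions, which is what allows the policy generator and validator to be exercised without Azure credentials; the Key Vault Reader role stands in for the get permission of the access-policy branch, and the Crypto Service Release User role for release.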