Azure Key Vault

This topic refers to features available in your iManage Work environment if the Encryption Keys page (Settings > Encryption Keys) is visible in iManage Control Center.

To use these features, users must have the global Key Management privilege; without it, the Encryption Keys menu option is not shown.

Users must be NRTADMINs to activate or to manage keys.

The following topics are available:

Generating a customer supplied encryption key

Use this to create a customer supplied encryption key.

Create an RSA 2048-bit public/private customer supplied encryption key in your preferred tool, or follow the instructions below to create one with OpenSSL.

After the customer supplied encryption key is created, immediately escrow the key with a custodian, and share the key with other Azure administrators. This redundancy is crucial, in case the key is lost or accidentally deleted. If the encryption key is lost or destroyed, you will permanently lose all encrypted data on the iManage Work system.

To create a key pair with OpenSSL:

  1. Download and install an encryption key application, such as OpenSSL, on the client machine.

  2. Create a PEM file with the following command:
    openssl genrsa -aes256 -out private.pem 2048

  3. Enter a secret passphrase for the private key.

  4. Escrow the RSA private key with the escrow custodian.

  5. In addition to the escrowed copy, create a backup in a secure location, including the passwords.

  6. Make two copies of the private key and passwords, giving one copy to each of the two key holders.

Azure Information Worksheet

Use this worksheet to record values created during the key vault process. These values will be used later in the key ceremonies within iManage Control Center.

Worksheet: Azure information worksheet

  1. Azure key vault DNS name
     Example: https://ajubalaw.vault.azure.net/ (include the final slash)
     Actual: ______________________

  2. Azure Key Version Key Identifier
     Example: https://ajubalaw.vault.azure.net/keys/ajubalaw-1/da93550d9b344d04a212dd06b7e7f4dc
     Actual: ______________________

  3. Application ID (also known as client ID)
     Example: 3fb0c700-536b-4700-9841-61e775400809
     Actual: ______________________

  4. Client secret (also known as application password)
     Example: xCGRvvvQmKfqwTw[@a@qovRN_Nn72K46
     Actual: ______________________

Adding the customer supplied encryption key to an Azure key vault

Use Microsoft Azure to create the key vaults. Follow their online instructions.

Make sure the following notes are incorporated into your steps and that the results look like the examples below.

  1. Create a key vault. Note the Azure key vault DNS name, for example https://ajubalaw.vault.azure.net/, including the final slash.
    Record the DNS Name in line 1 of the Azure Information Worksheet.

    Within that key vault, create a key resource. The only required settings are:
    * Include Wrap Key and Unwrap Key.
    * Do not use Set Activation date or Set Expiration date.
    Import the customer supplied encryption key that was created during the Generating a customer supplied encryption key step.
    This creates a Key Identifier. For example: https://ajubalaw.vault.azure.net/keys/ajubalaw-1/da93550d9b344d04a212dd06b7e7f4dc
    Record the Key Identifier in line 2 of the Azure Information Worksheet.

  2. Register the application and note its Application (client) ID.
    For example: 3fb0c700-536b-4700-9841-61e775400809
    Record the Application (client) ID in line 3 of the Azure Information Worksheet.

  3. Create an application secret, also called an application password.

    After the client secret is created, immediately record the value and also escrow it with a custodian. You cannot retrieve it after you leave that section.

    For example: xCGRvvvQmKfqwTw[@a@qovRN_Nn72K46
    Record the Client Secret in line 4 of the Azure Information Worksheet.

  4. Grant the application an access policy with the following permissions to the key vault: Wrap Key and Unwrap Key.
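The key-generation steps in Generating a customer supplied encryption key and the key settings required in the vault (Wrap Key and Unwrap Key only, no activation or expiration date), as an added shell example; this is not iManage's or Microsoft's own tooling. It assumes OpenSSL 1.1 or 3.x on the client machine, the passphrase in a CSEK_PASSPHRASE environment variable, and, for the optional import step only, the Azure CLI with VAULT_NAME and KEY_NAME set; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not iManage or Microsoft tooling: generate the RSA-2048
# customer supplied encryption key as in the procedure above, then verify it
# before it is escrowed or imported. Assumes OpenSSL 1.1 or 3.x on PATH and
# the passphrase in the CSEK_PASSPHRASE environment variable (never on the
# command line, where other users can read it from the process list).
set -e

# Steps 2 and 3: AES-256 encrypted private key, passphrase read from the environment.
generate_csek() {
    openssl genrsa -aes256 -passout env:CSEK_PASSPHRASE -out "$1" 2048 2>/dev/null
    chmod 600 "$1"
}

# Pre-escrow check: succeeds only if the file is passphrase-protected AND RSA-2048,
# so an unencrypted or wrongly sized key never reaches the custodian or the vault.
verify_csek() {
    # PKCS#8 header (OpenSSL 3) or legacy PEM header (OpenSSL 1.1) must be present.
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1" || return 1
    openssl rsa -in "$1" -passin env:CSEK_PASSPHRASE -noout -text 2>/dev/null \
        | grep -q 'Private-Key: (2048 bit' || return 1
}

# SHA-256 of the DER-encoded public key. Custodians and the second key holder
# compare this value to confirm the escrowed copy matches the key in the vault.
csek_fingerprint() {
    openssl rsa -in "$1" -passin env:CSEK_PASSPHRASE -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Optional import, run only when VAULT_NAME and KEY_NAME are set (hypothetical
# variable names): wrapKey and unwrapKey only, and no activation or expiry
# dates, which matches the required key settings in the vault procedure.
import_csek() {
    [ -n "${VAULT_NAME:-}" ] && [ -n "${KEY_NAME:-}" ] || return 0
    az keyvault key import --vault-name "$VAULT_NAME" --name "$KEY_NAME" \
        --pem-file "$1" --pem-password "$CSEK_PASSPHRASE" --ops wrapKey unwrapKey
}
```

Record the fingerprint alongside the worksheet so the escrowed copy and the vault key can be matched later without handling the private key again.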