The following topics are available:
Generating a customer-supplied encryption key
In order to use customer-managed encryption key to encrypt your data stored in iManage Work, you must first create an encryption key.
You can create an RSA-2048 bit public/private encryption key in your preferred tool, or follow the instructions below to create one with OpenSSL.
CAUTION: After the customer-supplied encryption key is created, immediately escrow the key with a custodian, and share the key with other Azure administrators. This redundancy is crucial, in case the key is lost or accidentally deleted. If the encryption key is lost or destroyed, you'll permanently lose all encrypted data on the iManage Work system.
To create a key pair with OpenSSL:
Download and install an encryption key application, such as OpenSSL, on the client machine.
Create a PEM file with the following command:
openssl genrsa -aes256 -out private.pem 2048Enter a secret passphrase for the private key.
Escrow the RSA private key with the escrow custodian.
In addition to the escrowed copy, store a backup of the key and passwords in a separate secure location.
NOTE: Azure no longer supports the ability to back up or restore keys to a second vault, and is not a suitable alternative for key escrow.
Make two copies of the private key and passwords, giving one copy to each of the two key holders.
NOTE: You can't generate a key by using Azure's built-in key generation function. Azure also provides no means to export the key from its vault.
Azure Information Worksheet
Use this worksheet to record values created during the key vault process. These values will be used later in the key ceremonies within iManage Control Center.
Worksheet: Azure information worksheet
Name | Value | ||
|---|---|---|---|
Azure key vault DNS name | Example | https://ajubalaw.vault.azure.net/ NOTE: Include a backslash at the end. | |
1 | Actual | ||
The Azure Key Version Key Identifier | Example | https://ajubalaw.vault.azure.net/keys/ajubalaw-1/da93550d9b344d04a212dd06b7e7f4dc | |
2 | Actual | ||
Application ID (also known as client ID) | Example | 3fb0c700-536b-4700-9841-61e775400809 | |
3 | Actual | ||
Client secret (also known as application password) | Example | xCGRvvvQmKfqwTw[@a@qovRN_Nn72K46 | |
4 | Actual |
Adding the customer-supplied encryption key to an Azure key vault
Use Microsoft Azure to create the key vaults. Make sure the following notes are incorporated into your steps and the results resemble the examples below.
Create a key vault using the instructions provided in Microsoft Azure help.
Record the Azure key vault DNS name in line 1 of the Azure Information Worksheet.
For example:https://ajubalaw.vault.azure.net/
NOTE: You must include the final backslash.Within that key vault, create a key resource. The only required settings are:
* Include Wrap Key and Unwrap Key.
* Don't use Set Activation date or Set Expiration date.Import the customer supplied encryption key that was created during the Generating a customer-supplied encryption key step.
This creates a Key Identifier. For example:https://ajubalaw.vault.azure.net/keys/ajubalaw-1/da93550d9b344d04a212dd06b7e7f4dc
Record the Key Identifier in line 2 of the Azure Information Worksheet.
Register the application.
For example:3fb0c700-536b-4700-9841-61e775400809
Record the Application (client) ID in line 3 of the Azure Information Worksheet.Create an application secret, also called an application password.
CAUTION: After the client secret is created, immediately record the value and also escrow it with a custodian. You can't retrieve it after you leave that section.
For example: xCGRvvvQmKfqwTw[@a@qovRN_Nn72K46
Record the Client Secret in line 4 of the Azure Information Worksheet.
CAUTION: When generating the application secret, Azure requires you to specify an expiration date that is two years or less. You MUST ensure you have processes in place to update this secret before its expiry date, or the iManage Cloud will be unable to access the Key Vault, and your content won't be able to be decrypted.
Whenever you have an updated secret, use the instructions in Updating the Azure Key Store client id or secret to also update the secret in iManage Control Center.
Grant the application an access policy with the following permissions to the key vault: Wrap Key and Unwrap Key.
FAQ
Q: How many Azure Key Vaults are required?
A: Two Azure Key Vaults are needed to meet this requirement. Two independent sets of keyholders are required and, as best practice, we recommend no single keyholder has access to both key vaults.
Q: Should we configure two key vaults within the same subscription?
A: We recommend having two independent Azure accounts owned by the firm’s designated keyholders and separately accessible only to these keyholders. For Azure subscription assistance, please reach out to a Microsoft representative.
Q: Can we store more than one key in the same key vault pair?
A: No, the RSA key must be identical between the key vault pair. The iManage CMEK service validates that the RSA keys between the key vault pair are identical.
Q: Can I generate a key using the Azure Key Vault functionality?
A: Generating a key within Azure Key Vault isn't allowed for the following reasons:
The key must be identical
The key id must not be identical
The keyholder must be a separate person
A key can't be generated in the Azure Key Vault because the key id can't be modified. Therefore, a key must be created outside of your Azure Key Vault. For instructions on creating a key using an alternate application such as OpenSSL, refer to Generating a customer-supplied encryption key.
Q: How much can we expect to be charged by Azure?
A: The only iManage functions that interact with Azure Key Vault are key wrap and key unwrap. These activities occur approximately every 5 minutes, which alone would cost approximately US $15 per month. Library size, number of users, and amount of activity don't affect the amount of key wrap and key unwrap actions that iManage sends to the Azure Key Vault. For more information on Azure pricing, refer to https://azure.microsoft.com/en-us/pricing/details/key-vault/.
