Privacera Documentation

Configure Ranger KMS with Azure Key Vault on Privacera Platform

This topic shows how to configure the Ranger Key Management Service (KMS) with Azure Key Vault so that data encryption can be used. The master key is created by Ranger KMS and stored in Azure Key Vault. This section describes how to set up the connection from Ranger KMS to Azure Key Vault so that the master key is kept in the key vault instead of the Ranger database.

Note

If Ranger KMS already holds a master key in the Ranger database, you can migrate it manually to Azure Key Vault. For more information, refer to Migrate Ranger KMS master key on Privacera Platform.

Prerequisites

CLI configuration

  1. SSH to the instance where Privacera is installed.

  2. Run the following commands.

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.crypto.azurekeyvault.yml config/custom-vars/
    vi config/custom-vars/vars.crypto.azurekeyvault.yml
  3. Edit the following properties. For property details and descriptions, refer to the Azure Key Vault properties table below. This file holds the client secret and the certificate password in clear text, so restrict its permissions to the account that runs privacera-manager.

    AZURE_KEYVAULT_SSL_ENABLED: "<PLEASE_CHANGE>"
    AZURE_KEYVAULT_CLIENT_ID: "<PLEASE_CHANGE>"
    AZURE_KEYVAULT_CLIENT_SECRET: "<PLEASE_CHANGE>"
    AZURE_KEYVAULT_CERT_FILE: "<PLEASE_CHANGE>"
    AZURE_KEYVAULT_CERTIFICATE_PASSWORD: "<PLEASE_CHANGE>"
    AZURE_KEYVAULT_MASTERKEY_NAME: "<PLEASE_CHANGE>"
    AZURE_KEYVAULT_MASTER_KEY_TYPE: "<PLEASE_CHANGE>"
    AZURE_KEYVAULT_ZONE_KEY_ENCRYPTION_ALGO: "<PLEASE_CHANGE>"
    AZURE_KEYVAULT_URL: "<PLEASE_CHANGE>"
  4. Run the following commands.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
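Before running the update it is worth catching the mistakes that otherwise surface only as a failed KMS start: a placeholder left in place, a vault URL that is not a Key Vault URL, a certificate file that is not in config/ssl, or a key type that cannot perform the chosen wrapping algorithm. The following script is an added example, not Privacera's own tooling. It assumes the vars file consists of simple `KEY: "value"` lines as shown in step 3 and that certificates live under config/ssl as the properties table states. It deliberately rejects RSA1_5 (PKCS#1 v1.5 padding) in favour of RSA_OAEP_256; relax that case if your deployment requires it. The demo_setup function only builds constructed sample files in a temporary directory so the checks can be exercised offline.

```bash
#!/usr/bin/env bash
# Added example (not Privacera's code): sanity-check a filled-in
# vars.crypto.azurekeyvault.yml before running ./privacera-manager.sh update.
# Assumes the file holds one KEY: "value" pair per line.

# get_var FILE KEY -> prints the (optionally quoted) value of KEY in FILE.
get_var() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" "$1" | head -n 1
}

# check_azure_kv_vars VARS_FILE SSL_DIR
# Returns 0 when every check passes, 1 otherwise; findings go to stderr.
check_azure_kv_vars() {
  local vars="$1" ssl_dir="$2" rc=0 url cert ktype algo

  # Step 3 placeholders must all be replaced.
  if grep -q '<PLEASE_CHANGE>' "$vars"; then
    echo "placeholder <PLEASE_CHANGE> still present in $vars" >&2; rc=1
  fi

  # Key Vault URLs are https://<vault-name>.vault.azure.net/
  url=$(get_var "$vars" AZURE_KEYVAULT_URL)
  case "$url" in
    https://*.vault.azure.net/) ;;
    *) echo "AZURE_KEYVAULT_URL must look like https://<vault>.vault.azure.net/ (got '$url')" >&2; rc=1 ;;
  esac

  # The certificate must already be copied into config/ssl.
  cert=$(get_var "$vars" AZURE_KEYVAULT_CERT_FILE)
  if [ -z "$cert" ] || [ ! -f "$ssl_dir/$cert" ]; then
    echo "AZURE_KEYVAULT_CERT_FILE '$cert' not found in $ssl_dir" >&2; rc=1
  fi

  # Key types accepted by the properties table.
  ktype=$(get_var "$vars" AZURE_KEYVAULT_MASTER_KEY_TYPE)
  case "$ktype" in
    RSA|RSA_HSM|EC|EC_HSM|OCT) ;;
    *) echo "unsupported AZURE_KEYVAULT_MASTER_KEY_TYPE '$ktype'" >&2; rc=1 ;;
  esac

  # Zone-key wrapping algorithm; RSA1_5 is PKCS#1 v1.5 padding and is rejected here.
  algo=$(get_var "$vars" AZURE_KEYVAULT_ZONE_KEY_ENCRYPTION_ALGO)
  case "$algo" in
    RSA_OAEP_256|RSA_OAEP) ;;
    RSA1_5) echo "RSA1_5 uses PKCS#1 v1.5 padding; use RSA_OAEP_256 instead" >&2; rc=1 ;;
    *) echo "unsupported AZURE_KEYVAULT_ZONE_KEY_ENCRYPTION_ALGO '$algo'" >&2; rc=1 ;;
  esac

  # An RSA wrapping algorithm needs an RSA-family master key.
  case "$algo" in
    RSA*) case "$ktype" in
            RSA|RSA_HSM) ;;
            *) echo "$algo requires an RSA or RSA_HSM master key, not '$ktype'" >&2; rc=1 ;;
          esac ;;
  esac
  return $rc
}

# demo_setup -> prints a temp dir holding constructed good.yml and bad.yml
# sample files plus a dummy certificate. Sample data only, not a real vault.
demo_setup() {
  local d
  d=$(mktemp -d)
  mkdir -p "$d/config/ssl" "$d/config/custom-vars"
  printf 'dummy certificate for the demo\n' > "$d/config/ssl/azure-key-vault.pem"
  cat > "$d/config/custom-vars/good.yml" <<'EOF'
AZURE_KEYVAULT_SSL_ENABLED: "true"
AZURE_KEYVAULT_CLIENT_ID: "50fd7ca6-0000-0000-a13f-100000000000"
AZURE_KEYVAULT_CLIENT_SECRET: "example-secret"
AZURE_KEYVAULT_CERT_FILE: "azure-key-vault.pem"
AZURE_KEYVAULT_CERTIFICATE_PASSWORD: "certPass"
AZURE_KEYVAULT_MASTERKEY_NAME: "RangerMasterKey"
AZURE_KEYVAULT_MASTER_KEY_TYPE: "RSA"
AZURE_KEYVAULT_ZONE_KEY_ENCRYPTION_ALGO: "RSA_OAEP_256"
AZURE_KEYVAULT_URL: "https://example-kv.vault.azure.net/"
EOF
  # bad.yml: EC key with an RSA algorithm, legacy padding, missing certificate.
  sed -e 's/RSA_OAEP_256/RSA1_5/' -e 's/"RSA"/"EC"/' \
      -e 's/azure-key-vault.pem/missing.pem/' \
      "$d/config/custom-vars/good.yml" > "$d/config/custom-vars/bad.yml"
  echo "$d"
}

# Usage against a real installation (paths from the procedure above):
#   check_azure_kv_vars ~/privacera/privacera-manager/config/custom-vars/vars.crypto.azurekeyvault.yml \
#                       ~/privacera/privacera-manager/config/ssl
```

Run it with `bash -c 'source check.sh; d=$(demo_setup); check_azure_kv_vars "$d/config/custom-vars/bad.yml" "$d/config/ssl"'` to see the three findings for the constructed bad file; the good file passes silently. Point it at the real custom-vars file and config/ssl directory before step 4.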

Azure Key Vault properties on Privacera Platform

Each entry lists the property, its description, and an example value.

AZURE_KEYVAULT_SSL_ENABLED
    Description: Set to true to activate the Azure Key Vault integration.
    Example: true

AZURE_KEYVAULT_CLIENT_ID
    Description: Application (client) ID of the service principal. Get the ID by following the Prerequisites section above.
    Example: 50fd7ca6-xxxx-xxxx-a13f-1xxxxxxxx

AZURE_KEYVAULT_CLIENT_SECRET
    Description: Client secret of the service principal. Get the client secret by following the Prerequisites section above.
    Example: <AzureKeyVaultPassword>

AZURE_KEYVAULT_CERT_FILE
    Description: Certificate file used to authenticate to Azure Key Vault. Get the file by following the Prerequisites section above. Copy the file into the config/ssl folder and enter its file name here.
    Example: azure-key-vault.pem

AZURE_KEYVAULT_CERTIFICATE_PASSWORD
    Description: Password protecting the certificate file. Get the value by following the Prerequisites section above.
    Example: certPass

AZURE_KEYVAULT_MASTERKEY_NAME
    Description: Name of the master key. A key with this name is created in Azure Key Vault.
    Example: RangerMasterKey

AZURE_KEYVAULT_MASTER_KEY_TYPE
    Description: Type of the master key created in Azure Key Vault.
    Values: RSA, RSA_HSM, EC, EC_HSM, OCT
    Example: RSA

AZURE_KEYVAULT_ZONE_KEY_ENCRYPTION_ALGO
    Description: Algorithm used with the master key to encrypt (wrap) the zone keys. The RSA algorithms listed require an RSA or RSA_HSM master key. RSA1_5 is PKCS#1 v1.5 padding and is only kept for compatibility; prefer RSA_OAEP_256 for new deployments.
    Values: RSA_OAEP, RSA_OAEP_256, RSA1_5
    Example: RSA_OAEP

AZURE_KEYVAULT_URL
    Description: URL of the key vault. Get the URL by following the Prerequisites section above.
    Example: https://keyvault.vault.azure.net/