Create a Key Vault in Azure

Make sure you have an Azure subscription that contains Azure Key Vault. Then follow the instructions below.

Step 1: Create an Application

This application is used only for Azure Key Vault. The AvePoint Online Services encryption profile accesses the key vault through this application.

  1. Go to (or ), navigate to Identity > Applications > App registrations (or Microsoft Entra ID > App registrations).

  2. Click New registration on the ribbon.

  3. On the Register an application page, configure the application settings.

  4. Click Register to create your application.

  5. After the application is created successfully, copy the application ID. The application ID is the client ID that will be used in the encryption profile.

Step 2: Add a Client Secret for the Application

The client secret will be used in the AvePoint Online Services encryption profile.

  1. After creating the application, click Certificates & secrets in the left menu.

  2. In the Client secrets field, click New client secret.

  3. In the Add a client secret pane, enter a description for the client secret and select a duration.

  4. Click Add. The value of the client secret is automatically generated and displayed.

  5. Copy the client secret value. You will need to provide the value when configuring the encryption profile.

    *Note: The value will be hidden after you leave or refresh the page.

Step 3: Create a Key Vault

Depending on your permission model (Azure RBAC or Key Vault access policy), follow the instructions in the corresponding section below.

Azure RBAC (Role-based Access Control)

Follow the steps below to create a key vault:

  1. Open the .

  2. Search for Key vaults, and then click the result to access the Key vaults page.

  3. Click Create. The Create a key vault page appears.

  4. In the Basics tab, provide the basic information for the key vault, and then click the Access configuration tab.

  5. In the Permission model section, select Azure role-based access control (recommended).

  6. Click the Networking tab.

  7. Select Enable public access, which allows all networks to connect to this key vault.

    *Note: If you want to allow only AvePoint Online Services and the AvePoint cloud services you are using to connect to this key vault, you can edit the key vault’s firewall settings after the key vault is provisioned.

  8. Click the Tags tab to add tags that categorize your key vault.

  9. Click Review + create to review all of your configurations first, and then click Create at the bottom to create the key vault.

    *Note: If you need to change some settings before creating the key vault, you can click the Previous button to change previous settings.

After the key vault is created, follow the steps below to assign the role:

  1. Open the , and navigate to the Key Vaults resource.

  2. Click Access control (IAM) in the Key Vault’s menu.

  3. Click Add and select Add role assignment.

  4. In the Role list, select Key Vault Crypto User.

  5. Go to the Members tab.

  6. In the Assign access to section, select User, group, or service principal.

  7. Click Select members.

  8. Search for and select your application.

  9. Click Review + assign to complete the role assignment.

Vault access policy

Follow the steps below to create a key vault:

  1. In the , enter Key vaults in the search box on the top, and then select the first result to access the Key vaults page.

  2. Click Create. The Create a key vault page appears.

  3. In the Basics tab, provide the basic information for the key vault, and then click the Access configuration tab.

  4. In the Permission model section, select Vault access policy.

  5. In the Access policies section, click Create.

  6. The Create an access policy pane appears. In the Permissions tab, select the following Key permissions:

    • In the Key Management Operations field, select Get.

    • In the Cryptographic Operations field, select Decrypt and Encrypt.

  7. Click Next to go to the Principal tab.

  8. In the Principal pane, complete the following steps:

    1. Enter the application name or application ID in the search box.

    2. Select the application and click Select at the bottom.

    3. Click Next at the bottom.

  9. Click Create to add the access policy.

  10. Click the Networking tab.

  11. Select Enable public access, which allows all networks to connect to this key vault.

    *Note: If you want to allow only AvePoint Online Services and the AvePoint cloud services you are using to connect to this key vault, you can edit the key vault’s firewall settings after the key vault is provisioned.

  12. Click the Tags tab to add tags that categorize your key vault.

  13. Click Review + create to review all of your configurations first, and then click Create at the bottom to create the key vault.

    *Note: If you need to change some settings before creating the key vault, you can click the Previous button to change previous settings.

Step 4: Create a Key

Follow the steps below to create a key:

  1. On the Key vaults page, click the newly created key vault.

  2. Click Keys in Objects. In the Keys pane, click Generate/Import on the ribbon and create a key.

  3. In the Keys pane, click the key name, and then click the current version. The key properties are displayed.

  4. Copy the key identifier. You will need to provide the key identifier when configuring the encryption profile.

Step 5: Edit the Key Vault’s Firewall

If you want to allow only AvePoint Online Services and the AvePoint cloud services you are using to connect to the key vault, complete the following steps to edit the key vault’s firewall:

  1. On the Key vaults page, click the name of the key vault you created, and then click Networking in Settings.

  2. In the Firewalls and virtual networks tab, select Allow public access from specific virtual networks and IP addresses.

  3. In the Firewall field, enter the IP addresses of AvePoint Online Services and the AvePoint cloud services you are using in the text boxes.

    *Note: To get the IP addresses, sign in to AvePoint Online Services and navigate to Administration > Security > Reserved IP address.

  4. Click Save to save your configurations.
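
The following check is an added example, not part of the original AvePoint or Microsoft documentation. It audits a vault description for the end state of Steps 3 and 5: the application's access policy holds only the Get, Encrypt and Decrypt key permissions, and the firewall denies by default with rules limited to the reserved IP addresses. It assumes the input is shaped like the JSON returned by `az keyvault show`; the object ID and IP addresses are constructed placeholders.

```python
import ipaddress

EXPECTED_KEY_PERMS = {"get", "encrypt", "decrypt"}  # key permissions from Step 3

def audit_vault(vault, sp_object_id, reserved_ips):
    """Return findings for a vault dict shaped like `az keyvault show` output."""
    findings = []
    props = vault.get("properties", {})
    if not props.get("enableRbacAuthorization"):
        # Vault access policy model: check the application's policy entry.
        # objectId is the service principal's object ID, not the client ID.
        mine = [p for p in props.get("accessPolicies") or []
                if p.get("objectId") == sp_object_id]
        if not mine:
            findings.append("no access policy for the application")
        for policy in mine:
            perms = policy.get("permissions") or {}
            keys = {k.lower() for k in perms.get("keys") or []}
            if keys - EXPECTED_KEY_PERMS:
                findings.append(f"extra key permissions: {sorted(keys - EXPECTED_KEY_PERMS)}")
            if EXPECTED_KEY_PERMS - keys:
                findings.append(f"missing key permissions: {sorted(EXPECTED_KEY_PERMS - keys)}")
            for kind in ("secrets", "certificates", "storage"):
                if perms.get(kind):
                    findings.append(f"unneeded {kind} permissions: {sorted(perms[kind])}")
    # Under Azure RBAC the policy list is ignored; review role assignments separately.
    acls = props.get("networkAcls") or {}
    if str(acls.get("defaultAction", "Allow")).lower() != "deny":
        findings.append("firewall default action is not Deny: all networks can connect")
    allowed = [ipaddress.ip_network(ip, strict=False) for ip in reserved_ips]
    for rule in acls.get("ipRules") or []:
        net = ipaddress.ip_network(rule["value"], strict=False)
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            findings.append(f"firewall rule outside reserved IP list: {rule['value']}")
    return findings

# Constructed sample data (placeholder object ID, documentation-range IPs).
SP_ID = "00000000-0000-0000-0000-000000000001"
RESERVED = ["203.0.113.10", "203.0.113.11"]
HARDENED = {"properties": {
    "accessPolicies": [{"objectId": SP_ID, "permissions": {"keys": ["Get", "Encrypt", "Decrypt"]}}],
    "networkAcls": {"defaultAction": "Deny", "ipRules": [{"value": "203.0.113.10/32"}]}}}
LOOSE = {"properties": {
    "accessPolicies": [{"objectId": SP_ID, "permissions": {"keys": ["Get", "Encrypt", "Decrypt", "Delete"], "secrets": ["Get"]}}],
    "networkAcls": {"defaultAction": "Allow", "ipRules": [{"value": "198.51.100.7/32"}]}}}

if __name__ == "__main__":
    for name, vault in (("hardened", HARDENED), ("loose", LOOSE)):
        print(name, audit_vault(vault, SP_ID, RESERVED))
```

An empty list means the vault matches the configuration described on this page; a vault left at Enable public access after Step 3 is reported until Step 5 is completed.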