Azure Key Vault Key Manager
The Azure Key Vault Key Manager stores the Trust Domain Server's signing keys in Azure Key Vault, providing HSM-backed key storage on Azure. Private key material is protected by the Key Vault's HSM; signing operations are performed via the Key Vault API.
Prerequisites
- Premium tier Key Vault — HSM-protected keys require the Premium tier. Standard tier (software-backed) vaults are not supported.
- Workload Identity — The Trust Domain Server must have an Azure Workload Identity (or Managed Identity) with sufficient permissions on the Key Vault.
How to Deploy
Step 1 — Set Up Azure Permissions
Assign the following Key Vault RBAC roles to the Trust Domain Server's Workload Identity on the Key Vault:
| Role | Purpose |
|---|---|
Key Vault Crypto Officer | Create, delete, and manage keys |
Key Vault Crypto User | Sign using keys |
Or, using the legacy access policy model, grant: Get, List, Create, Update, Delete, Sign.
Step 2 — Update cluster configuration
section: KeyManager
schema: v1
spec:
extensions:
azureKeyVault:
vaultURL: "https://my-key-vault.vault.azure.net/"
Apply it using spirlctl:
spirlctl config set trust-domain-deployment --id <deployment-id> key-manager.yaml
Or using Terraform:
resource "spirl_cluster_config" "key_manager" {
cluster_id = spirl_cluster.my_cluster.id
sections = {
KeyManager = <<-YAML
section: KeyManager
schema: v1
spec:
extensions:
azureKeyVault:
vaultURL: "https://my-key-vault.vault.azure.net/"
YAML
}
}
Once a configuration document passes validation and is stored, the Defakto control plane syncs it to your Trust Domain Servers automatically. No server or agent restart is required.
Configuration Reference
| Field | Required | Default | Description |
|---|---|---|---|
vaultURL | Yes | — | URL of the Azure Key Vault (e.g., https://<vault-name>.vault.azure.net/). Must use the https scheme. |
keyTags | No | None | User-defined tags applied to all keys created by the Trust Domain Server. Tag keys cannot use the azure: or defakto- prefixes. |
Step 3 — Verify
On startup, the Trust Domain Server logs the Key Vault key IDs it is using. Signing operations appear in the Key Vault's diagnostic logs under AuditEvent category.
Migration
To migrate from the default CRD-based key manager to Azure Key Vault:
- Prepare Azure resources — Set up your Key Vault and permissions as described above.
- Apply the Azure Key Vault configuration — Use
spirlctl config setto add theKeyManagersection with theazureKeyVaultextension. The Azure Key Vault key manager becomes the active key manager immediately, but no new keys are generated at this point; existing CRD-based keys continue to handle all signing operations. - Wait for key rotation — At the next scheduled key rotation, new signing keys are created in Azure Key Vault. The previous CRD-based keys remain active until they expire and are fully rotated out.
Security Considerations
- HSM protection. All keys are created as HSM-backed (
EC-HSMtype). Key material cannot be exported. - Premium tier required. Standard tier vaults use software-protected keys and are not accepted.
- Workload Identity. Use Azure Workload Identity (not a static client secret) so credentials rotate automatically.
- Key rotation. During a key manager transition, the previous keys remain active until they expire and are fully rotated out. All outstanding SVIDs remain verifiable during the transition.