How to import key exchange key in TR-31 format in Azure Key Vault?

Carlos Sáez 1

The 3rd party, does not have the HSM requirement for using BYOK tool and transfer to us the key for import in Azure Key Vault.

They only can transfer the key exchange key in TR-31 format (key exchange block).

How can I import this type of key format in Azure Key Vault?

Thank you in advance
Kind regards

Carlos

Siva-kumar-selvaraj 15,546 Reputation points

2021-10-11T09:14:28.93+00:00

Hello @Carlos Sáez ,

Thanks for reaching out.

These are supported and valid key types can be imported from Azure Key Vault keys: .pfx, .pem, and .byok. However, let me double check and confirm if TR-31 format (key exchange block) supported with Azure key Vault.

Detailed comparison are here for your reference:

Import HSM-protected keys to Key Vault (BYOK):
Supported-key-types: https://learn.microsoft.com/en-us/azure/key-vault/keys/hsm-protected-keys-byok#supported-key-types
Supported HSMs : https://learn.microsoft.com/en-us/azure/key-vault/keys/hsm-protected-keys-byok#supported-hsms
Key types and protection methods: https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys#key-types-and-protection-methods
Siva-kumar-selvaraj 15,546 Reputation points

2021-10-11T14:47:20.9+00:00

Have confirmed with product group that TR31 key blocks are not supported.

Key blocks are typically used with Payment HSM for the transfer of 3DES or AES keys. The HSM used by Key Vault are general propose HSM and key vault does not support symmetric keys.

If you would like to get more information about Payment HSM, pls let us know. Thanks

Hope this helps.
Siva-kumar-selvaraj 15,546 Reputation points

2021-10-12T12:44:56.247+00:00

@Carlos Sáez Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Thanks,
Carlos Sáez 1 Reputation point

2021-10-13T11:43:11.74+00:00

Hello @sikumars-msft ,

Thanks for the info.

The 3rd party who I am dealing is a Payment company, and they use IBM and Thales HSMs supported by Azure Key Vault for BYOK, but they don't use the needed IBM (EKMF) and Thales(Luna) modules/services to generate BYOK. That's the reason why they only can share us TR-31 exchange key format.

Would you share some info about import keys from Payment HSM or any workarround we can porpose to import their key?

We need one alternative solution to aim that key and be able to integrate with them.

Kind regards

1 answer

Siva-kumar-selvaraj 15,546 Reputation points

2021-10-11T12:04:20.427+00:00

@Carlos Sáez

Hello Carlos,

Thanks for reaching out.

TR31 key blocks are not supported.

Key blocks are typically used with Payment HSM for the transfer of 3DES or AES keys. The HSM used by Key Vault are general propose HSM and key vault does not support symmetric keys.

Hope this helps.

------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.

1 person found this answer helpful.
Carlos Sáez 1 Reputation point

2021-10-17T18:01:07.557+00:00

Thanks for the info.

The 3rd party who I am dealing is a Payment company, and they use IBM and Thales HSMs supported by Azure Key Vault for BYOK, but they don't use the needed IBM (EKMF) and Thales(Luna) modules/services to generate BYOK. That's the reason why they only can share us TR-31 exchange key format.

Would you share some info about import keys from Payment HSM or any workarround we can porpose to import their key?

We need one alternative solution to aim that key and be able to integrate with them.

Kind regards
Sign in to comment