Bring Your Own Key with Laurel Azure Integration Guide

Written by Thomas Zhang
Updated over 3 weeks ago

Step 1: Create Your Azure Key Vault and Key

Create a new Azure Key Vault and encryption key for Laurel:

  1. Log in to the Azure Portal.

  2. Navigate to Key Vaults (search for "Key Vaults" in the top search bar).

  3. Click + Create to create a new Key Vault.

  4. Configure the Key Vault settings:

    1. Subscription: Select your Azure subscription

    2. Resource Group: Choose an existing resource group or create a new one

    3. Key Vault Name: Enter a unique name (e.g., laurel-byok-vault)

    4. Region: Choose the region closest to your data

    5. Pricing Tier: Standard is sufficient for BYOK

  5. Click Review + Create, then Create.

  6. Once the Key Vault is created, navigate to it and click on Keys in the left sidebar.

  7. Click + Generate/Import to create a new key.

  8. Configure the key settings:

    1. Options: Select Generate

    2. Name: Enter a descriptive name (e.g., laurel-encryption-key)

    3. Key Type: Select RSA

    4. RSA Key Size: Select 4096 (recommended)

    5. Enabled: Yes

  9. Click Create.

  10. Copy the Key Vault Endpoint and Key Name:

    1. Key Vault Endpoint: Found at the top of your Key Vault overview page. It will look like: https://laurel-byok-vault.vault.azure.net/

    2. Key Name: The name you gave your key (e.g., laurel-encryption-key)

    3. Key Version: Looks like a GUID string (e.g., ef456dd3-6929-4aca-87bf-4733b91db1cd)

Step 2: Create a Service Principal for Laurel

Laurel requires a Service Principal (application identity) to access your Key Vault. You'll create this and share the credentials with Laurel.

  1. In the Azure Portal, navigate to Azure Active Directory (or Microsoft Entra ID).

  2. Click on App registrations in the left sidebar.

  3. Click + New registration.

  4. Configure the application:

    1. Name: Enter a descriptive name (e.g., Laurel-BYOK-ServicePrincipal)

    2. Supported account types: Select Accounts in this organizational directory only

    3. Redirect URI: Leave blank

  5. Click Register.

  6. Copy the following values (you'll need these for Laurel configuration):

    1. Application (client) ID: Found on the Overview page

    2. Directory (tenant) ID: Found on the Overview page

  7. Create a client secret:

    1. Click on Certificates & secrets in the left sidebar

    2. Click + New client secret

    3. Description: Enter a description (e.g., Laurel BYOK Access)

    4. Expires: Choose an expiration period of 2 years

    5. Click Add

    6. IMPORTANT: Copy the secret VALUE immediately - it will only be shown once. Store it securely.

  8. Copy your Subscription ID:

    1. Navigate to Subscriptions in the Azure Portal

    2. Find the subscription containing your Key Vault

    3. Copy the Subscription ID

Step 3: Configure Key Vault Access Policies

Grant the Service Principal permission to use your encryption key.

Using Access Policies

  1. Navigate to your Key Vault in the Azure Portal.

  2. Click on Access policies in the left sidebar.

  3. Click + Create (or + Add Access Policy in older portal versions).

  4. Configure the permissions:

    1. Key permissions: Select the following:

      1. Key Management Operations:

        1. Get

        2. List

      2. Cryptographic Operations:

        1. Select All

  5. Click Next (or the Select principal section).

  6. Search for and select the Service Principal you created in Step 2 (e.g., Laurel-BYOK-ServicePrincipal).

  7. Click Select, then Next, then Create (or Add).

  8. Important: Click Save at the top to apply the changes.

  9. NOTE: Under the Key Vault's Access configuration, you may need to set the permission model to "Vault access policy" for these access policies to take effect.

Step 4: Configure Laurel

  1. Log in to Laurel.

  2. Navigate to the Security Settings tab in Laurel Admin (you need to be a super customer admin to access this).

  3. Select Azure as your encryption provider.

  4. Enter the following information:

    1. Tenant ID: Paste the Directory (tenant) ID from Step 2

    2. Subscription ID: Paste your Azure Subscription ID from Step 2

    3. Key Vault Endpoint: Paste the Key Vault URL (e.g., https://laurel-byok-vault.vault.azure.net/)

    4. Key Name: Enter your key name (e.g., laurel-encryption-key)

    5. Key Version: Enter the GUID version (e.g. ef456dd3-6929-4aca-87bf-4733b91db1cd)

    6. Client ID: Paste the Application (client) ID from Step 2

    7. Client Secret: Paste the client secret VALUE you saved from Step 2

  5. Save the settings.

  6. A Laurel administrator must validate and enable the feature for it to become active. Submit a support ticket and we'll validate the configuration and enable the feature!
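As an added example (not Laurel's code and not part of this guide), the Python below runs offline pre-flight checks on the values collected in Steps 1, 2 and 4 before you submit them, builds the versioned key identifier Key Vault will resolve, and flags any key permission in the Step 3 access policy that goes beyond what the guide grants. The field names and the sample GUIDs are assumptions and constructed placeholders; only the vault endpoint, key name and key version follow the guide's own examples.

```python
import re
from urllib.parse import urlparse

GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
KEY_NAME = re.compile(r"^[0-9A-Za-z-]{1,127}$")  # Key Vault object-name rules

# Key permissions Step 3 grants: Get and List (Key Management Operations) plus all
# Cryptographic Operations. Compared case-insensitively ("Wrap Key" vs CLI wrapKey).
ALLOWED_KEY_PERMISSIONS = {"get", "list", "encrypt", "decrypt", "wrapkey", "unwrapkey", "sign", "verify"}

def validate_byok_config(cfg: dict) -> list:
    """Return the problems found in the Step 4 form values ([] means well-formed)."""
    problems = []
    for field in ("tenant_id", "subscription_id", "client_id", "key_version"):
        if not GUID.match(cfg.get(field, "")):
            problems.append(f"{field} is not a GUID")
    url = urlparse(cfg.get("key_vault_endpoint", ""))
    # The guide's endpoint is a public-cloud vault; sovereign clouds use other suffixes.
    if url.scheme != "https" or not (url.hostname or "").endswith(".vault.azure.net"):
        problems.append("key_vault_endpoint must look like https://<vault>.vault.azure.net/")
    if not KEY_NAME.match(cfg.get("key_name", "")):
        problems.append("key_name must be 1-127 letters, digits or hyphens")
    if not cfg.get("client_secret"):
        problems.append("client_secret is empty (the VALUE is shown only once in Step 2)")
    return problems

def key_identifier(cfg: dict) -> str:
    """Versioned key identifier Key Vault resolves from endpoint + key name + version."""
    return f"{cfg['key_vault_endpoint'].rstrip('/')}/keys/{cfg['key_name']}/{cfg['key_version']}"

def excess_key_permissions(granted) -> set:
    """Permissions in an access policy beyond what Step 3 requires (should be empty)."""
    return {p for p in granted if p.replace(" ", "").lower() not in ALLOWED_KEY_PERMISSIONS}

# Constructed sample values: the GUIDs below are placeholders, not real Azure identifiers.
SAMPLE_CONFIG = {
    "tenant_id": "11111111-2222-3333-4444-555555555555",
    "subscription_id": "66666666-7777-8888-9999-aaaaaaaaaaaa",
    "key_vault_endpoint": "https://laurel-byok-vault.vault.azure.net/",
    "key_name": "laurel-encryption-key",
    "key_version": "ef456dd3-6929-4aca-87bf-4733b91db1cd",
    "client_id": "bbbbbbbb-cccc-dddd-eeee-ffffffffffff",
    "client_secret": "<paste-the-secret-VALUE-here>",
}

if __name__ == "__main__":
    print(validate_byok_config(SAMPLE_CONFIG) or "Step 4 values look well-formed")
    print(key_identifier(SAMPLE_CONFIG))
    print(excess_key_permissions(["Get", "List", "Wrap Key", "Unwrap Key", "Purge"]))
```

Any permission the last check reports (Purge, Delete, Create and so on) should be removed from the access policy before handing the credentials to Laurel, since the integration only needs to read the key and perform cryptographic operations with it.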