Create a Key Vault in Azure

Make sure you have an Azure subscription that contains Azure Key Vault. Then follow the instructions below:

Step 1: Create an application

This application is used only for Azure Key Vault. The IBM® Storage Protect for Cloud encryption profile accesses the key vault through this application.
  1. Go to the Microsoft Entra admin center (or the Microsoft Azure portal) and navigate to Identity > Applications > App registrations (or Microsoft Entra ID > App registrations).
  2. Click New registration on the ribbon.
  3. On the Register an application page, configure the application settings.
  4. Click Register to create your application.
  5. After the application is created successfully, copy the application ID. The application ID is the client ID that will be used in the encryption profile.

Step 2: Add a client secret for the application

The client secret will be used in the IBM Storage Protect for Cloud encryption profile.
  1. After creating the application, click Certificates & secrets in the left menu.
  2. In the Client secrets field, click New client secret.
  3. In the Add a client secret pane, enter a description for the client secret and select a duration.
  4. Click Add. The value of the client secret is automatically generated and displayed.
  5. Copy the client secret value. You will need to provide the value when configuring the encryption profile.
    Note: The value will be hidden after you leave or refresh the page.

Step 3: Create a Key Vault

Depending on your permission model (Azure RBAC or Key Vault access policy), follow the instructions in the related section below.

Step 4: Create a Key

Follow the steps below to create a key:
  1. On the Key vaults page, click the newly created key vault.
  2. Click Keys in Objects. In the Keys pane, click Generate/Import on the ribbon and create a key.
  3. In the Keys pane, click the key name, and then click the current version. The key properties are displayed.
  4. Copy the key identifier. You will need to provide the key identifier when configuring the encryption profile.

Step 5: Edit the Key Vault’s Firewall

To allow only the IBM Storage Protect for Cloud and the IBM Storage Protect for Cloud Microsoft 365 that you are using to connect to the key vault, complete the following steps to edit the key vault’s firewall:
  1. On the Key vaults page, click the name of the key vault you created, and then click Networking in Settings.
  2. In the Firewalls and virtual networks tab, select Allow public access from specific virtual networks and IP addresses.
  3. In the text boxes of the Firewall field, enter the IP addresses of the IBM Storage Protect for Cloud and the IBM Storage Protect for Cloud Microsoft 365 that you are using.
    Note: To get the IP addresses, sign in to IBM Storage Protect for Cloud and navigate to Administration > Administration > Security > Reserved IP address.
  4. Click Save to save your configurations.
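
After saving, the firewall from Step 5 can be checked against the reserved IP list. The following is an added example, not part of the IBM or Microsoft documentation: it assumes the vault's network rules were exported as JSON (for example with `az keyvault show --name <vault-name> --query properties.networkAcls`), and the function name, sample rules and IP addresses are constructed for illustration.

```python
import ipaddress
import json

def audit_network_acls(network_acls, reserved_ips):
    """Compare a Key Vault networkAcls object with the reserved IP list."""
    findings = []
    # "Allow public access from specific virtual networks and IP addresses"
    # is stored as defaultAction "Deny"; any other value leaves the vault
    # reachable from all networks regardless of the IP rules.
    if network_acls.get("defaultAction") != "Deny":
        findings.append("defaultAction is not Deny")
    expected = {ipaddress.IPv4Network(ip, strict=False) for ip in reserved_ips}
    allowed = {ipaddress.IPv4Network(rule["value"], strict=False)
               for rule in network_acls.get("ipRules") or []}
    # Rules that admit addresses outside the reserved list.
    for net in sorted(allowed):
        if not any(net.subnet_of(e) for e in expected):
            findings.append(f"unexpected allow rule: {net}")
    # Reserved addresses that no rule admits (the service would be blocked).
    for net in sorted(expected):
        if not any(net.subnet_of(a) for a in allowed):
            findings.append(f"reserved address not allowed: {net}")
    return findings

# Constructed sample: documentation-range addresses, not real service IPs.
RESERVED_IPS = ["203.0.113.10", "198.51.100.7"]
SAMPLE_ACLS = json.loads("""
{
  "bypass": "AzureServices",
  "defaultAction": "Allow",
  "ipRules": [{"value": "203.0.113.10/32"}, {"value": "192.0.2.0/24"}],
  "virtualNetworkRules": []
}
""")

if __name__ == "__main__":
    for finding in audit_network_acls(SAMPLE_ACLS, RESERVED_IPS):
        print(finding)
```

An empty result means the firewall denies by default and allows exactly the reserved addresses.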