Managing the root key for your Azure Rights Management service

Revoke your tenant key

When you cancel the only or last subscription that includes the Azure Rights Management service, the service stops using your Azure Rights Management tenant key and no action is needed from you.

Rekey your tenant key

Rekeying is also known as rolling your key. When you do this operation, the Azure Rights Management service stops using the existing tenant key to encrypt items, and starts to use a different key. Policies and rights management templates are immediately resigned but this changeover is gradual for existing clients and services using the Azure Rights Management service. So for some time, some new content continues to be encrypted with the old Azure Rights Management tenant key.

To rekey, you must configure the Azure Rights Management tenant key object and specify the alternative key to use. Then, the previously used key is automatically marked as archived for the Azure Rights Management service. This configuration ensures that content that was encrypted by using this key remains accessible.

Examples of when you might need to rekey for the Azure Rights Management service:

• You have migrated from Active Directory Rights Management Services (AD RMS) with a cryptographic mode 1 key. When the migration is complete, you want to change to using a key that uses cryptographic mode 2.

• Your company has split into two or more companies. When you rekey your Azure Rights Management tenant key, the new company won't have access to new content that your employees encrypt. They can access the old content if they have a copy of the old Azure Rights Management tenant key.

• You want to move from one key management topology to another.

• You believe the master copy of your Azure Rights Management tenant key is compromised.

To rekey, you can select a different Microsoft-managed key to become your Azure Rights Management tenant key, but you can't create a new Microsoft-managed key. To create a new key, you must change your key topology to be customer-managed (BYOK).

You have more than one Microsoft-managed key if you migrated from Active Directory Rights Management Services (AD RMS) and chose the Microsoft-managed key topology for the Azure Rights Management service. In this scenario, you have at least two Microsoft-managed keys for your tenant. One key, or more, is the key or keys that you imported from AD RMS. You'll also have the default key that was automatically created for your Azure Rights Management tenant.

To select a different key to be your active tenant key for the Azure Rights Management service, use the Set-AipServiceKeyProperties cmdlet from the AIPService module. To help you identify which key to use, use the Get-AipServiceKeys cmdlet. You can identify the default key that was automatically created for your Azure Rights Management tenant by running the following command:

(Get-AipServiceKeys) | Sort-Object CreationTime | Select-Object -First 1

To change your key topology to be customer-managed (BYOK), see Bring your own key for the Azure Rights Management service root key.

Backup and recover your tenant key

Microsoft is responsible for backing up your Azure Rights Management tenant key and no action is required from you.

Export your tenant key

You can export your Azure Rights Management service configuration and corresponding tenant key by following the instructions in the following three steps:

Step 1: Initiate export

• Contact Microsoft Support to open an Microsoft Purview Information Protection support case with a request for an Azure Rights Management key export. You must prove you're a global administrator for your tenant, and understand that this process takes several days to confirm. Standard support charges apply; exporting your tenant key is not a free-of-charge support service.

Step 2: Wait for verification

• Microsoft verifies that your request to release your Azure Rights Management tenant key is legitimate. This process can take up to three weeks.

Step 3: Receive key instructions from CSS

• Microsoft Customer Support Services sends you your Azure Rights Management service configuration and tenant key encrypted in a password-protected file. This file has a .tpd file name extension. To do this, a Microsoft support engineer first sends you (as the person who initiated the export) a tool by email. You must run the tool from a command prompt as follows:

  AadrmTpd.exe -createkey
  

  This generates an RSA key pair and saves the public and private halves as files in the current folder. For example: PublicKey-FA29D0FE-5049-4C8E-931B-96C6152B0441.txt and PrivateKey-FA29D0FE-5049-4C8E-931B-96C6152B0441.txt.

  Respond to the email from the support engineer, attaching the file that has a name that starts with PublicKey. Microsoft Support next sends you a TPD file as an .xml file that is encrypted with your RSA key. Copy this file to the same folder as you ran the AadrmTpd tool originally, and run the tool again, using your file that starts with PrivateKey and the file from Microsoft Support. For example:

  AadrmTpd.exe -key PrivateKey-FA29D0FE-5049-4C8E-931B-96C6152B0441.txt -target TPD-77172C7B-8E21-48B7-9854-7A4CEAC474D0.xml
  

  The output of this command should be two files: One contains the plain text password for the password-protected TPD, and the other is the password-protected TPD itself. The files have a new GUID, for example:

  • Password-5E4C2018-8C8C-4548-8705-E3218AA1544E.txt

  • ExportedTPD-5E4C2018-8C8C-4548-8705-E3218AA1544E.xml

    Back up these files and store them safely to ensure that you can continue to decrypt content that is encrypted with this tenant key. In addition, if you're migrating to AD RMS, you can import this TPD file (the file that starts with ExportedTDP) to your AD RMS server.

Step 4: Ongoing: Protect your tenant key

After you receive your tenant key, keep it well-guarded, because if somebody gets access to it, they can decrypt all items that are encrypted by using that key.

If the reason to export your tenant key is because you no longer want to use the Azure Rights Management service, as a best practice, now deactivate the Azure Rights Management service in your tenant. Don'tdelay doing this after you receive your tenant key because this precaution helps to minimize the consequences if your tenant key is accessed by somebody who shouldn't have it. For instructions, see Decommission and deactivate the Azure Rights Management service.

Respond to a breach

No security system, no matter how strong, is complete without a breach response process. Your Azure Rights Management tenant key might be compromised or stolen. Even when it’s protected well, vulnerabilities might be found in current generation key technology or in current key lengths and algorithms.

Microsoft has a dedicated team to respond to security incidents in its products and services. As soon as there's credible report of an incident, this team engages to investigate the scope, root cause, and mitigations. If this incident affects your assets, Microsoft will notify the global administrators for your tenant by email.

If you have a breach, the best action that you or Microsoft can take depends on the scope of the breach; Microsoft works with you through this process. The following table shows some typical situations and the likely response, although the exact response depends on all the information that is revealed during the investigation.

Revoke your tenant key

There are very few scenarios when you might need to revoke your Azure Rights Management key instead of rekeying. When you revoke your Azure Rights Management key, all content that has been encrypted by your tenant using that key will become inaccessible to everybody (including Microsoft, your global administrators, and super users) unless you have a backup of the key that you can restore. After you revoke your key, you won't be able to encrypt new content until you create and configure a new Azure Rights Management tenant key.

To revoke your customer-managed Azure Rights Management tenant key, in Azure Key Vault, change the permissions on the key vault that contains your Azure Rights Management tenant key so that the Azure Rights Management service can no longer access the key. This action effectively revokes the Azure Rights Management tenant key for the encryption service.

When you cancel your only or last subscription that includes the Azure Rights Management service, it stops using your Azure Rights Management tenant key and no action is needed from you.

Rekey your tenant key

Rekeying is also known as rolling your key. When you do this operation, the Azure Rights Management service stops using the existing tenant key to encrypt items, and starts to use a different key. Policies and rights management templates are immediately resigned but this changeover is gradual for existing clients and services using the Azure Rights Management service. So for some time, some new content continues to be encrypted with the old Azure Rights Management tenant key.

To rekey, you must configure the Azure Rights Management tenant key object and specify the alternative key to use. Then, the previously used key is automatically marked as archived for the Azure Rights Management service. This configuration ensures that content that was encrypted by using this key remains accessible.

Examples of when you might need to rekey for the Azure Rights Management service:

• Your company has split into two or more companies. When you rekey your Azure Rights Management tenant key, the new company won't have access to new content that your employees encrypt. They can access the old content if they have a copy of the old Azure Rights Management tenant key.

• You want to move from one key management topology to another.

• You believe the master copy of your Azure Rights Management tenant key (the copy in your possession) is compromised.

To rekey to another key that you manage, you can either create a new key in Azure Key Vault or use a different key that is already in Azure Key Vault. Then follow the same procedures that you did to implement BYOK for the Azure Rights Management service.

1. Only if the new key is in a different key vault to the one you're already using for the Azure Rights Management service: Authorize the Azure Rights Management service to use the key vault, by using the Set-AzKeyVaultAccessPolicy cmdlet.

2. If the Azure Rights Management service doesn't already know about the key you want to use, run Use-AipServiceKeyVaultKey cmdlet.

3. Configure the Azure Rights Management tenant key object, by using the run Set-AipServiceKeyProperties cmdlet.

For more information about each of these steps:

• To rekey to another key that you manage, see Bring your own key for the Azure Rights Management service root key.

  If you're rekeying an HSM-protected key that you create on-premises and transfer to Key Vault, you can use the same security world and access cards as you used for your current key.

• To rekey, changing to a key that Microsoft manages for you, see the Rekey your tenant key section for Microsoft-managed operations.

Backup and recover your tenant key

Because you're managing your tenant key, you're responsible for backing up the key that the Azure Rights Management service uses.

If you generated your Azure Rights Management tenant key on premises, in a nCipher HSM: To back up the key, back up the tokenized key file, the world file, and the administrator cards. When you transfer your key to Azure Key Vault, the service saves the tokenized key file, to protect against failure of any service nodes. This file is bound to the security world for the specific Azure region or instance. However, don't consider this tokenized key file to be a full backup. For example, if you ever need a plain text copy of your key to use outside a nCipher HSM, Azure Key Vault can't retrieve it for you, because it has only a nonrecoverable copy.

Azure Key Vault has a backup cmdlet that you can use to back up a key by downloading it and storing it in a file. Because the downloaded content is encrypted, it can't be used outside Azure Key Vault.

Export your tenant key

If you use BYOK, you can't export your Azure Rights Management tenant key from Azure Key Vault or from the Azure Rights Management service. The copy in Azure Key Vault is non-recoverable.

Respond to a breach

No security system, no matter how strong, is complete without a breach response process. Your Azure Rights Management tenant key might be compromised or stolen. Even when it’s protected well, vulnerabilities might be found in current generation key technology or in current key lengths and algorithms.

Microsoft has a dedicated team to respond to security incidents in its products and services. As soon as there's a credible report of an incident, this team engages to investigate the scope, root cause, and mitigations. If this incident affects your assets, Microsoft notifies your tenant global administrators by email.

If you have a breach, the best action that you or Microsoft can take depends on the scope of the breach; Microsoft works with you through this process. The following table shows some typical situations and the likely response, although the exact response depends on all the information that is revealed during the investigation.