Skip to main content
This guide walks you through creating an Azure Key Vault and key, granting KnoxCall access, and onboarding it as your tenant’s wrapping key. Two authentication paths are available:

Prerequisites

  • Azure subscription with permission to create Key Vaults, App registrations, and RBAC role assignments
  • KnoxCall Owner or Admin role
The client_secret_env_var field accepts the name of an environment variable set on the KnoxCall server — the actual secret value is read at runtime and is never stored in the database. This is enforced server-side. Passing a raw client secret value as the field value is rejected.

Step 1: Create an Azure Key Vault and key

Note the vault key URL — you’ll use it as kms_key_ref:
Use the RBAC authorization model (--enable-rbac-authorization true), not access policies. This is required for the Key Vault Crypto User role to work.

Option A: App Registration + client secret env var

This option works for any deployment. The App Registration acts as KnoxCall’s identity in your Azure AD tenant.

Step 2: Create an App Registration

In the Azure portal, go to Azure Active Directory → App registrations → New registration:
  • Name: KnoxCall Tenant KMS
  • Supported account types: Single tenant
  • No redirect URI needed
Note the Application (client) ID and Directory (tenant) ID.

Step 3: Create a client secret

In the App Registration, go to Certificates & secrets → Client secrets → New client secret:
  • Description: KnoxCall BYOK
  • Expires: 24 months (or per your policy)
Note the secret value immediately — you’ll set it as a server-side environment variable. It won’t be shown again. Set the secret on the KnoxCall server environment:
The value of client_secret_env_var you pass to the API is the variable name (AZURE_KC_CLIENT_SECRET), not the secret itself.

Step 4: Grant access to the key

Assign the Key Vault Crypto User role to the App Registration on the key vault:

Step 5: Onboard via admin UI

  1. Go to Settings → Security, find the Tenant Master Key card, click Customer KMS, then Set up BYOK
  2. Select Azure Key Vault and click Next
  3. Fill in:
    • Key Vault key URLhttps://my-knoxcall-kv.vault.azure.net/keys/tenant-wrapping-key
    • Vault URLhttps://my-knoxcall-kv.vault.azure.net
    • Entra tenant ID — your Directory (tenant) ID
    • Client ID — the Application (client) ID
  4. Click Next to review, then Confirm + activate

Step 6: Onboard via API

Note: provider is "azure" (not "azure_key_vault"). There is no key_name in config — the key name is part of kms_key_ref.

Option B: Managed Identity (for self-hosted KnoxCall on Azure)

If you run a self-hosted KnoxCall on an Azure VM, App Service, AKS, or Container App with a system-assigned or user-assigned Managed Identity, you can grant that identity direct access to the vault.

Step 2 (Option B): Grant Managed Identity access

Find your Managed Identity’s object ID and assign Key Vault Crypto User:

Step 3 (Option B): Onboard via API

When client_secret_env_var is omitted and no explicit client credentials are provided, KnoxCall uses DefaultAzureCredential which picks up the Managed Identity automatically via the Azure IMDS endpoint:
azure_tenant_id, client_id, and client_secret_env_var are all omitted — the Managed Identity is detected at runtime.

Verify the configuration

Confirm config.sealed_since is null and the keys array contains one active version.

Session duration impact

BYOK tenants have a 5-minute session TTL (vs 1 hour for standard tenants). Self-hosted proxy agents renew sessions every 4 minutes. Ensure your infrastructure does not block frequent outbound HTTPS to api.knoxcall.com.

Revoking access

To lock KnoxCall out within one cache TTL (5 minutes):
  1. Remove the Key Vault Crypto User role assignment from the App Registration or Managed Identity, or
  2. Disable or delete the key in Key Vault
Within 5 minutes, the tenant enters the sealed state. No data is lost — you can unseal at any time by restoring the role assignment.

Troubleshooting

Forbidden / Authorization failed during verify:
  • Confirm the App Registration or Managed Identity has Key Vault Crypto User on the vault (not just a key-level grant)
  • Check the vault has RBAC authorization enabled: az keyvault show --name my-kv --query properties.enableRbacAuthorization
client_secret_env_var not found:
  • The environment variable is not set on the KnoxCall server process
  • The env var name is case-sensitive — AZURE_KC_CLIENT_SECRETazure_kc_client_secret
Managed Identity not detected:
  • Managed Identity must be enabled on the Azure resource running KnoxCall (VM → Identity → On, or --assign-identity flag)
  • DefaultAzureCredential queries the IMDS endpoint at http://169.254.169.254 — ensure no firewall blocks it
InvalidKeySize or key operation error:
  • Key Vault requires RSA 2048+ for wrap/unwrap operations
  • Ensure the key was created with --ops wrapKey unwrapKey (not encrypt decrypt — Azure uses different operations for RSA keys)

AWS KMS setup

Cross-account IAM role setup for AWS

GCP Cloud KMS setup

Service account impersonation for GCP

Sealed state and unseal

What to do when Key Vault becomes unreachable

Tenant KMS API reference

Full endpoint reference