Prerequisites
- Azure subscription with permission to create Key Vaults, App registrations, and RBAC role assignments
- KnoxCall Owner or Admin role
Step 1: Create an Azure Key Vault and key
kms_key_ref:
Use the RBAC authorization model (
--enable-rbac-authorization true), not access policies. This is required for the Key Vault Crypto User role to work.Option A: App Registration + client secret env var
This option works for any deployment. The App Registration acts as KnoxCall’s identity in your Azure AD tenant.Step 2: Create an App Registration
In the Azure portal, go to Azure Active Directory → App registrations → New registration:- Name:
KnoxCall Tenant KMS - Supported account types: Single tenant
- No redirect URI needed
Step 3: Create a client secret
In the App Registration, go to Certificates & secrets → Client secrets → New client secret:- Description:
KnoxCall BYOK - Expires: 24 months (or per your policy)
client_secret_env_var you pass to the API is the variable name (AZURE_KC_CLIENT_SECRET), not the secret itself.
Step 4: Grant access to the key
Assign the Key Vault Crypto User role to the App Registration on the key vault:Step 5: Onboard via admin UI
- Go to Settings → Security, find the Tenant Master Key card, click Customer KMS, then Set up BYOK
- Select Azure Key Vault and click Next
- Fill in:
- Key Vault key URL —
https://my-knoxcall-kv.vault.azure.net/keys/tenant-wrapping-key - Vault URL —
https://my-knoxcall-kv.vault.azure.net - Entra tenant ID — your Directory (tenant) ID
- Client ID — the Application (client) ID
- Key Vault key URL —
- Click Next to review, then Confirm + activate
Step 6: Onboard via API
provider is "azure" (not "azure_key_vault"). There is no key_name in config — the key name is part of kms_key_ref.
Option B: Managed Identity (for self-hosted KnoxCall on Azure)
If you run a self-hosted KnoxCall on an Azure VM, App Service, AKS, or Container App with a system-assigned or user-assigned Managed Identity, you can grant that identity direct access to the vault.Step 2 (Option B): Grant Managed Identity access
Find your Managed Identity’s object ID and assign Key Vault Crypto User:Step 3 (Option B): Onboard via API
Whenclient_secret_env_var is omitted and no explicit client credentials are provided, KnoxCall uses DefaultAzureCredential which picks up the Managed Identity automatically via the Azure IMDS endpoint:
azure_tenant_id, client_id, and client_secret_env_var are all omitted — the Managed Identity is detected at runtime.
Verify the configuration
config.sealed_since is null and the keys array contains one active version.
Session duration impact
BYOK tenants have a 5-minute session TTL (vs 1 hour for standard tenants). Self-hosted proxy agents renew sessions every 4 minutes. Ensure your infrastructure does not block frequent outbound HTTPS to
api.knoxcall.com.Revoking access
To lock KnoxCall out within one cache TTL (5 minutes):- Remove the Key Vault Crypto User role assignment from the App Registration or Managed Identity, or
- Disable or delete the key in Key Vault
Troubleshooting
Forbidden / Authorization failed during verify:
- Confirm the App Registration or Managed Identity has
Key Vault Crypto Useron the vault (not just a key-level grant) - Check the vault has RBAC authorization enabled:
az keyvault show --name my-kv --query properties.enableRbacAuthorization
client_secret_env_var not found:
- The environment variable is not set on the KnoxCall server process
- The env var name is case-sensitive —
AZURE_KC_CLIENT_SECRET≠azure_kc_client_secret
- Managed Identity must be enabled on the Azure resource running KnoxCall (VM → Identity → On, or
--assign-identityflag) DefaultAzureCredentialqueries the IMDS endpoint athttp://169.254.169.254— ensure no firewall blocks it
InvalidKeySize or key operation error:
- Key Vault requires RSA 2048+ for wrap/unwrap operations
- Ensure the key was created with
--ops wrapKey unwrapKey(notencrypt decrypt— Azure uses different operations for RSA keys)
AWS KMS setup
Cross-account IAM role setup for AWS
GCP Cloud KMS setup
Service account impersonation for GCP
Sealed state and unseal
What to do when Key Vault becomes unreachable
Tenant KMS API reference
Full endpoint reference