Overview
This article provides step-by-step instructions to configure Azure Key Vault with a Service Principal that authenticates using a self-signed certificate, and to integrate it with CrashPlan as an external keystore.
Azure Key Vault securely stores secrets, keys, and certificates, while a Service Principal provides an application identity for accessing it. This procedure uses a self-signed certificate for authentication and integration with CrashPlan.
Process Flow
The process flow to configure an Azure Key Vault (AKV) server to store your archive keystore is as follows:
Create Key Vault
↓
Create Application Registration
↓
Firewall configuration
↓
Upload Certificate
↓
Grant Permissions
↓
Configure CrashPlan Keystore
↓
Validate Connection
↓
Migrate Keys
Considerations
Our technical support engineers can assist you with migrating your keystore to your private, self-administered Vault. CrashPlan technical support cannot, however, provide assistance with Vault-specific tasks, such as upgrade, installation, configuration, networking, and exporting certificates. For assistance with Azure Vault, consult Microsoft Azure Key Vault documentation.
1. Create Azure Key Vault
1. Log in to the Microsoft Azure Portal.
2. Navigate to Key Vaults → Create.
3. Configure the following:
- Subscription
- Resource Group
- Key Vault Name (globally unique)
- Region
4. Under Access Configuration, select:
- Azure role-based access control (RBAC) (recommended)
5. Under Networking:
- For Public Access, choose “Selected networks”
- For Virtual Networks, choose “Add new virtual network” and enter the network details to access this vault.
6. The deployment of the new Key Vault is complete.
Result: Save the Vault URI: https://<vault-name>.vault.azure.net
This will be used to configure the CrashPlan keystore.
7. Under the newly created Key Vault, navigate to Settings → Networking and add a firewall address.
NOTE:
To ensure proper CrashPlan backup and key management functionality, add the required CrashPlan IP addresses and domains to your firewall allowlist. For more information, see CrashPlan IP addresses, domains, and ports documentation.
You must also configure firewall rules to open an inbound port on your Azure Vault server that allows requests from the CrashPlan cloud.
This connection enables the CrashPlan cloud to securely access encryption keys stored in your Azure Vault for encrypting and decrypting user backup data.
2. Create a Service Principal for CrashPlan to access Azure vault
The Service Principal provides an application identity for accessing the Azure Key Vault. This procedure uses a self-signed certificate for authentication and integration with CrashPlan.
NOTE: If you already have your own certificate, the certificate-generation steps are optional.
1. Log in to the Azure Portal and select Microsoft Entra ID.
2. Navigate to Azure Active Directory → App registrations and select the Applications count.
3. Click New registration.
4. Configure the following:
- Name of the Service Principal (key-vault-crashplan)
- Supported account types: Default (Single tenant only)
5. Click Register.
6. Record the following values to configure the client credentials:
- Application (Client) ID
- Directory (Tenant) ID
3. Uploading a Certificate
You can generate a self-signed certificate by executing the following OpenSSL command:
openssl req -x509 -newkey rsa:4096 -keyout service-principal.key -out service-principal.crt -days 365 -nodes
Output:
- Private key: service-principal.key
- Certificate: service-principal.crt
NOTE: Alternatively, a certificate from a public certificate authority can be provided.
3.1 Upload to App Registration
- Go to App registrations → key-vault-crashplan → Manage → Certificates & secrets
- Click Upload certificate.
- Select the generated certificate file for upload (.cer or .pem).
Result: The certificate is successfully uploaded and associated with the application.
3.2 Granting Service Principal Permissions
- Navigate to Key Vault → Certificates and select the certificate to upload.
- Under Access control (IAM), click Add role assignment.
- Choose the Key Vault Secrets Officer role and click Next.
- Click Select Members.
- Search for and select the previously created Service Principal.
- Click Review + assign.
Result: The Service Principal is granted the required permissions to access secrets.
4. Register the created Azure Key Vault with CrashPlan
Generate a secure .pfx file containing the certificate and private key generated in Step 3 and record the exact password securely.
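The following shell script is an added example, not CrashPlan's or Microsoft's tooling: it runs the certificate generation from step 3 and the .pfx export from this step non-interactively, checks that the .pfx opens with the password and contains the same certificate as service-principal.crt, and prints the SHA-1 thumbprint so it can be compared against the one the App registration shows after upload. It assumes OpenSSL is installed, that the password is supplied in a PFX_PASSWORD environment variable (an assumption for this script, not a CrashPlan requirement), and that the subject name key-vault-crashplan is a placeholder.

```shell
#!/bin/sh
# Added example (not CrashPlan's or Microsoft's own tooling): generate the
# self-signed certificate, export the .pfx CrashPlan needs, and verify that
# key, certificate and .pfx all match before anything is uploaded.
# Assumptions: OpenSSL is installed; PFX_PASSWORD holds the export password.
set -eu

# Create service-principal.key / service-principal.crt in the given directory.
# -subj makes the run non-interactive; the CN is a placeholder.
# -nodes leaves the private key unencrypted on disk, so restrict its permissions.
generate_cert() {
    dir="$1"
    openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes \
        -subj "/CN=key-vault-crashplan" \
        -keyout "$dir/service-principal.key" \
        -out "$dir/service-principal.crt" 2>/dev/null
    chmod 600 "$dir/service-principal.key"
}

# Bundle key + certificate into a password-protected PKCS#12 (.pfx) file.
export_pfx() {
    dir="$1"
    openssl pkcs12 -export \
        -inkey "$dir/service-principal.key" \
        -in "$dir/service-principal.crt" \
        -out "$dir/service-principal.pfx" \
        -passout env:PFX_PASSWORD
}

# Print the SHA-1 thumbprint (hex, no colons) of a PEM certificate. The App
# registration's Certificates & secrets page shows the same value after upload.
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | sed 's/^.*=//; s/://g'
}

# Return 0 only if the .pfx opens with PFX_PASSWORD and carries the same
# certificate as service-principal.crt (wrong password -> non-zero).
verify_pfx() {
    dir="$1"
    expected=$(cert_thumbprint "$dir/service-principal.crt")
    actual=$(openssl pkcs12 -in "$dir/service-principal.pfx" -nokeys -clcerts \
        -passin env:PFX_PASSWORD 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1 2>/dev/null \
        | sed 's/^.*=//; s/://g')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}
```

Run `generate_cert .`, `export_pfx .` and `verify_pfx .` in the working directory; a failing verify_pfx means the password or files do not match and the .pfx should not be uploaded.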
openssl pkcs12 -export -out service-principal.pfx -inkey service-principal.key -in service-principal.crt

5. Migrate Keys
To migrate keys:
- Go to CrashPlan → Keystore settings
- Select Migrate keystore
- Choose:
- Self-administered (Azure Key Vault)
- Re-enter:
- Vault URL
- Certificate
- Password
- Confirm migration.
NOTE: After initiating the key store migration, do not modify any Azure Key Vault settings configured through these steps. Wait for the key migration process to complete before making any changes.
Result: Encryption keys are securely stored in Azure Key Vault.
Implementation is complete when:
- CrashPlan successfully uses Azure Key Vault
- Keys are migrated and accessible
- Backup and restore operations function correctly