Cloud Wallets

When building a blockchain application, it is often useful to have an operations or user wallet that can perform actions on the blockchain without direct human intervention. MultiBaas' Cloud Wallet feature integrates smart contract function calls with externally owned accounts (EOAs) managed by Microsoft Azure Key Vault.

When setting up Azure Key Vault, your Azure account's billing details must be configured with a valid credit card, or have credits that have not yet expired.

Requirements:

Add a new provider

To access your Cloud Wallet, in the Navigation bar go to Cloud Wallets, then click on Configuration. To add a new provider, click on the plus icon at the top of the left sidebar.

Fill in the required inputs:

  • Label : A label to help you identify your cloud wallet
  • Client ID : The Application ID that will be accessing the Key Vault. Found in: Azure Portal > Sidebar > Azure Active Directory > App Registrations > Application ID column
  • Client Secret : The application’s secret key that you generate when you first register the application in Azure
  • Tenant ID : Also known as Directory ID. Found in: Azure Portal > Sidebar > Azure Active Directory > Properties > Directory ID
  • Subscription ID : The ID linked to your subscription to Azure services. Found in: Azure Portal > Sidebar > All Services > Subscriptions > Subscription ID column
  • Resource Group : The Resource Group Name for the resource being accessed. Found in: Azure Portal > Sidebar > All Resources > Resource Group column

Finally, click on Add Provider. You can now create or import wallets.

Create wallet

Click on the Add Wallet button, and select the Create Wallet tab.

Fill in the required details:

  • Vault Name : The Azure Key Vault name in which the key is going to be created. The Key Vault must exist and will not be created automatically. Found in: Azure Portal > Key Vaults
  • Key Name : The name of the key to create
  • HSM-protected key : Create an "HSM-protected key" instead of a "software-protected key". ⚠️ Note that this option only works on Premium SKU (Pricing tier) Key Vaults and comes at an additional cost.

Click on Create Wallet.

Import wallet

If you want to import an existing wallet that has previously been set up in Key Vault, click on the Add Wallet button, then select the Import Wallet tab.

Fill in the required inputs:

  • Vault Name : The Azure Key Vault name where the key resides. Found in: Azure Portal > Key Vaults
  • Key Name : The name of the key to import
  • Key Version : The version of the key to import

Click on Import Wallet.

PowerShell quickstart

Although Azure Key Vault can be configured through the web-based Azure portal, the initial process can be somewhat time-consuming. We have developed a PowerShell script to automate and streamline the process.

Setup

Open a Terminal window, and begin a PowerShell session.

~ % pwsh
PowerShell 7.3.3
PS /Users/admin>

If you have not already done so, install the Az module.

Install-Module Az

Otherwise, ensure your Az module is up to date.

Update-Module -Name Az

If you see a message about trusting the module's repository, accept it to continue.

Untrusted repository
You are installing the modules from an untrusted repository. If you trust this repository, change its InstallationPolicy
value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from 'PSGallery'?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): A

Next, import the module.

Import-Module Az

Finally, log in with your Azure account.

Connect-AzAccount

This command will redirect you to the Azure login in your browser. If the login was successful, you should see output like this in the PowerShell terminal.

Account             SubscriptionName     TenantId                             Environment
-------             ----------------     --------                             -----------
[email protected] Azure subscription 1 ece31744-f3c9-4f17-affa-924189392509 AzureCloud

If you see a warning or an error, please confirm that your Azure account is properly configured with valid billing details.

You may also confirm that you logged in successfully by checking your context.

Get-AzContext

If you are properly logged in, you should see output like this.

Name                                      Account              SubscriptionName      Environment  TenantId
----                                      -------              ----------------      -----------  --------
Azure subscription 1 (55422a49-5111-485…  [email protected]  Azure subscription 1  AzureCloud   ece31744-f3c9-4f17-affa-924189392509

If the subscription name or Tenant ID is missing, it is very likely that login failed. Please confirm that your Azure account's billing has been set up with a valid payment method or free trial.

Creating a Key Vault

Now that everything has been set up, run the following commands in PowerShell to create the cloud resources required to use HSM in MultiBaas.

Please copy the code line-by-line to ensure each step is successful before continuing on to the next.

# Pick a display name for the relevant cloud resources
$hsmIdentifier = "<PICK-SOMETHING-UNIQUE>"

# Any valid Azure region should be fine
$location = "japaneast"

# Store IDs that are needed for later (both taken from the current login context)
$tenantId = (Get-AzContext).Tenant.Id
$subscriptionId = (Get-AzContext).Subscription.Id

# Create an App Registration that will have permission to use the Key Vault
# -EndDate sets the expiry of the generated client secret; with no -Scope given,
# -Role Reader is assigned on the current subscription
$sp = New-AzADServicePrincipal -DisplayName $hsmIdentifier -EndDate '2299-12-31' -Role Reader
$clientId = $sp.AppId
$clientSecret = $sp.PasswordCredentials.SecretText

# Create a resource group for the vault
New-AzResourceGroup -Name $hsmIdentifier -Location $location

# Create a new Key Vault
$keyVault = New-AzKeyVault -VaultName $hsmIdentifier -ResourceGroupName $hsmIdentifier -Location $location -Sku Standard

# Give the App Registration permission to use the vault
Set-AzKeyVaultAccessPolicy -VaultName $hsmIdentifier -ObjectId $sp.Id -PermissionsToKeys get, sign, create

# Finally, print the IDs that are required to configure MultiBaas
$clientId
$clientSecret
$tenantId
$subscriptionId
$hsmIdentifier
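
As an added check that is not part of the original quickstart or of MultiBaas itself, the PowerShell function below compares one principal's Key Vault access policy against the key permissions granted above (get, sign, create) and reports anything extra or missing. The function name Test-WalletAccessPolicy and the sample object IDs are assumptions made for illustration; the sample objects are constructed to mimic the AccessPolicies property returned by Get-AzKeyVault.

```powershell
# Added example (not from the original page): audit one principal's access policy
# against the key permissions the quickstart grants.
function Test-WalletAccessPolicy {
    param(
        [object[]] $AccessPolicies = @(),            # e.g. (Get-AzKeyVault ...).AccessPolicies
        [Parameter(Mandatory)] [string] $ObjectId,   # e.g. $sp.Id
        [string[]] $ExpectedKeyPermissions = @('get', 'sign', 'create')
    )
    $policy = @($AccessPolicies | Where-Object { $_.ObjectId -eq $ObjectId })
    if ($policy.Count -ne 1) {
        $msg = "expected exactly 1 access policy for $ObjectId, found $($policy.Count)"
        return [pscustomobject]@{ Ok = $false; Findings = @($msg) }
    }
    $findings = @()
    # -notin is case-insensitive, so 'Get' and 'get' count as the same permission
    $actual  = @($policy[0].PermissionsToKeys | Where-Object { $_ })
    $extra   = @($actual | Where-Object { $_ -notin $ExpectedKeyPermissions })
    $missing = @($ExpectedKeyPermissions | Where-Object { $_ -notin $actual })
    if ($extra)   { $findings += "extra key permissions: $($extra -join ', ')" }
    if ($missing) { $findings += "missing key permissions: $($missing -join ', ')" }
    # The quickstart grants key permissions only, so anything on secrets or
    # certificates is unexpected
    foreach ($prop in 'PermissionsToSecrets', 'PermissionsToCertificates') {
        $granted = @($policy[0].$prop | Where-Object { $_ })
        if ($granted) { $findings += "$prop should be empty, found: $($granted -join ', ')" }
    }
    [pscustomobject]@{ Ok = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample data; the object IDs are made up for this example.
$sample = @(
    [pscustomobject]@{ ObjectId = '00000000-0000-0000-0000-000000000001'
                       PermissionsToKeys = @('get', 'sign', 'create')
                       PermissionsToSecrets = @(); PermissionsToCertificates = @() },
    [pscustomobject]@{ ObjectId = '00000000-0000-0000-0000-000000000002'
                       PermissionsToKeys = @('get', 'sign', 'create', 'delete', 'purge')
                       PermissionsToSecrets = @('get'); PermissionsToCertificates = @() }
)
foreach ($id in $sample.ObjectId) {
    $r = Test-WalletAccessPolicy -AccessPolicies $sample -ObjectId $id
    "{0}: Ok={1} {2}" -f $id, $r.Ok, ($r.Findings -join '; ')
}

# Against the live vault from the quickstart (requires Connect-AzAccount):
# Test-WalletAccessPolicy -AccessPolicies (Get-AzKeyVault -VaultName $hsmIdentifier).AccessPolicies -ObjectId $sp.Id
```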

Copyright © Curvegrid 2022. All rights reserved.