The KEK (Key Exchange Key) is an RSA key, generated in the Key Vault. KEK must be:
-
An RSA-HSM key (2048-bit or 3072-bit or 4096-bit).
-
Generated in the same key vault where you intend to import the tenant key to.
-
Created with the allowed key operations set to import.