![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 68%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDD%3C/text%3E%3C/svg%3E)
Azure Dedicated HSM
An Azure service that provides hardware security module management.
27 questions
Thank you for your post!
I understand that you have a question regarding the ability to use your own custom proprietary block cipher algorithm with Azure Dedicated HSM. To hopefully point you in the right direction or resolve your issue, I'll share my findings below.
Findings:
To ensure I point you in the right direction, please understand that:
Azure Dedicated HSM is most suitable for “lift-and-shift” scenarios that require direct and sole access to HSM devices. However, Azure Dedicated HSM is not a good fit for Microsoft cloud services that support encryption with customer-managed keys (for example Azure Disk Encryption, Azure Storage, Azure SQL Database, etc.) that are not integrated with Azure Dedicated HSM. For more info.
When it comes to Azure Dedicated HSM, the only supported symmetric algorithms are:
- AES-GCM
- Triple DES
- DES
- ARIA, SEED
- RC2
- RC4
- RC5
- CAST
- Hash/Message Digest/HMAC: SHA-1, SHA-2, SM3
- Key Derivation: SP 800-108 Counter Mode
- Key Wrapping: SP 800-38F
- Random Number Generation: FIPS 140-2 approved DRBG (SP 800-90 CTR mode), complying with BSI DRG.4
Unfortunately it isn't possible to use your own symmetric cipher code with Azure Dedicate HSM. However, you can look into using the Azure Key Vault Managed HSM if you'd like to Generate HSM-protected keys in your on-premises HSM and import them securely to Azure. For more info.
- Please keep in mind, if you expect to use customer-managed keys for services integrated with Azure Key Vault (for example, Azure Disk encryption, Azure Storage, Azure SQL Database, etc.), then you must use hardware security modules (HSMs) and cryptography supported by Azure Key Vault.
I've also reached out to the Azure Dedicated HSM team to look into your issue and will update as soon as possible.
Additional Links:
- Is Azure Dedicated HSM right for you?
- Can I import keys from an existing On-premises HSM to Dedicated HSM?
- What cryptographic keys and algorithms are supported by Dedicated HSM?
- Import keys from your on-premises HSMs - Azure Key Vault Managed HSM
- Safeguarding of customer data - Can I use my own cryptography or encryption hardware?
I hope this helps!
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.