Azure Dedicated HSM - custom cipher algorithm

Darhani, David 0 Reputation points
2023-08-22T16:46:35.75+00:00

We want to deploy a cloud data encryption service for symmetric encryption. We use our custom proprietary block cipher algorithm.

Is there a way to use our own symmetric cipher code with Azure Dedicated HSM secure key storage and encryption service?


1 answer

  1. JamesTran-MSFT 36,531 Reputation points Microsoft Employee
    2023-08-23T19:47:54.7+00:00

    @Darhani, David

    Thank you for your post!

    I understand that you have a question regarding the ability to use your own custom proprietary block cipher algorithm with Azure Dedicated HSM. To hopefully point you in the right direction or resolve your issue, I'll share my findings below.


    Findings:

    To ensure I point you in the right direction, please understand that:

    Azure Dedicated HSM is most suitable for “lift-and-shift” scenarios that require direct and sole access to HSM devices. However, Azure Dedicated HSM is not a good fit for Microsoft cloud services that support encryption with customer-managed keys (for example Azure Disk Encryption, Azure Storage, Azure SQL Database, etc.) that are not integrated with Azure Dedicated HSM. For more info.

    When it comes to Azure Dedicated HSM, the only supported symmetric algorithms are:

    • AES-GCM
    • Triple DES
    • DES
    • ARIA, SEED
    • RC2
    • RC4
    • RC5
    • CAST
    • Hash/Message Digest/HMAC: SHA-1, SHA-2, SM3
    • Key Derivation: SP 800-108 Counter Mode
    • Key Wrapping: SP 800-38F
    • Random Number Generation: FIPS 140-2 approved DRBG (SP 800-90 CTR mode), complying with BSI DRG.4

    Unfortunately, it isn't possible to use your own symmetric cipher code with Azure Dedicated HSM. However, you can look into using the Azure Key Vault Managed HSM if you'd like to generate HSM-protected keys in your on-premises HSM and import them securely to Azure. For more info.

    • Please keep in mind, if you expect to use customer-managed keys for services integrated with Azure Key Vault (for example, Azure Disk encryption, Azure Storage, Azure SQL Database, etc.), then you must use hardware security modules (HSMs) and cryptography supported by Azure Key Vault.

    I've also reached out to the Azure Dedicated HSM team to look into your issue and will update as soon as possible.

    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.


    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.