Difference: HSM-protected keys in Vaults vs. HSM-protected keys in Managed HSM

MS Techie 2,676 Reputation points
2023-02-27T12:55:45.9466667+00:00

While creating Azure VMs, we can keep the SSE encryption keys using Customer Managed Keys. We have 2 options when storing these CMK keys in an HSM, namely (I know Azure Key Vault software-based also supports CMK, but that is not my question; mine is related only to HSM):

  1. HSM-protected keys in vaults (Premium SKU)
  2. HSM-protected keys in Managed HSM
  3. Azure Dedicated HSM

What is the difference between 1, 2 and 3?

I thought both option 1 and option 2 are the same and related to the Azure Key Vault Premium SKU. What is the difference?


What is the difference between options (1), (2) and (3)?

  1. Marilee Turscak-MSFT 33,706 Reputation points Microsoft Employee
    2023-03-01T01:30:25.0933333+00:00

    Hi MS Techie ,
    I noticed that you listed three separate products in your written description from what you listed in your screenshot, so I'll go through the first list first. Here are the differences between the first three that you listed:

    1. HSM-protected keys in vaults (Premium SKU) have FIPS 140-2 Level 2 compliance (lower security compliance than Managed HSM), and store the cryptographic keys in vaults. Vaults support software-protected and HSM-protected keys, whereas Managed HSMs only support HSM-protected keys. Vaults are low-cost, easy to deploy, zone-resilient, highly available, and multi-tenant, whereas Managed HSMs are single-tenant, zone-resilient (where available), highly available, and useful for applications that have stringent security requirements.
    2. HSM-protected keys in Managed HSM have FIPS 140-2 Level 3 compliance (higher security compliance than vaults). Managed HSMs store the cryptographic keys in managed HSMs and only support HSM-protected keys. Managed HSMs are single-tenant, zone-resilient (where available), highly available, and useful for applications that have stringent security requirements, whereas vaults are low-cost, easy to deploy, zone-resilient, highly available, and multi-tenant.
    3. Azure Dedicated HSM is a product offering that provides cryptographic key storage in Azure. With Azure Dedicated HSM, you manage who in your organization can access your HSMs and the scope and assignment of their roles. It meets the most stringent security and compliance requirements and is essentially an HSM-for-lease service.

    You can read more details about the first two options here. Note that according to FIPS compliance standards, "FIPS 140-2 is a standard which handles cryptographic modules and the ones that organizations use to encrypt data-at-rest and data-in-motion. FIPS 140-2 has 4 levels of security, with level 1 being the least secure, and level 4 being the most secure."

    As for your screenshot from the pricing page, I believe that the difference between Hardware Security Module Protected Keys (Premium only) and Advanced Hardware Security Module Protected Keys (Premium only) is only the key type that you are using. Judging by the other pricing pages, this appears to be referring to the difference between Advanced key types and RSA 2048-bit keys, since these have different costs. Based on the table below, this seems to be the case.

    That said, I shared your screenshot with the product team since I agree that the wording is confusing, and I'll update this post if I'm wrong or missing any details about this. (EDIT: Confirmed that this is the case.) You are also free to reach out to the sales/billing team for clarification on the pricing and offerings.

    Regarding Managed HSM Pools, these are meant to provide highly available and zone resilient clusters to protect against hardware failure. The term "Managed HSM instance" is synonymous with "Managed HSM pool". Each Managed HSM pool/instance consists of a cluster of multiple HSM partitions. They support only HSM-backed keys and use FIPS 140-2 Level 3 validated HSMs. Let me know if this helps and if I addressed all of your questions.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who might be researching similar information.


  2. Fabian Gonzalez 501 Reputation points Microsoft Employee
    2023-03-01T04:26:46.4+00:00

    @MS Techie I know it may be confusing to understand from the pricing page, but if you see the image below you may notice the difference:


    In the HSM-protected keys category we have the following: RSA-HSM 2048 bits, RSA-HSM 3072 bits, RSA-HSM 4096 bits and ECC Keys.

    The first of these is considered HSM-protected and the rest are Advanced HSM-protected. In sum, 3K/4K RSA-HSM keys and ECC keys are considered advanced, and only the 2K RSA-HSM key is 'not advanced'.

    The above applies to AKV HSM-protected keys (available only in the Premium SKU) and answers #1 & #2 from your image.

    #3 in your image is for Managed HSM, where we don't charge per key, as Managed HSM does not use a transactional payment model as AKV does. For Managed HSM the cost will be $3.20 per hour of usage.

    As for Azure Dedicated HSM (ADHSM), that is nothing our team (AKV) supports; it is a different product, and the screenshot from the pricing page you shared has nothing to do with ADHSM. It looks like you might have mixed up the products, but the screenshot you shared applies to AKV and Managed HSM as explained above.
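
The two answers above give the practitioner-relevant rules: a vault key is software-protected or HSM-protected depending on its JWK key type, only the 2048-bit RSA-HSM key is billed as plain "HSM-protected" while 3K/4K RSA-HSM and ECC keys are "Advanced", and Managed HSM is billed per hour rather than per key. The script below is an added example, not code from either answerer or from Microsoft: it takes key bundles shaped like the Key Vault REST "get key" response (`key.kid`, `key.kty`, `key.n` or `key.crv`), sorts each key into store, protection tier and billing note, and lists keys that are not HSM-backed so you can verify that a disk-encryption CMK really is one. The key-type values `RSA`, `EC`, `RSA-HSM`, `EC-HSM` are real Key Vault key types; the host suffixes used to tell a Managed HSM key id from a vault key id, the grouping of `oct-HSM` with the other HSM types, and the sample vault names and key ids are assumptions made for the example.

```python
"""Added example: classify Key Vault / Managed HSM key bundles into the
protection and billing categories described in the answers above.
Not Microsoft code; sample bundles below are constructed."""
import base64

# Real Key Vault JWK key types. Software keys live only in vaults; the -HSM
# types are HSM-backed. oct-HSM is grouped with the HSM types by assumption
# (it is not mentioned in the answers above).
SOFTWARE_KEY_TYPES = {"RSA", "EC", "oct"}
HSM_KEY_TYPES = {"RSA-HSM", "EC-HSM", "oct-HSM"}


def _b64url_decode(text: str) -> bytes:
    """Key Vault returns JWK fields base64url-encoded without padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def rsa_bits(key: dict) -> int:
    """Infer the RSA modulus size in bits from the JWK 'n' field."""
    return int.from_bytes(_b64url_decode(key["n"]), "big").bit_length()


def store_of(kid: str) -> str:
    """Which service issued the key id. Assumption: Managed HSM ids use a
    *.managedhsm.azure.net host, vault ids use *.vault.azure.net."""
    host = kid.split("/")[2].lower()
    if host.endswith(".managedhsm.azure.net"):
        return "managed-hsm"
    if host.endswith(".vault.azure.net"):
        return "vault"
    return "unknown"


def classify(bundle: dict) -> dict:
    """Return store, protection tier and billing note for one key bundle."""
    key = bundle["key"]
    kty = key["kty"]
    store = store_of(key["kid"])
    if kty in SOFTWARE_KEY_TYPES:
        tier = "software"
    elif kty == "RSA-HSM":
        # Per the answer: only 2K RSA-HSM is plain "HSM-protected";
        # 3K/4K RSA-HSM keys are "Advanced".
        tier = "hsm" if rsa_bits(key) <= 2048 else "advanced-hsm"
    elif kty in HSM_KEY_TYPES:
        # ECC HSM keys (any curve) are "Advanced" per the answer.
        tier = "advanced-hsm"
    else:
        tier = "unknown"
    if store == "managed-hsm":
        # Managed HSM is billed per hour of usage, not per key.
        billing = "hourly instance charge, no per-key charge"
    else:
        billing = {
            "software": "software key",
            "hsm": "HSM-protected key (Premium)",
            "advanced-hsm": "Advanced HSM-protected key (Premium)",
        }.get(tier, "unknown")
    return {"kid": key["kid"], "store": store, "tier": tier, "billing": billing}


def find_non_hsm_keys(bundles: list) -> list:
    """Audit helper: key ids that are not HSM-backed, e.g. a CMK that should be."""
    return [c["kid"] for c in map(classify, bundles)
            if c["tier"] not in ("hsm", "advanced-hsm")]


def _fake_modulus(bits: int) -> str:
    """Constructed modulus with exactly `bits` bits (not a real key)."""
    raw = (1 << (bits - 1)).to_bytes(bits // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample bundles shaped like the REST "get key" response.
SAMPLE_BUNDLES = [
    {"key": {"kid": "https://contoso-kv.vault.azure.net/keys/sse-sw/1",
             "kty": "RSA", "n": _fake_modulus(2048)}},
    {"key": {"kid": "https://contoso-kv.vault.azure.net/keys/sse-hsm/1",
             "kty": "RSA-HSM", "n": _fake_modulus(2048)}},
    {"key": {"kid": "https://contoso-kv.vault.azure.net/keys/sse-hsm-4k/1",
             "kty": "RSA-HSM", "n": _fake_modulus(4096)}},
    {"key": {"kid": "https://contoso-kv.vault.azure.net/keys/sse-ec/1",
             "kty": "EC-HSM", "crv": "P-256"}},
    {"key": {"kid": "https://contoso-mhsm.managedhsm.azure.net/keys/sse-mhsm/1",
             "kty": "RSA-HSM", "n": _fake_modulus(3072)}},
]

if __name__ == "__main__":
    for c in map(classify, SAMPLE_BUNDLES):
        print(f"{c['store']:12} {c['tier']:13} {c['billing']:42} {c['kid']}")
    print("non-HSM keys:", find_non_hsm_keys(SAMPLE_BUNDLES))
```

Feed it the JSON you get back from listing key versions in the vault or Managed HSM that holds your CMKs; any key id returned by `find_non_hsm_keys` is a software-protected key, which is the case the question wants to rule out.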


  3. Senthil Kumar Thangarajan 0 Reputation points
    2023-08-11T04:35:22.1333333+00:00

    Hi All, I want to use AKV managed HSM for snowflake tri-secret secure encryption. Is it possible?
