Current Azure Key Vault FIPS 140-2 Level 2 proof

Harry, Christopher 20 Reputation points
2023-03-01T15:33:45.5233333+00:00

There was a similar (exact) question answered back in October of 2021. I'm not sure if things have changed since then, so I figured I would ask just in case.

We are looking to use Key Vault for housing keys and the audit company needs the make, model and FIPS 140-2 Level 2 NIST certificates for the HSMs that are used to secure HSM-backed keys in the key vault (NOT via managed HSM).

Can that information be provided?

Thanks!

-Chris

Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.

Accepted answer
  1. JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator
    2023-03-02T23:51:46.5633333+00:00

    @Harry, Christopher

    Thank you for your detailed post!

    I understand that you're looking into leveraging the Azure Key Vault to store your Keys, Secrets, and Certificates. However, your auditing company needs the make, model, and FIPS 140-2 Level 2 NIST certificates for the hardware security modules (HSMs) that are used to secure the HSM-backed keys. For more info - Azure key management services.

    From your issue, I reached out to our Key Vault engineering team and there's no change since the October 2021 question, but I did receive a response from their end which I'll share below.

    Key Vault service uses a mix of Thales nShield F2 6000+ and Marvell LiquidSecurity HSM cards in the backend for HSM functionality. They are FIPS 140-2 Level 2 or greater validated. The relevant NIST certificates are here (Cryptographic Module Validation Program | CSRC (nist.gov)) and here (Cryptographic Module Validation Program | CSRC (nist.gov)).

    This certificate is for the current generation of hardware/firmware. Microsoft regularly upgrades the hardware and firmware behind Azure Key Vault. It may change in future.

    It's important to mention that there is no direct access to the HSMs in Azure Key Vault Premium or Azure Key Vault Managed HSM today. We do document the HSMs we're using and their FIPS certificates, as shared above. However, providing some kind of attestation from the HSM of the HSM protecting keys in AKV Premium and MHSM is something we are considering in the future but not at the moment.

    I hope this helps!


    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
