How do we prove to Security Auditors that Microsoft is using "FIPS 140-2 Level 2 validated HSMs" for Azure Key Vault (Premium)

M Kumar 10 Reputation points
2024-02-23T12:35:10.3633333+00:00

Hello Support, Could you please clarify the following:

  1. How do we prove to Security Auditors that Microsoft is actually using "FIPS 140-2 Level 2 validated HSMs" for storing keys in Azure Key Vault (PREMIUM) service? How do we prove that private keys are safe and never leave Key Vault?
  2. Please provide the manufacturer and model details of the actual HSM modules being used for storing keys in Azure Key Vault (Premium) service.
  3. We are looking for CMVP (Cryptographic Module Validation Program) NIST certificate like the certificate issued for AWS Key Management Service HSM modules (https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4177). Could you provide NIST CMVP certificate details for Azure Key Vault (Premium) service?

Thank you,
Kumar Marisetti


1 answer

  1. Fabian Gonzalez 501 Reputation points Microsoft Employee
    2024-03-14T04:03:44.9566667+00:00

    @Kumar Marisetti

    How do we prove to Security Auditors that Microsoft is actually using "FIPS 140-2 Level 2 validated HSMs" for storing keys in Azure Key Vault (PREMIUM) service? How do we prove that private keys are safe and never leave Key Vault?

    ANSWER:
    If your premium HSM keys have hsmPlatform 1, they are FIPS 140-2 level 2 compliant, while if they have hsmPlatform 2, the keys will be FIPS 140-2 level 3 compliant following our recent announcement: General availability: Improvements in Azure Key Vault | Azure updates | Microsoft Azure. The way you may prove the above mentioned is because the premium HSM keys in KV are identified with a '-HSM' at the end of their KeyType, which means the key is HSM-protected. For instance, if you look on the portal at the key details, the Key Type should be RSA-HSM or EC-HSM, not RSA or EC because the latter denotes the keys are Software-protected. You may also get info about the KeyType via Azure PowerShell, CLI, API, etc.

    Now, the way you prove keys aren’t exportable is because if you try to download the key from the GUI or any other interface, it will let you download the public key only, but you will never have the whole keypair as the private key never leaves the service. The only exception is when you are using: Secure Key Release with Azure Key Vault and Azure Confidential Computing | Microsoft Learn

    External audits such as FedRAMP and PCI validate our use of HSMs and their CMVP certificates.

    Please provide the manufacturer and model details of the actual HSM modules being used for storing keys in Azure Key Vault (Premium) service. We are looking for CMVP (Cryptographic Module Validation Program) NIST certificate like the certificate issued for AWS Key Management Service HSM modules (https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4177).

    Could you provide NIST CMVP certificate details for Azure Key Vault (Premium) service?

    ANSWER:
    hsmPlatform 1: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/Certificate/2643 - these are nCipher nShield models.
    hsmPlatform 2: https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/3718 - these are Marvell models.

    1 person found this answer helpful.
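Added example (not from the answer above or from Microsoft): an audit helper that applies the checks described in the answer to the JSON returned per key by `az keyvault key show`. It assumes the field names `key.kty`, `attributes.hsmPlatform` and `attributes.exportable`; the vault name, key names and attribute values in the sample are constructed.

```python
import json

# Constructed sample input, shaped like the JSON `az keyvault key show` returns
# for each key (assumed field names: key.kid, key.kty, attributes.hsmPlatform,
# attributes.exportable). Vault name, key names and values are invented.
SAMPLE_KEYS = json.loads("""[
  {"key": {"kid": "https://example-kv.vault.azure.net/keys/signing-key/1", "kty": "RSA-HSM"},
   "attributes": {"enabled": true, "hsmPlatform": "2", "exportable": false}},
  {"key": {"kid": "https://example-kv.vault.azure.net/keys/legacy-key/1", "kty": "RSA"},
   "attributes": {"enabled": true, "exportable": false}},
  {"key": {"kid": "https://example-kv.vault.azure.net/keys/skr-key/1", "kty": "EC-HSM"},
   "attributes": {"enabled": true, "hsmPlatform": "1", "exportable": true}}
]""")

# FIPS 140-2 level per hsmPlatform value, as stated in the answer above.
FIPS_LEVEL_BY_PLATFORM = {"1": "FIPS 140-2 Level 2", "2": "FIPS 140-2 Level 3"}


def classify_key(entry):
    """Return an audit record for one key-show JSON object."""
    kty = entry["key"]["kty"]
    attrs = entry.get("attributes", {})
    platform = attrs.get("hsmPlatform")
    record = {
        "kid": entry["key"]["kid"],
        "kty": kty,
        # The '-HSM' suffix on the key type marks an HSM-protected key.
        "hsm_protected": kty.endswith("-HSM"),
        "fips_level": FIPS_LEVEL_BY_PLATFORM.get(platform),
        # exportable=true is the Secure Key Release case; flag it so the auditor
        # reviews the release policy instead of assuming the key never leaves.
        "exportable": bool(attrs.get("exportable", False)),
        "findings": [],
    }
    if not record["hsm_protected"]:
        record["findings"].append("software-protected key: not backed by an HSM")
    elif record["fips_level"] is None:
        record["findings"].append("HSM key without hsmPlatform: cannot map to a CMVP certificate")
    if record["exportable"]:
        record["findings"].append("exportable key (Secure Key Release): review release policy")
    return record


def audit_vault(entries):
    """Classify every key; return (records, kids that need auditor attention)."""
    records = [classify_key(e) for e in entries]
    flagged = [r["kid"] for r in records if r["findings"]]
    return records, flagged
```

Feed it the output of `az keyvault key show` for each key in the vault; keys that come back with no findings are HSM-protected, mapped to a platform, and not exportable.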
