Key Vault HSM

George L. Hickox 1 Reputation point

My understanding is there are currently four options with Azure Key Vault / HSM to protect your keys.

a) Key Vault Software Protected Keys (Standard Pricing)
b) Key Vault HSM Protected Keys (Premium Pricing)
c) Key Vault managed-HSM , own HSM partition
d) Dedicated HSM (no Key Vault)

obviously with option a the keys are not protected / stored within a HSM
specially for the other options, I am very interested to have a documentation or "official" statement on the key handling using the options azure offers via CLI / web interface and explicitly not considering some BYO key scenario.

  1. generated (within HSM, outside HSM and imported)
  2. operation performed within HSM or outside HSM (eg.: hashing, encryption)
  3. is the key exportable from the HSM , if not how to validate this (eg.: key attributes?)

basically I am not able to find answers online to these questions and I am not able to validate this myself as the web interface only allow limited access anyhow.

most documentation refers to BYO key where obviously proterties can be set and validated outside Azure , but I don't own HSM myself, so the BYO option is not applicable or feasible.

it would be really nice to get some statement / documentation that can be taken as evidence, for the key not able to leave the HSM and all operations are performaed within the HSM

feel free to ask questions if something is not clear, many thanks and regards

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,183 questions
Azure Dedicated HSM
Azure Dedicated HSM
An Azure service that provides hardware security module management.
27 questions
{count} votes