Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,115 questions
Key Vault HSM
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 28.999999999999996%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGL%3C/text%3E%3C/svg%3E)
George L. Hickox
1
Reputation point
My understanding is there are currently four options with Azure Key Vault / HSM to protect your keys.
a) Key Vault Software Protected Keys (Standard Pricing)
b) Key Vault HSM Protected Keys (Premium Pricing)
c) Key Vault managed-HSM , own HSM partition
d) Dedicated HSM (no Key Vault)
obviously with option a the keys are not protected / stored within a HSM
specially for the other options, I am very interested to have a documentation or "official" statement on the key handling using the options azure offers via CLI / web interface and explicitly not considering some BYO key scenario.
- generated (within HSM, outside HSM and imported)
- operation performed within HSM or outside HSM (eg.: hashing, encryption)
- is the key exportable from the HSM , if not how to validate this (eg.: key attributes?)
basically I am not able to find answers online to these questions and I am not able to validate this myself as the web interface only allow limited access anyhow.
most documentation refers to BYO key where obviously proterties can be set and validated outside Azure , but I don't own HSM myself, so the BYO option is not applicable or feasible.
it would be really nice to get some statement / documentation that can be taken as evidence, for the key not able to leave the HSM and all operations are performaed within the HSM
feel free to ask questions if something is not clear, many thanks and regards
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee2021-10-06T23:34:11.51+00:00 With Key Vault, Microsoft doesn’t see or extract your keys. This is covered in the product overview. If you would like to discuss this further, feel free to send me an email (added in the private comment below).
-
George L. Hickox 1 Reputation point
2021-10-07T04:58:59.84+00:00 many thanks for you response (I can't find a private comment unfortunately)
the statement in the product overview about " MSF doesn't see or extract your keys" is a good start but very high level and eg. for software protected keys I trust you don't see or extract the key, still one would be able to do so. therefor HSM protected keys with premium Key Vault exists. In case I mark a key not extractable during creation I can't download the private key within web console, but I don't have any way to validate (eg. based on key attributes) that the key is in fact created within HSM and all operation have to happen in HSM as the key is not extractable. so for me the audit trail, or evidence that a HSM protected key really is inside hSM and also MSF can't extract it is rather weak or non existence if we ignore mostly marketing statements like the one in the product overview.
Sign in to comment