MichaelHathaway-1756 asked, JamesTran-MSFT answered

Azure Key Vault FIPS 140-2 Level 2 proof

Hello Everyone,

I am looking to use Key Vault for a public trust environment and need to prove to an auditor that I am using the FIPS 140-2 Level 2 Azure Key Vault. They are not willing to accept the billing or product details and need to see a PowerShell output that proves the key vault is operating in FIPS mode and at the right level. Commercial HSM products from Thales Luna and Entrust nShield offer this off the shelf; how is this achieved with Azure Key Vault, please?

Thanks in advance.

Michael

azure-key-vault

JamesTran-MSFT answered

@MichaelHathaway-1756
Thank you for your post!

I don't believe there are any Az.KeyVault PowerShell commands that display the FIPS 140-2 Level 2 output. However, I did find some documentation that mentions Azure Key Vault uses nCipher HSMs, which are Federal Information Processing Standards (FIPS) 140-2 Level 2 validated...


For more info:
Securely store secrets and keys
Key Vault roles


I've also reached out to our Azure Key Vault SMEs to see if there is any other way we can see this information and will update as soon as possible.


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


Hi @JamesTran-MSFT,

Thanks for the response. Yes, I am aware that the service uses nCipher HSMs, which are FIPS certified; however, Azure also offers FIPS 140-2 Level 1 software-protected keys, and as there is no apparent command to reveal which you are using, auditors are reluctant to sign off on the fact that you are using HSM-protected keys. The issue comes from the following page:

https://docs.microsoft.com/en-us/azure/key-vault/keys/about-keys

COMPLIANCE

Key type and destination                                       Compliance
Software-protected keys in vaults (Premium & Standard SKUs)    FIPS 140-2 Level 1
HSM-protected keys in vaults (Premium SKU)                     FIPS 140-2 Level 2
HSM-protected keys in Managed HSM                              FIPS 140-2 Level 3

It is important to be able to show the compliance level you are operating at if you want to be able to host a publicly trusted certificate.


@MichaelHathaway-1756
Thank you for the quick follow up and for providing these additional details!

I've passed this along to our KV engineering team and will update as soon as I receive a response from their end.


If you have any other questions in the meantime, please let me know.
Thank you for your time and patience throughout this issue.

JamesTran-MSFT answered

@MichaelHathaway-1756
Thank you for your time and patience!

KV team update: Compliance
[screenshot: the Compliance table from the About keys documentation]
As you can see from the screenshot and within our About keys documentation, software-protected keys are FIPS 140-2 Level 1 protected and hardware-protected keys are FIPS 140-2 Level 2.

Software protected keys:
RSA and EC

Hardware-protected keys:
RSA-HSM and EC-HSM (notice they have the '-HSM' identifier)

When creating your keys within a Standard vault, you'll notice that the only available options are RSA and EC. However, if you do this in a Premium KV, you'll see 2 more options, the hardware-protected keys RSA-HSM and EC-HSM.
[screenshot: the Create a key dialog in a Premium vault showing the RSA, EC, RSA-HSM and EC-HSM options]

Within the portal you can click on the key and select its version to see the key type: EC or RSA (software keys), or RSA-HSM/EC-HSM (hardware keys). You will see the same information displayed in PS/CLI when you run the get key commands.
[screenshot: a key version's properties showing the key type]

The HSMs used for our hardware-protected keys use these certificates, and you can see the FIPS compliance level from there. The HSM model is Thales nShield Solo F2 6000+. The corresponding NIST certificates are as follows: Certificate #2643 and Certificate #2121.



As of right now, there's no specific command or REST API that specifically displays the FIPS 140-2 Level 2 output.


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


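The check the answer describes, reading the key type from the get-key output together with the vault SKU, as an added PowerShell example that is not part of this thread and is not Microsoft's own tooling. It assumes the Az.Accounts and Az.KeyVault modules are installed, Connect-AzAccount has been run, the caller can list and get keys in the vault, and that the Az.KeyVault output objects expose the properties used here (Sku and VaultUri on the vault, Key.Kty, Version and Enabled on the key); the FIPS level column is derived from the About keys compliance table quoted above, not from any flag returned by the service, which, as the answer states, does not exist.

```powershell
<#
  Added example (not from the thread or from Microsoft): list every key in a vault
  with the FIPS 140-2 level implied by its key type, for an auditor's evidence file.
  Assumes Az.Accounts + Az.KeyVault are installed and Connect-AzAccount has been run.
#>
param(
    [Parameter(Mandatory)][string]$VaultName,
    # Optional: check a single key. A certificate's backing key has the certificate's name.
    [string]$KeyName
)

# JSON Web Key 'kty' -> protection level, per the About keys compliance table.
# Managed HSM (Level 3) is a separate resource type and is not covered by this script.
$levelByKeyType = @{
    'RSA'     = 'FIPS 140-2 Level 1 (software-protected)'
    'EC'      = 'FIPS 140-2 Level 1 (software-protected)'
    'RSA-HSM' = 'FIPS 140-2 Level 2 (HSM-protected)'
    'EC-HSM'  = 'FIPS 140-2 Level 2 (HSM-protected)'
}

$vault = Get-AzKeyVault -VaultName $VaultName
if (-not $vault) { throw "Vault '$VaultName' was not found in the current subscription." }

# HSM-protected key types are only offered in the Premium SKU, so record the SKU as well.
Write-Host ("Vault: {0}  SKU: {1}  URI: {2}" -f $vault.VaultName, $vault.Sku, $vault.VaultUri)

$names = if ($KeyName) { @($KeyName) } else { @((Get-AzKeyVaultKey -VaultName $VaultName).Name) }

$report = foreach ($name in $names) {
    # The list form does not carry the JSON Web Key; fetch each key by name to read its kty.
    $k   = Get-AzKeyVaultKey -VaultName $VaultName -Name $name
    $kty = [string]$k.Key.Kty
    [pscustomobject]@{
        Name    = $k.Name
        Version = $k.Version
        KeyType = $kty
        Level   = if ($levelByKeyType.ContainsKey($kty)) { $levelByKeyType[$kty] } else { "unknown key type '$kty'" }
        Enabled = $k.Enabled
    }
}

$report | Format-Table -AutoSize

# Exit non-zero if any key is not HSM-protected, so the check can gate a pipeline.
$soft = @($report | Where-Object { $_.KeyType -notlike '*-HSM' })
if ($soft.Count -gt 0) {
    Write-Warning ("{0} key(s) are not HSM-protected: {1}" -f $soft.Count, ($soft.Name -join ', '))
    exit 1
}
```

Run it as `.\Get-KeyVaultFipsLevel.ps1 -VaultName <vault>` (file name is the author's choice here) and attach the transcript together with the vault's SKU; the equivalent Azure CLI lookup for one key is `az keyvault key show --vault-name <vault> --name <key> --query key.kty -o tsv`, which prints RSA-HSM or EC-HSM for hardware-protected keys. Neither output proves FIPS mode directly; what it shows is that the key was created as an HSM key in a Premium vault, which is the property the compliance table maps to Level 2.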