FAQ about Azure Cloud HSM

Find answers to common questions about Microsoft Azure Cloud HSM.

General questions

What is Azure Cloud HSM?

Microsoft Azure Cloud HSM is a service that provides secure storage for cryptographic keys by using hardware security modules (HSMs) that meet the FIPS 140-3 Level 3 security standard. It's a customer-managed, single-tenant, highly available service that complies with industry standards.

Azure Cloud HSM supports various applications, including PKCS#11, offloading of Secure Sockets Layer (SSL) or Transport Layer Security (TLS) processing, certificate authority (CA) private key protection, and transparent data encryption (TDE). It also supports document and code signing.

Azure Cloud HSM provides high availability and redundancy by grouping multiple HSMs into a cluster and automatically synchronizing across three HSM instances. The HSM cluster supports load balancing of cryptographic operations. Periodic HSM backups help ensure secure and simple data recovery. For more information, see What is Azure Cloud HSM?.

What is an HSM?

A hardware security module (HSM) is a physical computing device that's designed to protect and administer cryptographic keys. Within HSMs, keys are securely stored and used for cryptographic operations. Tamper-resistant and tamper-evident hardware modules help ensure the confidentiality and integrity of those keys. Access to the keys is restricted to authenticated and authorized applications, so the key material always remains within the protected boundary of the HSM. For more information, see Secure your Azure Cloud HSM deployment.

What hardware is used for Azure Cloud HSM?

Azure Cloud HSM uses Marvell LiquidSecurity hardware security modules. For more information about service specifications, see Azure Cloud HSM service limits.

What software is provided with Azure Cloud HSM?

Microsoft supplies all software and tools for Azure Cloud HSM through its SDK. You can download the Azure Cloud HSM SDK from GitHub. For more information about integration options, see Azure Cloud HSM integration guides.

Do I need to manage the firmware on my HSM?

No, Microsoft oversees the firmware on the hardware. A third party (the HSM manufacturer) maintains the hardware. NIST evaluates the firmware and must sign it to ensure compliance with FIPS 140-3 Level 3 standards. For more information about hardware management, see What is Azure Cloud HSM?.

How do I decide whether to use Azure Cloud HSM or Azure Managed HSM?

Azure offers multiple solutions for cryptographic key storage and management in the cloud: Azure Key Vault (standard and premium offerings), Azure Managed HSM, Azure Cloud HSM, and Azure Payment HSM. It can be overwhelming for customers to decide which solution is best for them. A flowchart, based on common high-level requirements and key management scenarios, is available to help customers make this decision. See How to choose the right key management solution.

What usage scenarios best suit Azure Cloud HSM?

Azure Cloud HSM is best suited for migration scenarios, when you're migrating on-premises applications that are already using HSMs to Azure. Azure Cloud HSM provides a low-friction option to migrate to Azure with minimal changes to the application.

If cryptographic operations are performed in an application's code running in an Azure virtual machine or web app, an organization can use Cloud HSM. In general, shrink-wrapped software running in infrastructure as a service (IaaS) models that support HSMs as a key store can use Cloud HSM. This software includes:

• Active Directory Certificate Services (AD CS).
• SSL/TLS offloading for NGINX and Apache.
• Tools and applications used for document signing.
• Code signing.
• Java applications that require a Java Cryptography Extension (JCE) provider.
• Microsoft SQL Server TDE (IaaS) through Extensible Key Management (EKM).
• Oracle TDE.

For more information about implementing these scenarios, see Azure Cloud HSM integration guides.

Can Azure Cloud HSM host my HSMs for me?

No. Microsoft doesn't support "bring your own HSM." Azure Cloud HSM can't host any customer-provided devices. For more information about the service architecture, see What is Azure Cloud HSM?.

Can I migrate my keys in Azure Dedicated HSM to Azure Cloud HSM?

Yes, but it depends on your architecture and configuration. If your Dedicated HSM deployment is configured in a high-availability (HA) grouping, you can't migrate keys. The reason is that key export is disabled to allow for key cloning (HA grouping), and changing those attributes is a destructive process. If your Dedicated HSM deployment is configured in an HA grouping, you must create new keys when migrating to Azure Cloud HSM. For more information about key management, see Key management in Azure Cloud HSM.

Customer onboarding

Does Azure Cloud HSM have a monetary policy for onboarding?

No, Azure Cloud HSM doesn't have a monetary policy. Onboarding Azure Cloud HSM is open to all customers. For more information about getting started, see Azure Cloud HSM onboarding guide.

Billing

How am I charged and billed for my use of Azure Cloud HSM?

You incur an hourly fee for each Azure Cloud HSM cluster, which consists of three nodes. After you provision a Cloud HSM resource, it remains continuously active (always on). Billing starts when you provision a resource, rather than when you finish initializing the HSM resource. For more information about deployment options, see Deploy Azure Cloud HSM by using PowerShell or Deploy Azure Cloud HSM by using the Azure portal.

What extra costs might I incur with the Azure Cloud HSM service?

Azure Cloud HSM requires a network infrastructure, such as a virtual network and a private endpoint. It also requires resources such as virtual machines for device configuration. These resources incur extra costs and are not included in the Azure Cloud HSM service pricing. For more information about network requirements, see Network security for Azure Cloud HSM.

Does the Azure Cloud HSM service have a free tier?

No, a free tier is not available for Azure Cloud HSM. For more information about service offerings, see What is Azure Cloud HSM?.

Interoperability

What operating systems does Azure Cloud HSM SDK support?

• Windows Server 2016, 2019, and 2022
• Linux (Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04, RHEL 7, RHEL 8, and RHEL 9)
• CBL Mariner 2

For more information about compatibility and troubleshooting, see Troubleshoot Azure Cloud HSM.

How do I manage Azure Cloud HSM?

You manage your service deployment by accessing your Azure Cloud HSM cluster via Secure Shell (SSH) and the Azure Cloud HSM SDK from GitHub. For more information about management operations, see User management in Azure Cloud HSM.

How does my application connect to Azure Cloud HSM?

The Azure Cloud HSM SDK contains software and tools to execute cryptographic operations within applications. Azure Cloud HSM supports various interfaces, including PKCS#11, OpenSSL, JCE, key storage provider (KSP), and Cryptography API: Next Generation (CNG). The range of tools in the SDK enables seamless interaction with your HSM.

You can download the Azure Cloud HSM SDK from GitHub. For more information about connectivity methods, see Authentication in Azure Cloud HSM.

Does Azure Cloud HSM support password-based and PED-based authentication?

Azure Cloud HSM supports only password-based authentication. It doesn't support authentication through a PIN entry device (PED). For more information about authentication methods, see Authentication in Azure Cloud HSM.

Can an application connect to Azure Cloud HSM from a different virtual network within a region or across regions?

Yes. Use virtual network peering within a region to establish connectivity across virtual networks. For cross-region connectivity, use global virtual network peering or a VPN gateway. For more information about network configurations, see Network security for Azure Cloud HSM.

Does Azure Cloud HSM work with on-premises HSMs?

No. Although Azure Cloud HSM doesn't directly interoperate with on-premises HSMs, you can securely transfer exportable keys between Azure Cloud HSM and most commercial HSMs by using one of several supported key-wrap methods. For more information about key management, see Key management in Azure Cloud HSM.

Can I use keys stored in Azure Cloud HSM to encrypt data that other Azure services use?

No. Azure Cloud HSM clusters are accessible only from inside your virtual network. For more information about service limitations, see What is Azure Cloud HSM?.

Can I use Azure Cloud HSM with Microsoft Purview Customer Key, Azure Information Protection, Azure Data Lake Storage, Azure Disk Encryption, or Azure Storage encryption?

No. Azure Cloud HSM is provisioned directly into your private IP address space, so other Azure or Microsoft services can't access it. For more information about service capabilities and limitations, see What is Azure Cloud HSM?.

Can I import keys from existing on-premises HSMs to Azure Cloud HSM?

Yes. There are multiple methods for bring your own key (BYOK) and having on-premises HSMs that allow key export (key wrap). For more information about key import operations, see Key management in Azure Cloud HSM.

Can I install functionality modules in Azure Cloud HSM?

No. The Azure Cloud HSM service doesn't support functionality modules. For more information about service capabilities, see Azure Cloud HSM service limits.

Can I update the partition owner certificate after I upload it?

No. You can't change the partition owner certificate after you upload it. If you upload PO.crt in error, you need to delete your Azure Cloud HSM resource and deploy again.

Business continuity

Can I restore a backup to the source Azure Cloud HSM resource?

No. You can't restore a backup to its source Azure Cloud HSM resource because it's in an activated state. For more information about backup and restore operations, see Backup and restore in Azure Cloud HSM.

Can I restore a backup to another destination Azure Cloud HSM resource that's in an activated state?

No. Azure Cloud HSM doesn't support restoring a backup to its source HSM or any Cloud HSM resource that's already activated. Otherwise, the restore operation will fail and put the destination Cloud HSM resource in a nonfunctional state. For more information about the restoration process, see Restoration guidelines for Azure Cloud HSM.

Can I restore a backup to another Azure Cloud HSM resource in a different region?

Yes. You can restore a backup to another Azure Cloud HSM resource in any region, if the destination Cloud HSM resource is not in an activated state. For more information about cross-region restoration, see Cross-region recovery for Azure Cloud HSM.

Can I create more than one managed identity per Azure Cloud HSM cluster?

No. Only one managed identity is allowed per Azure Cloud HSM cluster. For more information about identity and access management, see Apply a managed identity and create a storage account.

Can I apply more restrictive read/write permissions for my source and destination for backups?

Yes. The minimum role-based access control (RBAC) role required is Storage Blob Data Contributor. You can restrict the source as read-only, but you need read/write permissions on the destination. For more information about access control, see Apply a managed identity and create a storage account.

Security and compliance

Do I share my Azure Cloud HSM resource with other Azure customers?

No. With Azure Cloud HSM, you have exclusive administrative access to your HSM as a single tenant. For more information about the service architecture, see What is Azure Cloud HSM?.

Can Microsoft or anyone at Microsoft access keys in my Azure Cloud HSM resource?

No. Microsoft does not have any access to the keys stored in customer-allocated HSMs. For more information about security controls, see Secure your Azure Cloud HSM deployment.

How does Microsoft manage the HSM without having access to my encryption keys?

In the architecture of Azure Cloud HSM, separation of duties and role-based access control are fundamental principles. Microsoft does not have any cryptographic control over customer-allocated HSMs or control over the HSM's users, other than its own limited role as appliance user.

Microsoft has restricted permissions to the HSM. These permissions allow monitoring, maintenance of health and availability, encrypted backups, and extraction and publication of immutable audit logs to the customer's specified storage. These permissions don't allow Microsoft to use keys owned by cryptography users to perform cryptographic operations. For more information about operational logging, see Configure and query operation event logging for Azure Cloud HSM.

Does Azure Cloud HSM store customer data?

No, Azure Cloud HSM doesn't retain customer data. All key materials and data are housed within the customer's HSM. Each Azure Cloud HSM cluster is exclusively designated for a single customer who has administrative control. For more information about data protection, see Secure your Azure Cloud HSM deployment.

Does Azure Cloud HSM support FIPS 140-3 Level 3?

Yes, Azure Cloud HSM offers HSMs that are validated to meet the FIPS 140-3 Level 3 standards. For procedures to verify the authenticity of your HSM, including checking the FIPS 140-3 Level 3 certification from NIST, refer to the onboarding guide. For more information about compliance, see What is Azure Cloud HSM?.

Does Azure Cloud HSM support eIDAS?

Yes. Azure Cloud HSM supports eIDAS compliance under the Austrian scheme by providing secure key management, cryptographic operations, and FIPS 140-3 Level 3 validated hardware to meet stringent requirements for qualified electronic signatures and seals, to help ensure regulatory compliance. Learn more in the QSCD Certificate. For more information about security standards, see Secure your Azure Cloud HSM deployment.

What happens if someone tampers with the HSM hardware?

Azure Cloud HSM incorporates both physical and logical tamper detection and response mechanisms that initiate key deletion (zeroization) of the hardware. These measures are designed to detect tampering if the physical barrier is compromised.

Additionally, HSMs are safeguarded against brute-force sign-in attacks. The system locks out cryptography officers (COs) after a set number of unsuccessful access attempts. Similarly, repeated unsuccessful attempts to access an HSM with cryptography user (CU) credentials result in locking out the user. A CO must then unlock the CU. Unlocking a CO requires getChallenge and signing the challenge with PO.key via OpenSSL, followed by unlockCO and changePswd commands. For more information about security features, see Secure your Azure Cloud HSM deployment.

Support

How do I get support for Azure Cloud HSM?

Microsoft facilitates all support for Azure Cloud HSM. If you encounter any problems related to hardware, software, HSM configuration, or network access, submit a support request to Microsoft. For more information about common problems and solutions, see Troubleshoot Azure Cloud HSM.

How are the HSMs used in Azure Cloud HSM protected?

Azure datacenters have extensive physical and procedural security controls. Additionally, the HSMs in Azure Cloud HSM are hosted in a restricted access area of the datacenter, with physical access controls and video surveillance for added security. For more information about physical security, see Secure your Azure Cloud HSM deployment.

Can Microsoft recover my keys if I lose the credentials to my HSM?

No. Microsoft doesn't have access to your keys or credentials and can't recover your keys if you lose your credentials. For more information about credential management, see User management in Azure Cloud HSM.

Does Azure Cloud HSM have scheduled maintenance windows?

No, although Microsoft might need to perform maintenance for necessary upgrades or faulty hardware. We notify customers in advance if we anticipate any impact. For more information about operational considerations, see Secure your Azure Cloud HSM deployment.

What is the SLA for Azure Cloud HSM?

For service-level agreements, see Service Level Agreements (SLAs) for Online Services. For more information about service reliability, see What is Azure Cloud HSM?.

Find answers to common questions about Microsoft Azure Cloud HSM.

Microsoft Azure Cloud HSM is a service that provides secure storage for cryptographic keys by using hardware security modules (HSMs) that meet the FIPS 140-3 Level 3 security standard. It's a customer-managed, single-tenant, highly available service that complies with industry standards.

Azure Cloud HSM supports various applications, including PKCS#11, offloading of Secure Sockets Layer (SSL) or Transport Layer Security (TLS) processing, certificate authority (CA) private key protection, and transparent data encryption (TDE). It also supports document and code signing.

Azure Cloud HSM provides high availability and redundancy by grouping multiple HSMs into a cluster and automatically synchronizing across three HSM instances. The HSM cluster supports load balancing of cryptographic operations. Periodic HSM backups help ensure secure and simple data recovery. For more information, see What is Azure Cloud HSM?.

A hardware security module (HSM) is a physical computing device that's designed to protect and administer cryptographic keys. Within HSMs, keys are securely stored and used for cryptographic operations. Tamper-resistant and tamper-evident hardware modules help ensure the confidentiality and integrity of those keys. Access to the keys is restricted to authenticated and authorized applications, so the key material always remains within the protected boundary of the HSM. For more information, see Secure your Azure Cloud HSM deployment.

Azure Cloud HSM uses Marvell LiquidSecurity hardware security modules. For more information about service specifications, see Azure Cloud HSM service limits.

Microsoft supplies all software and tools for Azure Cloud HSM through its SDK. You can download the Azure Cloud HSM SDK from GitHub. For more information about integration options, see Azure Cloud HSM integration guides.

No, Microsoft oversees the firmware on the hardware. A third party (the HSM manufacturer) maintains the hardware. NIST evaluates the firmware and must sign it to ensure compliance with FIPS 140-3 Level 3 standards. For more information about hardware management, see What is Azure Cloud HSM?.

Azure offers multiple solutions for cryptographic key storage and management in the cloud: Azure Key Vault (standard and premium offerings), Azure Managed HSM, Azure Cloud HSM, and Azure Payment HSM. It can be overwhelming for customers to decide which solution is best for them. A flowchart, based on common high-level requirements and key management scenarios, is available to help customers make this decision. See How to choose the right key management solution.

Azure Cloud HSM is best suited for migration scenarios, when you're migrating on-premises applications that are already using HSMs to Azure. Azure Cloud HSM provides a low-friction option to migrate to Azure with minimal changes to the application.

If cryptographic operations are performed in an application's code running in an Azure virtual machine or web app, an organization can use Cloud HSM. In general, shrink-wrapped software running in infrastructure as a service (IaaS) models that support HSMs as a key store can use Cloud HSM. This software includes:

• Active Directory Certificate Services (AD CS).
• SSL/TLS offloading for NGINX and Apache.
• Tools and applications used for document signing.
• Code signing.
• Java applications that require a Java Cryptography Extension (JCE) provider.
• Microsoft SQL Server TDE (IaaS) through Extensible Key Management (EKM).
• Oracle TDE.

For more information about implementing these scenarios, see Azure Cloud HSM integration guides.

No. Microsoft doesn't support "bring your own HSM." Azure Cloud HSM can't host any customer-provided devices. For more information about the service architecture, see What is Azure Cloud HSM?.

Yes, but it depends on your architecture and configuration. If your Dedicated HSM deployment is configured in a high-availability (HA) grouping, you can't migrate keys. The reason is that key export is disabled to allow for key cloning (HA grouping), and changing those attributes is a destructive process. If your Dedicated HSM deployment is configured in an HA grouping, you must create new keys when migrating to Azure Cloud HSM. For more information about key management, see Key management in Azure Cloud HSM.

No, Azure Cloud HSM doesn't have a monetary policy. Onboarding Azure Cloud HSM is open to all customers. For more information about getting started, see Azure Cloud HSM onboarding guide.

You incur an hourly fee for each Azure Cloud HSM cluster, which consists of three nodes. After you provision a Cloud HSM resource, it remains continuously active (always on). Billing starts when you provision a resource, rather than when you finish initializing the HSM resource. For more information about deployment options, see Deploy Azure Cloud HSM by using PowerShell or Deploy Azure Cloud HSM by using the Azure portal.

Azure Cloud HSM requires a network infrastructure, such as a virtual network and a private endpoint. It also requires resources such as virtual machines for device configuration. These resources incur extra costs and are not included in the Azure Cloud HSM service pricing. For more information about network requirements, see Network security for Azure Cloud HSM.

No, a free tier is not available for Azure Cloud HSM. For more information about service offerings, see What is Azure Cloud HSM?.

• Windows Server 2016, 2019, and 2022
• Linux (Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04, RHEL 7, RHEL 8, and RHEL 9)
• CBL Mariner 2

For more information about compatibility and troubleshooting, see Troubleshoot Azure Cloud HSM.

You manage your service deployment by accessing your Azure Cloud HSM cluster via Secure Shell (SSH) and the Azure Cloud HSM SDK from GitHub. For more information about management operations, see User management in Azure Cloud HSM.

The Azure Cloud HSM SDK contains software and tools to execute cryptographic operations within applications. Azure Cloud HSM supports various interfaces, including PKCS#11, OpenSSL, JCE, key storage provider (KSP), and Cryptography API: Next Generation (CNG). The range of tools in the SDK enables seamless interaction with your HSM.

You can download the Azure Cloud HSM SDK from GitHub. For more information about connectivity methods, see Authentication in Azure Cloud HSM.

Azure Cloud HSM supports only password-based authentication. It doesn't support authentication through a PIN entry device (PED). For more information about authentication methods, see Authentication in Azure Cloud HSM.

Yes. Use virtual network peering within a region to establish connectivity across virtual networks. For cross-region connectivity, use global virtual network peering or a VPN gateway. For more information about network configurations, see Network security for Azure Cloud HSM.

No. Although Azure Cloud HSM doesn't directly interoperate with on-premises HSMs, you can securely transfer exportable keys between Azure Cloud HSM and most commercial HSMs by using one of several supported key-wrap methods. For more information about key management, see Key management in Azure Cloud HSM.

No. Azure Cloud HSM clusters are accessible only from inside your virtual network. For more information about service limitations, see What is Azure Cloud HSM?.

No. Azure Cloud HSM is provisioned directly into your private IP address space, so other Azure or Microsoft services can't access it. For more information about service capabilities and limitations, see What is Azure Cloud HSM?.

Yes. There are multiple methods for bring your own key (BYOK) and having on-premises HSMs that allow key export (key wrap). For more information about key import operations, see Key management in Azure Cloud HSM.

No. The Azure Cloud HSM service doesn't support functionality modules. For more information about service capabilities, see Azure Cloud HSM service limits.

No. You can't change the partition owner certificate after you upload it. If you upload PO.crt in error, you need to delete your Azure Cloud HSM resource and deploy again.

No. You can't restore a backup to its source Azure Cloud HSM resource because it's in an activated state. For more information about backup and restore operations, see Backup and restore in Azure Cloud HSM.

No. Azure Cloud HSM doesn't support restoring a backup to its source HSM or any Cloud HSM resource that's already activated. Otherwise, the restore operation will fail and put the destination Cloud HSM resource in a nonfunctional state. For more information about the restoration process, see Restoration guidelines for Azure Cloud HSM.

Yes. You can restore a backup to another Azure Cloud HSM resource in any region, if the destination Cloud HSM resource is not in an activated state. For more information about cross-region restoration, see Cross-region recovery for Azure Cloud HSM.

No. Only one managed identity is allowed per Azure Cloud HSM cluster. For more information about identity and access management, see Apply a managed identity and create a storage account.

Yes. The minimum role-based access control (RBAC) role required is Storage Blob Data Contributor. You can restrict the source as read-only, but you need read/write permissions on the destination. For more information about access control, see Apply a managed identity and create a storage account.

No. With Azure Cloud HSM, you have exclusive administrative access to your HSM as a single tenant. For more information about the service architecture, see What is Azure Cloud HSM?.

No. Microsoft does not have any access to the keys stored in customer-allocated HSMs. For more information about security controls, see Secure your Azure Cloud HSM deployment.

In the architecture of Azure Cloud HSM, separation of duties and role-based access control are fundamental principles. Microsoft does not have any cryptographic control over customer-allocated HSMs or control over the HSM's users, other than its own limited role as appliance user.

Microsoft has restricted permissions to the HSM. These permissions allow monitoring, maintenance of health and availability, encrypted backups, and extraction and publication of immutable audit logs to the customer's specified storage. These permissions don't allow Microsoft to use keys owned by cryptography users to perform cryptographic operations. For more information about operational logging, see Configure and query operation event logging for Azure Cloud HSM.

No, Azure Cloud HSM doesn't retain customer data. All key materials and data are housed within the customer's HSM. Each Azure Cloud HSM cluster is exclusively designated for a single customer who has administrative control. For more information about data protection, see Secure your Azure Cloud HSM deployment.

Yes, Azure Cloud HSM offers HSMs that are validated to meet the FIPS 140-3 Level 3 standards. For procedures to verify the authenticity of your HSM, including checking the FIPS 140-3 Level 3 certification from NIST, refer to the onboarding guide. For more information about compliance, see What is Azure Cloud HSM?.

Yes. Azure Cloud HSM supports eIDAS compliance under the Austrian scheme by providing secure key management, cryptographic operations, and FIPS 140-3 Level 3 validated hardware to meet stringent requirements for qualified electronic signatures and seals, to help ensure regulatory compliance. Learn more in the QSCD Certificate. For more information about security standards, see Secure your Azure Cloud HSM deployment.

Azure Cloud HSM incorporates both physical and logical tamper detection and response mechanisms that initiate key deletion (zeroization) of the hardware. These measures are designed to detect tampering if the physical barrier is compromised.

Additionally, HSMs are safeguarded against brute-force sign-in attacks. The system locks out cryptography officers (COs) after a set number of unsuccessful access attempts. Similarly, repeated unsuccessful attempts to access an HSM with cryptography user (CU) credentials result in locking out the user. A CO must then unlock the CU. Unlocking a CO requires getChallenge and signing the challenge with PO.key via OpenSSL, followed by unlockCO and changePswd commands. For more information about security features, see Secure your Azure Cloud HSM deployment.

Microsoft facilitates all support for Azure Cloud HSM. If you encounter any problems related to hardware, software, HSM configuration, or network access, submit a support request to Microsoft. For more information about common problems and solutions, see Troubleshoot Azure Cloud HSM.

Azure datacenters have extensive physical and procedural security controls. Additionally, the HSMs in Azure Cloud HSM are hosted in a restricted access area of the datacenter, with physical access controls and video surveillance for added security. For more information about physical security, see Secure your Azure Cloud HSM deployment.

No. Microsoft doesn't have access to your keys or credentials and can't recover your keys if you lose your credentials. For more information about credential management, see User management in Azure Cloud HSM.

No, although Microsoft might need to perform maintenance for necessary upgrades or faulty hardware. We notify customers in advance if we anticipate any impact. For more information about operational considerations, see Secure your Azure Cloud HSM deployment.

For service-level agreements, see Service Level Agreements (SLAs) for Online Services. For more information about service reliability, see What is Azure Cloud HSM?.