Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article describes service limits for the resource type microsoft.hardwaresecuritymodules/cloudHsmClusters in Azure Cloud HSM.
Object limits
The following table describes the limits for the number of objects that you can create in Azure Cloud HSM. The limits are per Cloud HSM instance. Key types are Rivest-Shamir-Adleman (RSA), elliptic curve (EC), and Advanced Encryption Standard (AES).
Important
Key storage limits might vary if you're storing a mixed set of key types. Azure Cloud HSM supports a maximum of 3,200 key handles, irrespective of key type and size.
| Key type | Limit |
|---|---|
| RSA keys | Maximum of 1,600 RSA keys. Each key consumes two handles. |
| EC keys | Maximum of 1,600 EC keys. Each key consumes two handles. |
| AES keys | Maximum of 3,200 AES keys. Each key consumes one handle. |
Transaction limits
The following tables describe the transaction limits for various cryptographic operations, measured in the number of operations per second per Cloud HSM instance.
Each Azure Cloud HSM instance constitutes three load-balanced hardware security module (HSM) partitions. The throughput limits are a function of underlying hardware capacity allocated for each partition. The following tables show maximum throughput with at least one partition available. Actual throughput might be up to three times higher if all three partitions are available.
Throughput limits noted in the tables assume that you use a single key to achieve maximum throughput. For example, if you use a single RSA-2048 key, the maximum throughput is 1,100 sign operations. If you use 1,100 keys with one transaction per second each, they won't achieve the same throughput.
RSA key operations
The following table describes the number of operations per second for RSA key operations, categorized by key size.
| Operation | 2,048-bit | 3,072-bit | 4,096-bit |
|---|---|---|---|
| Create key | 1 | 1 | 1 |
| Encrypt | 12,000 | 8,800 | 5,500 |
| Decrypt | 1,100 | 360 | 160 |
| Wrap | 12,000 | 9,200 | 5,700 |
| Unwrap | 1,100 | 360 | 160 |
| Sign | 1,100 | 360 | 160 |
| Verify | 12,000 | 9,200 | 5,700 |
EC key operations
The following table describes the number of operations per second for EC key operations, categorized by key type.
| Operation | P-256 | P-256K | P-384 | P-521 | ED25519 |
|---|---|---|---|---|---|
| Create key | 1 | 1 | 1 | 1 | 1 |
| Sign | 330 | 330 | 200 | 70 | 420 |
| Verify | 170 | 170 | 100 | 35 | 420 |
AES key operations
The following table describes the number of operations per second for AES key operations, categorized by key size. In the table:
- Encrypt and decrypt operations assume a 4-KB packet size.
- Throughput limits for encrypt and decrypt operations apply to the AES-CBC and AES-GCM algorithms.
- Throughput limits for wrap and unwrap operations apply to the AES-KW algorithm.
| Operation | 128-bit | 192-bit | 256-bit |
|---|---|---|---|
| Create key | 1 | 1 | 1 |
| Encrypt | 10,000 | 10,000 | 10,000 |
| Decrypt | 10,000 | 10,000 | 10,000 |
| Wrap | 10,000 | 10,000 | 10,000 |
| Unwrap | 10,000 | 10,000 | 10,000 |