Azure Key Vault Managed HSM is a fully managed, highly available, single-tenant cloud service that uses FIPS 140-3 Level 3 validated hardware security modules to protect your cryptographic keys. All keys in a Managed HSM instance are HSM-protected; Managed HSM doesn't store software-protected keys.
Each Managed HSM instance is an isolated single-tenant pool with its own security domain, which provides complete cryptographic isolation from all other Managed HSM instances that share the same underlying hardware. The data-plane endpoint base URL for a Managed HSM instance is https://<hsm-name>.managedhsm.azure.net.
Cryptographic keys in Managed HSM are represented as JSON Web Key (JWK) objects, as defined by the JSON Web Key (JWK) and JSON Web Algorithms (JWA) specifications. The base JWK/JWA specifications are extended with key types unique to the Managed HSM implementation (the -HSM key types listed in the following table).
Supported key types and sizes
| Key type | Sizes / curves |
|---|---|
| RSA-HSM — RSA key | 2,048-bit, 3,072-bit, 4,096-bit |
| EC-HSM — Elliptic Curve key | P-256, P-256K (secp256k1), P-384, P-521 |
| oct-HSM — Symmetric (AES) key | 128-bit, 192-bit, 256-bit |
You can generate keys directly in a Managed HSM instance, import RSA or EC keys from a PEM file, or securely transport keys (RSA, EC, or oct-HSM) from a supported on-premises HSM by using the BYOK (bring your own key) specification. For more information, see Manage keys in Managed HSM and Import HSM-protected keys to Managed HSM (BYOK).
For details on supported algorithms, operations, attributes, and tags, see Key types, algorithms, and operations.
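The following is an added example, not code from the Microsoft documentation or the Azure SDK. It takes a JWK object of the kind the Managed HSM data plane returns and checks it against the constraints stated above: the key type must be one of the -HSM types, the RSA modulus size or EC curve must be in the supported list, the `kid` must sit under `https://<hsm-name>.managedhsm.azure.net/keys/`, and no private-key members may be present (all key material stays HSM-protected). The HSM name `contoso-hsm`, the key names, the version strings and the modulus value are constructed placeholders, and the assumption that a retrieved JWK carries only public members (`n`/`e`, `x`/`y`) is the author's, not a statement from the page.

```python
import base64
from urllib.parse import urlparse

# HSM-protected key types and the sizes/curves from the table above.
HSM_KEY_TYPES = {"RSA-HSM", "EC-HSM", "oct-HSM"}
SUPPORTED_RSA_BITS = {2048, 3072, 4096}
SUPPORTED_EC_CURVES = {"P-256", "P-256K", "P-384", "P-521"}
# JWK members holding private key material; assumption: a JWK read back from
# the service carries public members only, so any of these is a red flag.
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "k"}


def b64url_decode(s: str) -> bytes:
    """JWK members are base64url without padding; restore padding, then decode."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    """Inverse of b64url_decode, used here only to build the constructed samples."""
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def rsa_modulus_bits(n_b64: str) -> int:
    """An RSA key's size is the bit length of its modulus n."""
    return int.from_bytes(b64url_decode(n_b64), "big").bit_length()


def check_managed_hsm_jwk(jwk: dict) -> list[str]:
    """Return findings; an empty list means the JWK matches the constraints on this page."""
    findings = []
    kty = jwk.get("kty")
    if kty not in HSM_KEY_TYPES:
        findings.append(f"kty {kty!r} is not an HSM-protected key type {sorted(HSM_KEY_TYPES)}")

    # kid must be a Managed HSM data-plane key identifier, not e.g. a vault.azure.net one.
    kid = urlparse(jwk.get("kid", ""))
    host = kid.hostname or ""
    if kid.scheme != "https" or not host.endswith(".managedhsm.azure.net") or not kid.path.startswith("/keys/"):
        findings.append("kid is not an https://<hsm-name>.managedhsm.azure.net/keys/... identifier")

    leaked = PRIVATE_MEMBERS & set(jwk)
    if leaked:
        findings.append(f"private key material present in JWK: {sorted(leaked)}")

    if kty == "RSA-HSM":
        bits = rsa_modulus_bits(jwk["n"]) if "n" in jwk else 0
        if bits not in SUPPORTED_RSA_BITS:
            findings.append(f"RSA modulus is {bits} bits; supported sizes are {sorted(SUPPORTED_RSA_BITS)}")
    elif kty == "EC-HSM":
        crv = jwk.get("crv")
        if crv not in SUPPORTED_EC_CURVES:
            findings.append(f"curve {crv!r} is not supported; expected one of {sorted(SUPPORTED_EC_CURVES)}")
    # oct-HSM: the JWK exposes no size field and no material; nothing further to check here.
    return findings


# Constructed samples (placeholder HSM name, key names, versions; NOT real keys).
PLACEHOLDER_MODULUS = (1 << 2047) | 1          # bit_length() == 2048, not a real RSA modulus
SAMPLE_RSA_HSM = {
    "kid": "https://contoso-hsm.managedhsm.azure.net/keys/signing-key/0123456789abcdef0123456789abcdef",
    "kty": "RSA-HSM",
    "n": b64url_encode(PLACEHOLDER_MODULUS.to_bytes(256, "big")),
    "e": "AQAB",
    "key_ops": ["sign", "verify"],
}
SAMPLE_EC_HSM = {
    "kid": "https://contoso-hsm.managedhsm.azure.net/keys/ec-key/fedcba9876543210fedcba9876543210",
    "kty": "EC-HSM",
    "crv": "P-256K",
    "x": b64url_encode(bytes(32)),             # placeholder coordinates
    "y": b64url_encode(bytes(32)),
    "key_ops": ["sign", "verify"],
}
# A software-protected key from a standard vault: wrong kty and wrong kid host.
SAMPLE_SOFTWARE_RSA = {
    "kid": "https://contoso-vault.vault.azure.net/keys/legacy-key/00000000000000000000000000000000",
    "kty": "RSA",
    "n": b64url_encode(PLACEHOLDER_MODULUS.to_bytes(256, "big")),
    "e": "AQAB",
}

if __name__ == "__main__":
    for name, sample in [("RSA-HSM", SAMPLE_RSA_HSM), ("EC-HSM", SAMPLE_EC_HSM), ("software RSA", SAMPLE_SOFTWARE_RSA)]:
        print(name, check_managed_hsm_jwk(sample) or "ok")
```

The checker is useful as a guardrail in deployment pipelines that consume key identifiers from configuration: it catches a key that was silently created in a software-protected vault or at an unsupported size before the identifier is wired into an application.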
Compliance
All keys in Managed HSM are HSM-protected by FIPS 140-3 Level 3 validated hardware. There is a single protection tier; Managed HSM doesn't expose multiple HSM platforms or a software-protected option. For details on the hardware environment, validated standards (FedRAMP-High, PCI, SOC 1/2/3, ISO 270x), and the broader Azure compliance program, see Managed HSM technical details.
Quantum-resistant cryptography
"Quantum-resistant", "quantum-safe", and "post-quantum" cryptography are terms used to describe cryptographic algorithms believed to be resistant to cryptanalytic attacks from both classical and quantum computers. oct-HSM 256-bit keys used with the AES algorithms offered by Managed HSM are quantum-resistant. For more information, see The Commercial National Security Algorithm Suite 2.0 and Quantum Computing FAQ.
Key attestation
Managed HSM can attest that a key was generated and resides inside an HSM that Microsoft operates. Asymmetric keys receive both public and private key attestation; symmetric (oct-HSM) keys receive private key attestation only. For more information, see Validate Azure Managed HSM keys with key attestation.
Usage scenarios
| When to use | Examples |
|---|---|
| Azure server-side data encryption with customer-managed keys | Server-side encryption using customer-managed keys in Azure Key Vault |
| Client-side data encryption | Client-Side Encryption with Azure Key Vault |
| Keyless TLS | Azure Managed HSM TLS Offload Library |