Get answers to common questions about Azure Key Vault Managed HSM external key management, including how it differs from Managed HSM keys, what's covered by SLA, and what HSM vendors are supported in preview. External key management is currently in preview. For preview terms, see the supplemental terms of use.
Overview
What is Managed HSM external key management?
External key management lets you keep your Key Encryption Key (KEK) in a customer-owned, customer-operated HSM that runs entirely outside Microsoft infrastructure. When an Azure service needs to wrap or unwrap a data encryption key, Managed HSM delegates that operation to your external HSM through a customer-run EKM Proxy that you or your HSM vendor operate. For a full overview, see What is Managed HSM external key management?.
When should I use external key management instead of Managed HSM keys?
Use external key management only when you have a strict regulatory or digital-sovereignty requirement that legally or contractually mandates physical control of key material outside Microsoft datacenters. External key management is a last-resort, gated option — not a general-purpose upgrade to Managed HSM keys. If your compliance framework requires that your key material never physically resides on Microsoft infrastructure, external key management is the right choice.
When should I not use external key management?
Don't use external key management if you don't have a hard legal or contractual requirement for physical key control outside Microsoft. Managed HSM keys are faster, covered by the Managed HSM SLA, and support the full key operation set — including sign, verify, encrypt, decrypt, and Secure Key Release (SKR). External key management supports only wrapKey and unwrapKey, adds network round-trip latency to every operation, and carries no SLA for external key availability.
Preview
In which regions is external key management available?
External key management is available in all Azure public regions at preview launch. Sovereign clouds (Azure Government, Azure China) are out of scope for the preview.
Do I need a special subscription flag to access external key management?
External key management is enabled at the subscription level by your Microsoft account team. Contact your account team to request enablement for your subscription.
Is external key management generally available?
No, external key management is in preview. Some aspects of this feature might change before general availability. For preview terms, see the supplemental terms of use.
Are there restrictions that apply only during preview?
Yes. During preview, external key management supports wrapKey and unwrapKey operations only and must be enabled on your subscription by your Microsoft account team.
Architecture and operations
What operations does external key management support?
External key management supports wrapKey and unwrapKey only. Sign, verify, encrypt, decrypt, and Secure Key Release (SKR) are out of scope for external key management and aren't supported for external keys.
What algorithms does external key management support?
External key management supports RSA-OAEP, RSA-OAEP-256, A256KW, and A256KWP.
What key types and sizes does external key management support?
External key management supports RSA keys at 2048, 3072, and 4096 bits, and AES-256 keys (oct, 256 bits). Key material lives in your external HSM; Managed HSM stores only the key reference called an external key identifier.
Can I migrate an external key to a Managed HSM key?
No. In external key management, a key's status as either an external key or a Managed HSM key is immutable by design — external key management blocks transitions in both directions at the API. Azure Key Vault and Managed HSM also don't allow key material to be exported, so external keys and Managed HSM keys can't be converted into one another by any mechanism. To switch a workload from an external key to a Managed HSM key (or vice versa), migrate the workload to a new key as described in Migrate workloads off external keys. The new key has a different key URI, and every consuming Azure service must be reconfigured to use it.
Can Microsoft access my key material?
No. The KEK never leaves your external HSM, and Microsoft has no path to it. Managed HSM stores only the external key identifier reference, not the key itself. The EKM Proxy operates entirely outside Microsoft infrastructure, and Microsoft has no visibility into the proxy or the external HSM.
Performance and SLA
What's the latency budget for an external key management operation?
Each proxy round-trip must complete in 250 ms or less. Managed HSM times out and returns an error if the proxy doesn't respond within that window. For guidance on sizing and network topology to stay within budget, see Managed HSM external key management architecture.
Is external key management covered by the Managed HSM SLA?
Partially. The Managed HSM SLA covers Managed HSM up to and including the point at which it calls your EKM Proxy. External key availability — the proxy and the external HSM — isn't covered by the SLA. That responsibility belongs to you or your external HSM vendor. For the full breakdown, see SLA and shared responsibility for Managed HSM external key management.
What does external key management cost?
Standard Managed HSM pricing applies for the Managed HSM service. Microsoft doesn't add a per-operation surcharge for external key management. You separately bear the cost of the EKM Proxy compute and your HSM vendor's licensing.
Networking and security
How does Managed HSM connect to the EKM Proxy?
In the initial preview release, Managed HSM connects to the proxy over the public internet on a publicly resolvable FQDN that resolves to a publicly routable IPv4 address, secured with mutual TLS (mTLS) and TLS 1.3 as the minimum version. The proxy must be configured with the subject common name and root CA of the Managed HSM client certificate to authenticate inbound requests. This is the only supported connectivity model. For step-by-step setup, see Configure networking and mTLS for Managed HSM external key management.
Who owns the EKM Proxy?
You or your HSM vendor. Microsoft doesn't ship or support the EKM Proxy as a product. You're responsible for deploying, operating, securing, and scaling the proxy.
How are mTLS certificates managed?
Managed HSM rotates its client certificate on a schedule; you must keep the proxy's trusted-issuer allow-list current. The proxy's server certificate and its root CA trust anchor are customer-rotated and must be kept synchronized with the external key management connection object in Managed HSM. For detailed certificate management guidance, see Configure networking and mTLS for Managed HSM external key management.
HSM vendors and self-serve onboarding
Which HSM vendors support external key management?
See HSM vendors supporting external key management for the current list of HSM vendors that support the external key management API specification. The list is informational; Microsoft makes no representations about the compatibility or availability of any specific vendor's proxy. Each vendor is responsible for the functionality and support of its own implementation.
I'm an HSM vendor — how do I add external key management support?
Build a conformant EKM Proxy that implements the EKM Proxy API specification exactly. The specification defines four endpoints, the JSON request and response schemas, encoding rules, error model, and mTLS requirements. For the full specification and implementation details, see EKM Proxy API reference for Managed HSM external key management.
Can I run my own proxy without a vendor partner?
Yes. The EKM Proxy API specification is publicly available, and any organization can implement a conformant proxy without a vendor partner. See EKM Proxy API reference for Managed HSM external key management for the specification and implementation details.
Logging and troubleshooting
Where do I find audit logs for external key management operations?
Managed HSM emits an EkmProxyOperation record in AzureDiagnostics for every proxy call. Filter by OperationName contains "Ekm" to isolate external key management activity. The proxy and external HSM produce their own logs, which you're responsible for collecting and retaining. For log schema and query examples, see Logging and monitoring for Managed HSM external key management.
What's the most common failure during preview?
The two most common failures are mTLS handshake errors (usually caused by certificate allow-list drift after a Managed HSM client certificate rotation) and external key identifier mismatches (where the external key identifier stored on the Managed HSM key reference doesn't exactly match the identifier registered at the proxy — external key identifiers are case-sensitive and URL-encoded). See Troubleshoot Managed HSM external key management for the full diagnostic guide.