Azure service used to manage and protect encryption keys and other secrets used by cloud applications and services.
Hello Pierre DE LA CROIX,
Azure Key Vault Managed HSM does not provide a general‑purpose PKCS#11 interface like a traditional or dedicated HSM.
For Managed HSM, PKCS#11 support is limited to a specific TLS/SSL offload scenario only. Microsoft provides an official PKCS#11 v2.40–compliant TLS Offload Library, which is designed for TLS key generation and signing during TLS handshakes, typically with F5 BIG‑IP or NGINX. This library supports only a subset of PKCS#11 functions required for TLS and does not expose full PKCS#11 capabilities.
What this means in practice:
- PKCS#11 can be used only for TLS offload (signing operations for TLS handshakes)
- Generic PKCS#11 clients (for arbitrary crypto operations) are not supported
- Symmetric crypto (AES), encryption/decryption, key wrapping, and full token management via PKCS#11 are not supported with Managed HSM
If your requirement is to interface with an HSM using a full PKCS#11 API and perform general cryptographic operations, then Azure Dedicated HSM should be used instead. Azure Dedicated HSM is based on Thales (SafeNet) Luna Network HSMs and provides a native, full PKCS#11 interface suitable for standard PKCS#11 applications.
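Added example, not code from the answer above nor from Microsoft's TLS Offload Library: before committing to one HSM service, a practitioner would probe the PKCS#11 module actually in hand and see which mechanisms it advertises. The Python below loads any PKCS#11 shared library through ctypes, enumerates the mechanisms of every slot with a token present, and sorts them into the capability buckets the answer distinguishes (asymmetric signing for TLS handshakes versus symmetric AES, key wrapping and asymmetric encryption). The module path is whatever you pass on the command line; the two mechanism lists at the bottom are constructed illustrations of a TLS-only subset and a general-purpose token, not captured from Microsoft's library or from a Luna HSM; the struct layout assumes a 64-bit Linux build of the module with default packing.

```python
"""Probe which PKCS#11 mechanisms a module exposes (added example).
Assumes a 64-bit Linux PKCS#11 module with default struct packing."""
import ctypes
import sys

CKR_OK = 0
CK_ULONG = ctypes.c_ulong

# Mechanism codes as defined in PKCS#11 v2.40 (pkcs11t.h).
CKM_RSA_PKCS_KEY_PAIR_GEN = 0x0000
CKM_RSA_PKCS = 0x0001
CKM_RSA_PKCS_OAEP = 0x0009
CKM_RSA_PKCS_PSS = 0x000D
CKM_SHA256_RSA_PKCS = 0x0040
CKM_EC_KEY_PAIR_GEN = 0x1040
CKM_ECDSA = 0x1041
CKM_AES_KEY_GEN = 0x1080
CKM_AES_CBC = 0x1082
CKM_AES_GCM = 0x1087
CKM_AES_KEY_WRAP = 0x2109

# Buckets that separate a TLS-offload-only library from a general-purpose token.
CAPABILITIES = {
    "asymmetric_keygen": {CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_EC_KEY_PAIR_GEN},
    "tls_signing": {CKM_RSA_PKCS, CKM_RSA_PKCS_PSS, CKM_SHA256_RSA_PKCS, CKM_ECDSA},
    "asymmetric_encrypt": {CKM_RSA_PKCS_OAEP},
    "symmetric_aes": {CKM_AES_KEY_GEN, CKM_AES_CBC, CKM_AES_GCM},
    "key_wrap": {CKM_AES_KEY_WRAP, CKM_RSA_PKCS_OAEP},
}


def classify(mechanisms):
    """Return {bucket: True/False} for a list of CKM_* codes."""
    present = set(mechanisms)
    return {name: bool(present & codes) for name, codes in CAPABILITIES.items()}


def fits_general_purpose(mechanisms):
    """True only if a generic PKCS#11 client (sign + AES + wrap) could use it."""
    caps = classify(mechanisms)
    return caps["tls_signing"] and caps["symmetric_aes"] and caps["key_wrap"]


class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]


class CK_FUNCTION_LIST(ctypes.Structure):
    # Leading entries of the v2.x function table in the order the spec fixes;
    # later entries are not needed here and are left undeclared.
    _fields_ = [("version", CK_VERSION)] + [(n, ctypes.c_void_p) for n in (
        "C_Initialize", "C_Finalize", "C_GetInfo", "C_GetFunctionList",
        "C_GetSlotList", "C_GetSlotInfo", "C_GetTokenInfo", "C_GetMechanismList")]


def _check(rv, what):
    if rv != CKR_OK:
        raise RuntimeError(f"{what} failed: CKR 0x{rv:x}")


def enumerate_mechanisms(module_path):
    """Return {slot_id: [CKM codes]} for every slot that has a token present."""
    lib = ctypes.CDLL(module_path)
    lib.C_GetFunctionList.restype = CK_ULONG
    fl_ptr = ctypes.POINTER(CK_FUNCTION_LIST)()
    _check(lib.C_GetFunctionList(ctypes.byref(fl_ptr)), "C_GetFunctionList")
    fl = fl_ptr.contents
    ulong_p = ctypes.POINTER(CK_ULONG)
    c_initialize = ctypes.CFUNCTYPE(CK_ULONG, ctypes.c_void_p)(fl.C_Initialize)
    c_finalize = ctypes.CFUNCTYPE(CK_ULONG, ctypes.c_void_p)(fl.C_Finalize)
    c_get_slots = ctypes.CFUNCTYPE(CK_ULONG, ctypes.c_ubyte, ulong_p, ulong_p)(fl.C_GetSlotList)
    c_get_mechs = ctypes.CFUNCTYPE(CK_ULONG, CK_ULONG, ulong_p, ulong_p)(fl.C_GetMechanismList)
    _check(c_initialize(None), "C_Initialize")
    try:
        count = CK_ULONG(0)  # first call with NULL buffer only asks for the count
        _check(c_get_slots(1, None, ctypes.byref(count)), "C_GetSlotList")
        slots = (CK_ULONG * count.value)()
        _check(c_get_slots(1, ctypes.cast(slots, ulong_p), ctypes.byref(count)), "C_GetSlotList")
        result = {}
        for slot in list(slots)[:count.value]:
            n = CK_ULONG(0)
            _check(c_get_mechs(slot, None, ctypes.byref(n)), "C_GetMechanismList")
            mechs = (CK_ULONG * n.value)()
            _check(c_get_mechs(slot, ctypes.cast(mechs, ulong_p), ctypes.byref(n)), "C_GetMechanismList")
            result[slot] = list(mechs)[:n.value]
        return result
    finally:
        c_finalize(None)


# Constructed illustrations (not captured from any real module): a TLS-only
# subset versus a token that also does symmetric crypto and key wrapping.
TLS_OFFLOAD_LIKE = [CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_EC_KEY_PAIR_GEN,
                    CKM_RSA_PKCS, CKM_SHA256_RSA_PKCS, CKM_ECDSA]
FULL_TOKEN_LIKE = TLS_OFFLOAD_LIKE + [CKM_RSA_PKCS_OAEP, CKM_AES_KEY_GEN,
                                      CKM_AES_GCM, CKM_AES_KEY_WRAP]

if __name__ == "__main__":
    # usage: python probe.py /path/to/pkcs11-module.so
    for slot, mechs in enumerate_mechanisms(sys.argv[1]).items():
        print(f"slot {slot}: {classify(mechs)} general-purpose={fits_general_purpose(mechs)}")
```

Run it against the module you intend to deploy; if `symmetric_aes` and `key_wrap` come back False the module only covers the signing side of a TLS handshake, which is the limitation the answer describes, and a generic PKCS#11 application will fail once it asks for AES or C_WrapKey regardless of what the vendor's brochure says.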