Import HSM-protected keys to Key Vault

For added assurance, when you use Azure Key Vault, you can import or generate keys in hardware security modules (HSMs) that never leave the HSM boundary. This scenario is often referred to as bring your own key, or BYOK. Azure Key Vault uses FIPS 140 validated HSMs to protect your keys.

This functionality is not available for Microsoft Azure operated by 21Vianet.

Note

For more information about Azure Key Vault, see What is Azure Key Vault?
For a getting started tutorial, which includes creating a key vault for HSM-protected keys, see What is Azure Key Vault?.

Supported HSMs

Transferring HSM-protected keys to Key Vault is supported via two different methods depending on the HSMs you use. Use this table to determine which method should be used for your HSMs to generate, and then transfer your own HSM-protected keys to use with Azure Key Vault.

Vendor Name	Vendor Type	Supported HSM models	Supported HSM-key transfer method
Cryptomathic	ISV (Enterprise Key Management System)	Multiple HSM brands and models including nCipher Thales Utimaco See Cryptomathic site for details	Use new BYOK method
Entrust	Manufacturer, HSM as a Service	nShield family of HSMs nShield as a service	Use new BYOK method
Fortanix	Manufacturer, HSM as a Service	Self-Defending Key Management Service (SDKMS) Equinix SmartKey	Use new BYOK method
Futurex	Manufacturer, HSM as a Service	CryptoHub CryptoHub Cloud KMES Series 3	Use new BYOK method
IBM	Manufacturer	IBM 476x, CryptoExpress	Use new BYOK method
Marvell	Manufacturer	All LiquidSecurity HSMs with Firmware version 2.0.4 or later Firmware version 3.2 or newer	Use new BYOK method
nCipher	Manufacturer, HSM as a Service	nShield family of HSMs nShield as a service	Method 1: nCipher BYOK (deprecated). This method will not be supported after June 30, 2021 Method 2: Use new BYOK method (recommended) See the Entrust row.
Securosys SA	Manufacturer, HSM as a service	Primus HSM family, Securosys Clouds HSM	Use new BYOK method
StorMagic	ISV (Enterprise Key Management System)	Multiple HSM brands and models including Utimaco Thales nCipher See StorMagic site for details	Use new BYOK method
Thales	Manufacturer	Luna HSM 7 family with firmware version 7.3 or newer	Use new BYOK method
Utimaco	Manufacturer, HSM as a service	u.trust Anchor, CryptoServer	Use new BYOK method

Next steps

• Review the Key Vault security overview to ensure security, durability and monitoring for your keys.
• Refer to BYOK specification for a complete description of the new BYOK method