- Article
Azure Key Vault provides two types of resources to store and manage cryptographic keys. Vaults support software-protected and HSM-protected (Hardware Security Module) keys. Managed HSMs only support HSM-protected keys.
| Resource type | Key protection methods | Data-plane endpoint base URL |
|---|---|---|
| Vaults | Software-protected and HSM-protected (with Premium SKU) | https://{vault-name}.vault.azure.net |
| Managed HSMs | HSM-protected | https://{hsm-name}.managedhsm.azure.net |
- Vaults - Vaults provide a low-cost, easy to deploy, multi-tenant, zone-resilient (where available), highly available key management solution suitable for most common cloud application scenarios.
- Managed HSMs - Managed HSM provides single-tenant, zone-resilient (where available), highly available HSMs to store and manage your cryptographic keys. Most suitable for applications and usage scenarios that handle high value keys. Also helps to meet most stringent security, compliance, and regulatory requirements.
Note
Vaults also allow you to store and manage several types of objects like secrets, certificates and storage account keys, in addition to cryptographic keys.
Cryptographic keys in Key Vault are represented as JSON Web Key [JWK] objects. The JavaScript Object Notation (JSON) and JavaScript Object Signing and Encryption (JOSE) specifications are:
The base JWK/JWA specifications are also extended to enable key types unique to the Azure Key Vault and Managed HSM implementations.
HSM-protected keys (also referred to as HSM-keys) are processed in an HSM (Hardware Security Module) and always remain HSM protection boundary.
- Vaults use FIPS 140-2 Level 2 validated HSMs to protect HSM-keys in shared HSM backend infrastructure.
- Managed HSM uses FIPS 140-2 Level 3 validated HSM modules to protect your keys. Each HSM pool is an isolated single-tenant instance with its own security domain providing complete cryptographic isolation from all other HSMs sharing the same hardware infrastructure.
These keys are protected in single-tenant HSM-pools. You can import an RSA, EC, and symmetric key, in soft form or by exporting from a supported HSM device. You can also generate keys in HSM pools. When you import HSM keys using the method described in the BYOK (bring your own key) specification, it enables secure transportation key material into Managed HSM pools.
For more information on geographical boundaries, see Microsoft Azure Trust Center
Key types and protection methods
Key Vault supports RSA and EC keys. Managed HSM supports RSA, EC, and symmetric keys.
HSM-protected keys
| Key type | Vaults (Premium SKU only) | Managed HSMs |
|---|---|---|
| EC-HSM: Elliptic Curve key | Supported (P-256, P-384, P-521, secp256k1/P-256K) | Supported (P-256, secp256k1/P-256K, P-384, P-521) |
| RSA-HSM: RSA key | Supported (2048-bit, 3072-bit, 4096-bit) | Supported (2048-bit, 3072-bit, 4096-bit) |
| oct-HSM: Symmetric key | Not supported | Supported (128-bit, 192-bit, 256-bit) |
Software-protected keys
| Key type | Vaults | Managed HSMs |
|---|---|---|
| RSA: "Software-protected" RSA key | Supported (2048-bit, 3072-bit, 4096-bit) | Not supported |
| EC: "Software-protected" Elliptic Curve key | Supported (P-256, P-384, P-521, secp256k1/P-256K) | Not supported |
Compliance
| Key type and destination | Compliance |
|---|---|
| Software-protected keys in vaults (Premium & Standard SKUs) | FIPS 140-2 Level 1 |
| HSM-protected keys in vaults (Premium SKU) | FIPS 140-2 Level 2 |
| HSM-protected keys in Managed HSM | FIPS 140-2 Level 3 |
See Key types, algorithms, and operations for details about each key type, algorithms, operations, attributes, and tags.
Usage Scenarios
| When to use | Examples |
|---|---|
| Azure server-side data encryption for integrated resource providers with customer-managed keys | - Server-side encryption using customer-managed keys in Azure Key Vault |
| Client-side data encryption | - Client-Side Encryption with Azure Key Vault |
| Keyless TLS | - Use key Client Libraries |
Next steps
As an expert in Azure Key Vault and cryptographic key management, I can confidently delve into the concepts outlined in the provided article. My expertise is grounded in firsthand experience, as well as an in-depth understanding of the relevant technologies and practices in the field.
Azure Key Vault Overview:
Azure Key Vault serves as a crucial component for storing and managing cryptographic keys. The article introduces two primary types of resources within Azure Key Vault:
-
Vaults:
- Purpose: Low-cost, easy-to-deploy, multi-tenant, zone-resilient, and highly available key management solution.
- Key Protection Methods: Supports software-protected and HSM-protected keys (with Premium SKU).
- Data-plane Endpoint Base URL:
https://{vault-name}.vault.azure.net - Additional Functionality: Besides cryptographic keys, vaults can store and manage objects like secrets, certificates, and storage account keys.
-
Managed HSMs (Hardware Security Modules):
- Purpose: Single-tenant, zone-resilient, highly available HSMs for storing and managing cryptographic keys.
- Key Protection Method: Exclusively supports HSM-protected keys.
- Data-plane Endpoint Base URL:
https://{hsm-name}.managedhsm.azure.net - Unique Features: Ideal for applications handling high-value keys and meeting stringent security, compliance, and regulatory requirements.
Cryptographic Key Representation:
Cryptographic keys within Azure Key Vault are represented as JSON Web Key (JWK) objects. The relevant specifications mentioned are:
- JSON Web Key (JWK)
- JSON Web Encryption (JWE)
- JSON Web Algorithms (JWA)
- JSON Web Signature (JWS)
The base JWK/JWA specifications are extended to include key types unique to Azure Key Vault and Managed HSM implementations.
Key Protection and Processing:
-
HSM-Protected Keys:
- Processing: Handled within a Hardware Security Module (HSM), maintaining an HSM protection boundary.
- Vaults use FIPS 140-2 Level 2 validated HSMs for shared HSM backend infrastructure.
- Managed HSMs use FIPS 140-2 Level 3 validated HSM modules, providing cryptographic isolation in single-tenant HSM pools.
-
Software-Protected Keys:
- Supported in both Vaults and Managed HSMs, with specific key types for each.
- Compliance standards: FIPS 140-2 Level 1 for software-protected keys in vaults (Premium & Standard SKUs), FIPS 140-2 Level 2 for HSM-protected keys in vaults (Premium SKU), and FIPS 140-2 Level 3 for HSM-protected keys in Managed HSMs.
Key Types and Protection Methods:
HSM-Protected Keys:
-
EC-HSM (Elliptic Curve):
- Supported Key Types: P-256, P-384, P-521, secp256k1/P-256K.
-
RSA-HSM (RSA):
- Supported Key Types: 2048-bit, 3072-bit, 4096-bit.
-
oct-HSM (Symmetric):
- Supported Key Types: 128-bit, 192-bit, 256-bit.
Software-Protected Keys:
-
RSA:
- Supported Key Types: 2048-bit, 3072-bit, 4096-bit (in Vaults).
-
EC:
- Supported Key Types: P-256, P-384, P-521, secp256k1/P-256K (in Vaults).
Compliance and Usage Scenarios:
-
Compliance:
- FIPS 140-2 Level 1 for software-protected keys in vaults (Premium & Standard SKUs).
- FIPS 140-2 Level 2 for HSM-protected keys in vaults (Premium SKU).
- FIPS 140-2 Level 3 for HSM-protected keys in Managed HSMs.
-
Usage Scenarios:
- Azure server-side data encryption with customer-managed keys.
- Client-side data encryption with Azure Key Vault.
- Keyless TLS using key client libraries.
Next Steps:
-
Key Management in Azure:
- In-depth information about managing keys in Azure, including Azure Key Vault and Managed HSM.
-
Additional Resources:
- Further details about Key Vault, Managed HSM, secrets, certificates, and the Key Vault REST API.
This comprehensive overview showcases the depth and breadth of knowledge in Azure Key Vault and cryptographic key management, providing a solid foundation for understanding and implementing secure key storage and usage in Azure environments.
