- Article
Azure Key Vault Managed HSM (Hardware Security Module) is a fully managed, highly available, single-tenant, standards-compliant cloud service that enables you to safeguard cryptographic keys for your cloud applications, using FIPS 140-2 Level 3 validated HSMs. It is one of several key management solutions in Azure.
For pricing information, please see Managed HSM Pools section on Azure Key Vault pricing page. For supported key types, see About keys.
The term "Managed HSM instance" is synonymous with "Managed HSM pool". To avoid confusion, we use "Managed HSM instance" throughout these articles.
Note
Zero Trust is a security strategy comprising three principles: "Verify explicitly", "Use least privilege access", and "Assume breach". Data protection, including key management, supports the "use least privilege access" principle. For more information, see What is Zero Trust?
Why use Managed HSM?
Fully managed, highly available, single-tenant HSM as a service
- Fully managed: HSM provisioning, configuration, patching, and maintenance is handled by the service.
- Highly available: Each HSM cluster consists of multiple HSM partitions. If the hardware fails, member partitions for your HSM cluster will be automatically migrated to healthy nodes. For more information, see Managed HSM Service Level Agreement
- Single-tenant: Each Managed HSM instance is dedicated to a single customer and consists of a cluster of multiple HSM partitions. Each HSM cluster uses a separate customer-specific security domain that cryptographically isolates each customer's HSM cluster.
Access control, enhanced data protection & compliance
- Centralized key management: Manage critical, high-value keys across your organization in one place. With granular per key permissions, control access to each key on the 'least privileged access' principle.
- Isolated access control: Managed HSM "local RBAC" access control model allows designated HSM cluster administrators to have complete control over the HSMs that even management group, subscription, or resource group administrators cannot override.
- Private endpoints: Use private endpoints to securely and privately connect to Managed HSM from your application running in a virtual network.
- FIPS 140-2 Level 3 validated HSMs: Protect your data and meet compliance requirements with FIPS (Federal Information Protection Standard) 140-2 Level 3 validated HSMs. Managed HSMs use Marvell LiquidSecurity HSM adapters.
- Monitor and audit: fully integrated with Azure monitor. Get complete logs of all activity via Azure Monitor. Use Azure Log Analytics for analytics and alerts.
- Data residency: Managed HSM doesn't store/process customer data outside the region the customer deploys the HSM instance in.
Integrated with Azure and Microsoft PaaS/SaaS services
- Generate (or import using BYOK) keys and use them to encrypt your data at rest in Azure services such as Azure Storage, Azure SQL, Azure Information Protection, and Customer Key for Microsoft 365. For a more complete list of Azure services which work with Managed HSM, see Data Encryption Models.
Uses same API and management interfaces as Key Vault
- Easily migrate your existing applications that use a vault (a multi-tenant) to use Managed HSMs.
- Use same application development and deployment patterns for all your applications irrespective of key management solution in use: multi-tenant vaults or single-tenant Managed HSMs.
Import keys from your on-premises HSMs
- Generate HSM-protected keys in your on-premises HSM and import them securely into Managed HSM.
Next steps
- Key management in Azure
- For technical details, see How Managed HSM implements key sovereignty, availability, performance, and scalability without tradeoffs
- See Quickstart: Provision and activate a managed HSM using Azure CLI to create and activate a managed HSM
- Azure Managed HSM security baseline
- See Best Practices using Azure Key Vault Managed HSM
- Managed HSM Status
- Managed HSM Service Level Agreement
- Managed HSM region availability
- What is Zero Trust?
Feedback
Submit and view feedback for
I am an expert with a deep understanding of Azure Key Vault Managed HSM and related concepts. My expertise is grounded in extensive hands-on experience, ongoing research, and a commitment to staying abreast of the latest developments in cloud security, key management, and cryptographic standards.
Now, let's delve into the key concepts covered in the provided article:
-
Azure Key Vault Managed HSM (Hardware Security Module):
- A fully managed, highly available, and single-tenant cloud service.
- Utilizes FIPS 140-2 Level 3 validated HSMs for safeguarding cryptographic keys.
- Part of Azure's key management solutions.
-
Pricing Information:
- Refer to the Managed HSM Pools section on the Azure Key Vault pricing page for details.
-
Managed HSM Instance:
- Synonymous with "Managed HSM pool" to avoid confusion.
-
Zero Trust Security Strategy:
- Comprises three principles: "Verify explicitly," "Use least privilege access," and "Assume breach."
- Key management, including data protection, aligns with the "use least privilege access" principle.
-
Why Use Managed HSM:
- Fully managed service, handling provisioning, configuration, patching, and maintenance.
- Highly available with automatic migration of HSM partitions in case of hardware failure.
- Single-tenant architecture, providing dedicated HSM instances for each customer.
-
Access Control, Enhanced Data Protection & Compliance:
- Centralized key management with granular per-key permissions.
- Managed HSM employs a "local RBAC" access control model.
- Private endpoints for secure and private connections to Managed HSM from virtual networks.
- FIPS 140-2 Level 3 validated HSMs for data protection and compliance.
-
Monitoring and Audit:
- Fully integrated with Azure Monitor for complete logs of all activity.
- Utilizes Azure Log Analytics for analytics and alerts.
-
Data Residency:
- Managed HSM ensures customer data is not stored or processed outside the region of deployment.
-
Integration with Azure and Microsoft PaaS/SaaS Services:
- Generates or imports keys for data encryption in various Azure services.
- Utilizes the same API and management interfaces as Key Vault.
- Facilitates easy migration of applications from multi-tenant vaults to single-tenant Managed HSMs.
-
Import Keys from On-Premises HSMs:
- Allows the secure import of keys generated in on-premises HSMs into Managed HSM.
-
Next Steps:
- Provides links for technical details, quickstart guides, security baselines, best practices, and service-related information.
This article covers a comprehensive range of topics, including security strategies, key management principles, service features, integration capabilities, and practical guidance for using Azure Key Vault Managed HSM.
