Les på engelsk Rediger

Del via

Import HSM-protected keys to Key Vault

  • Artikkel

For added assurance, when you use Azure Key Vault, you can import or generate keys in hardware security modules (HSMs) that never leave the HSM boundary. This scenario is often referred to as bring your own key, or BYOK. Azure Key Vault uses FIPS 140 validated HSMs to protect your keys.

Obs!

For more information about Azure Key Vault, see What is Azure Key Vault?
For a getting started tutorial, which includes creating a key vault for HSM-protected keys, see What is Azure Key Vault?.

Supported HSMs

Transferring HSM-protected keys to Key Vault is supported via two different methods depending on the HSMs you use. Use this table to determine which method should be used for your HSMs to generate, and then transfer your own HSM-protected keys to use with Azure Key Vault.

Vendor Name Vendor Type Supported HSM models Supported HSM-key transfer method
Cryptomathic ISV (Enterprise Key Management System) Multiple HSM brands and models including
  • nCipher
  • Thales
  • Utimaco
See Cryptomathic site for details		 Use new BYOK method
Entrust Manufacturer,
HSM as a Service
  • nShield family of HSMs
  • nShield as a service
 Use new BYOK method
Fortanix Manufacturer,
HSM as a Service
  • Self-Defending Key Management Service (SDKMS)
  • Equinix SmartKey
 Use new BYOK method
Futurex Manufacturer,
HSM as a Service
  • CryptoHub
  • CryptoHub Cloud
  • KMES Series 3
 Use new BYOK method
IBM Manufacturer IBM 476x, CryptoExpress Use new BYOK method
Marvell Manufacturer All LiquidSecurity HSMs with
  • Firmware version 2.0.4 or later
  • Firmware version 3.2 or newer
 Use new BYOK method
nCipher Manufacturer,
HSM as a Service
  • nShield family of HSMs
  • nShield as a service
 Method 1: nCipher BYOK (deprecated). This method will not be supported after June 30, 2021
Method 2: Use new BYOK method (recommended)
See the Entrust row.
Securosys SA Manufacturer,
HSM as a service		 Primus HSM family, Securosys Clouds HSM Use new BYOK method
StorMagic ISV (Enterprise Key Management System) Multiple HSM brands and models including
  • Utimaco
  • Thales
  • nCipher
See StorMagic site for details		 Use new BYOK method
Thales Manufacturer
  • Luna HSM 7 family with firmware version 7.3 or newer
 Use new BYOK method
Utimaco Manufacturer,
HSM as a service		 u.trust Anchor, CryptoServer Use new BYOK method
Yubico Manufacturer YubiHSM 2 Use new BYOK method

Next steps