Import HSM-protected keys to Key Vault
For added assurance, when you use Azure Key Vault, you can import or generate keys in hardware security modules (HSMs) that never leave the HSM boundary. This scenario is often referred to as bring your own key, or BYOK. Azure Key Vault uses FIPS 140 validated HSMs to protect your keys.
Note
For more information about Azure Key Vault, see What is Azure Key Vault?
For a getting started tutorial, which includes creating a key vault for HSM-protected keys, see What is Azure Key Vault?.
Supported HSMs
Transferring HSM-protected keys to Key Vault is supported via two different methods depending on the HSMs you use. Use this table to determine which method should be used for your HSMs to generate, and then transfer your own HSM-protected keys to use with Azure Key Vault.
| Vendor Name | Vendor Type | Supported HSM models | Supported HSM-key transfer method |
|---|---|---|---|
| Cryptomathic | ISV (Enterprise Key Management System) | Multiple HSM brands and models including
|
Use new BYOK method |
| Entrust | Manufacturer, HSM as a Service |
|
Use new BYOK method |
| Fortanix | Manufacturer, HSM as a Service |
|
Use new BYOK method |
| Futurex | Manufacturer, HSM as a Service |
|
Use new BYOK method |
| IBM | Manufacturer | IBM 476x, CryptoExpress | Use new BYOK method |
| Marvell | Manufacturer | All LiquidSecurity HSMs with
|
Use new BYOK method |
| nCipher | Manufacturer, HSM as a Service |
|
Method 1: nCipher BYOK (deprecated). This method will not be supported after June 30, 2021 Method 2: Use new BYOK method (recommended) See the Entrust row. |
| Securosys SA | Manufacturer, HSM as a service |
Primus HSM family, Securosys Clouds HSM | Use new BYOK method |
| StorMagic | ISV (Enterprise Key Management System) | Multiple HSM brands and models including
|
Use new BYOK method |
| Thales | Manufacturer |
|
Use new BYOK method |
| Utimaco | Manufacturer, HSM as a service |
u.trust Anchor, CryptoServer | Use new BYOK method |
| Yubico | Manufacturer | YubiHSM 2 | Use new BYOK method |
Next steps
- Review the Key Vault security overview to ensure security, durability and monitoring for your keys.
- Refer to BYOK specification for a complete description of the new BYOK method