A Hardware Security Module (HSM) is a crypto appliance for securing encryption keys (and other kinds of secrets). And it's available as a service in Azure, which is really cool. Ok, we have to admit that Amazon was first with this kind of service. But Azure Key Vault seems like a smarter implementation with a much nicer price tag.
So how can we use this feature? One example is to store encryption keys. Let's say you have a web server in Azure and a public certificate for that web service. Then you can store the encryption keys in the Key Vault instead of in the file system of the server. Another example is to encrypt a SQL Server using the SQL Server Connector for Key Vault. Or you can simply deploy an encrypted virtual machine with CloudLink SecureVM and store the master key in the Key Vault.
What other nice things are there? The Key Vault uses FIPS 140-2 Level 2 validated HSMs from Thales, and Common Criteria EAL4+ certification is pending for the HSMs, which is really nice. You also get the option to establish vaults in multiple Azure datacenters to make it globally redundant. And it seems possible to sync with an existing, internal HSM farm as well.
So now we are (finally) talking about some really cool Azure functions! And I must admit that I missed that it was in preview, even though I've heard whispers about it for a long time. But if you are into security and encryption you should definitely have a look!
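A provisioning script for the first scenario above (keeping the web server's key in an HSM-backed vault instead of on its file system), added here as an example and not taken from the original post. It assumes the current Az PowerShell module and an already authenticated session; the resource group, vault name and identity object id are placeholder values.

```powershell
# Added example (not from the original post): provision an HSM-backed key in
# Azure Key Vault Premium and grant a web server's managed identity only the
# rights it needs. Assumes the Az module and a prior Connect-AzAccount.

$ResourceGroup  = 'rg-web-prod'                              # placeholder
$VaultName      = 'kv-web-prod-0001'                         # placeholder (must be globally unique)
$Location       = 'westeurope'
$WebAppObjectId = '00000000-0000-0000-0000-000000000000'     # placeholder: managed identity object id

# Premium is the HSM-backed tier (the FIPS 140-2 Level 2 HSMs mentioned in the post).
# Purge protection keeps anyone, admins included, from permanently deleting the
# vault or its keys before the retention period has passed.
$vault = New-AzKeyVault -Name $VaultName -ResourceGroupName $ResourceGroup -Location $Location `
                        -Sku Premium -EnablePurgeProtection

# -Destination HSM generates the key inside the HSM, so the private material never
# leaves it. Restrict the key to the two operations envelope encryption needs and
# give it an expiry so rotation is forced rather than forgotten.
$key = Add-AzKeyVaultKey -VaultName $VaultName -Name 'web-master-key' -Destination HSM `
                         -KeyOps wrapKey,unwrapKey -Expires (Get-Date).AddYears(1)

# Least privilege: the web server identity can use the key but cannot list, export,
# update or delete keys in the vault.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $WebAppObjectId `
                           -PermissionsToKeys get,wrapKey,unwrapKey

# Check: an HSM-protected RSA key reports key type 'RSA-HSM'; anything else means
# the key ended up software-protected and the deployment should be stopped.
$check = Get-AzKeyVaultKey -VaultName $VaultName -Name 'web-master-key'
if ($check.Key.Kty -ne 'RSA-HSM') {
    throw "Key '$($check.Name)' is not HSM-protected (kty = $($check.Key.Kty))"
}
"Vault $($vault.VaultUri) ready; key id: $($key.Id)"
```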
More info can be found on the Azure site and on The Official Azure Key Vault Team Blog.
What do you think about using Azure Key Vault to establish a certification authority to issue legally binding digital signature certificates?
Do you think that it would provide compliance in any country?
Hi, sorry for my late reply. But I've been off the grid for a while.
I would love it! But it's not supported right now (at least not to my knowledge). Hopefully it will be, but no info about it yet!
Hi, just for your reference, I've started working on an integration between EJBCA (open source CA software) and Azure Key Vault and I have successfully developed a prototype integration between them.
Anyway, when I can complete this integration with production quality I will be posting to the EJBCA mailing list on this thread, https://sourceforge.net/p/ejbca/mailman/message/35920574/.
Regards.
That's really cool! I'll follow that with great interest!