Hardware security module integration with Azure VMs

Question

Hardware security module integration with Azure VMs

Vishnu Anand 285

Is there any option available to connect a physical Hardware Security Module (HSM) to an Azure VM, or is the only option to use the Dedicated HSM in the Azure portal?

Answer accepted by question author

1 additional answer

Your answer

Answer 1

Prrudram-MSFT 28,486 Microsoft Employee Moderator

Hi @Vishnu Anand

Thank you for reaching out to the Microsoft Q&A platform.

There is no direct option available to connect a physical Hardware Security Module (HSM) to an Azure VM. To connect a physical Hardware Security Module (HSM), you have to use the Azure Dedicated HSM service. This service provides a physical device for sole customer use with complete administrative control and management responsibility. The device made available is a Thales Luna 7 HSM model A790. Microsoft will have no administrative access once provisioned by a customer, beyond physical serial port attachment as a monitoring role. As a result, customers are responsible for typical operational activities including comprehensive monitoring and log analysis.
Ref: https://v4.hkg1.meaqua.org/en-us/azure/dedicated-hsm/overview

Alternatively, you can use Azure Key Vault to store and manage cryptographic keys and secrets. Azure Key Vault supports HSM-protected keys, which are stored in FIPS 140-2 Level 2 validated HSMs. This provides an additional layer of protection for your keys and secrets.
Ref: https://v4.hkg1.meaqua.org/en-us/azure/key-vault/keys/hsm-protected-keys

If I have answered your query, please click "Accept as answer" as a token of appreciation

Vishnu Anand 285 Reputation points

2024-05-24T06:16:09.94+00:00

@Prrudram-MSFT , Thank you for your update. Once we have purchased the Azure Dedicated HSM service, can we establish a connection between it and our physical HSMs? I read a thread mentioning that on-premises HSMs can sync with Azure Dedicated HSM. Does this require an on-premises Active Directory setup? Could you please clarify that?
Prrudram-MSFT 28,486 Reputation points Microsoft Employee Moderator

2024-05-24T09:15:02.5033333+00:00

@Vishnu Anand

Yes, it is possible to establish a connection between your on-premises HSMs and Azure Dedicated HSM. This can be done using the Azure Dedicated HSM service's Bring Your Own HSM Key. With BYOK, you can use your own HSMs to generate and store keys in Azure Key Vault, while still benefiting from the security and compliance features of Azure Key Vault. To use BYOK, you need to have a compatible HSM that meets the Azure Dedicated HSM service's requirements. You can then follow the steps in the Azure documentation to configure your HSM and establish a connection between it and Azure Dedicated HSM.
Regarding your question about on-premises Active Directory setup as far as I know, it is not required for BYOK. However, if you want to use Azure AD to authenticate to your on-premises HSMs, you can use Azure AD Domain Services to provide domain services without the need for on-premises domain controllers. This allows you to use Azure AD to authenticate to your on-premises resources, including your HSMs.
I would recommend reaching out to azure dedicated HSM support once ahead of implementation phase for clarification.
Vishnu Anand 285 Reputation points

2024-06-03T11:03:59.5533333+00:00

@Prrudram-MSFT ,Once we have uploaded the certificate, how can we assign this certificate to the build created inside an Azure VM to sign the code?. The builds are created using install4j

Answer 2

Ellite Harry 0

You cannot directly connect a physical HSM device to an Azure VM. In Azure, the supported option is to use Azure Dedicated HSM or Azure Key Vault Managed HSM for hardware-backed key management. This ensures compliance, security, and seamless integration with Azure services. Hope it helps!

Share via

Hardware security module integration with Azure VMs

1 additional answer

Your answer