Azure Managed HSM
Azure Managed HSM (Hardware Security Module) is a fully managed, highly available, single-tenant, standards-compliant cloud service that enables users to safeguard cryptographic keys and other sensitive information, using FIPS 140-2 Level 3 validated HSMs. It provides organizations with the ability to perform cryptographic operations within a highly secure boundary. Azure Managed HSM supports a wide range of applications, from managing digital signatures and encryption keys to protecting data in transit and at rest. It integrates seamlessly with other Azure services, offering a comprehensive security solution that is both scalable and easy to manage. Azure Managed HSM provides the user with the following functionalities:
- Create
- Backup
- Delete/ Purge Delete
- Restore
- Sign
ADSS Server will utilize the Azure Managed HSM to store and use cryptographic keys within the Windows Azure environment. It is a licensed based feature which will only be available to ADSS Server users if its enabled in the license.
A new Crypto Source can be created in ADSS Server > Key Manager. Press the New button in the Crypto Source Screen to do so. The following form is presented:
The above page is described here:
Items |
Description |
||
Status |
Set the status of this Crypto Profile. If the status is set to Inactive then it can not be used to generate or read the keys for singing purposes. |
||
Friendly Name |
Enter a friendly name for this Crypto device. The name should be unique within this ADSS Server environment. |
||
Crypto Source Type |
Select Azure Key Vault from the drop-down menu. |
||
DNS Name |
It will be used to send requests to perform key operations like create key, delete key, sign etc. Received access token is passed in the request also. |
||
Endpoint OAuth 2.0 Token |
This URL will be used to authenticate the client from the Azure Active Directory. |
||
Application ID |
A Unique ID is assigned when an application is registered on the Azure Active Directory. |
||
Key |
A symmetric key hash when application is registered on the Azure Active Directory (acts as password).
|
||
Enable Key Backup & Restore |
If this checkbox is enabled, the operator will be able to perform key backup during key creation and restore during signing operations.
|
||
Do not instantly remove key from Azure after signing |
This option will only be available if the above checkbox is enabled. By enabling this checkbox, the key will not be removed from Azure Managed HSM immediately. The signing key will be cached for specific time interval after signing.
|
||
Remove the keys after (seconds) |
This field allows the user to enter the time period (in seconds) after which the key will be permanently removed from the Azure Managed HSM. |
There is no import/export key mechanism supported in ADSS Server from Azure Managed HSM. |
See also
Utimaco CryptoServer CP5 HSM
Thales Luna K7 Cryptographic Module
nCipher nShield Solo XC Cryptographic Module
Azure Key Vault
AWS CloudHSM
Azure Managed HSM
MS-CAPI/CNG
Importing Existing Keys