Azure Managed HSM (Hardware Security Module) is a fully managed, highly available, single-tenant, standards-compliant cloud service that enables users to safeguard cryptographic keys and other sensitive information using FIPS 140-2 Level 3 validated HSMs. It lets organizations perform cryptographic operations within a hardware-protected boundary. Azure Managed HSM supports a wide range of applications, from managing digital signatures and encryption keys to protecting data in transit and at rest, and it integrates with other Azure services. Azure Managed HSM provides the user with the following functionalities:

  • Create
  • Backup
  • Delete / Purge
  • Restore
  • Sign


ADSS Server uses Azure Managed HSM to store and use cryptographic keys within the Azure environment. This is a license-based feature and is only available to ADSS Server users if it is enabled in the license.

A new Crypto Source can be created in ADSS Server > Key Manager. Click the '+' button on the Crypto Source screen; the following form is presented:



Once the required information in Profile Identification has been filled in, click the Save button; the Profile Settings screen is then displayed:



The fields on this screen are described below:

Status
    Sets the status of this Crypto Profile. If the status is set to Inactive, the profile cannot be used to generate or read keys for signing purposes.

Friendly Name
    Enter a friendly name for this crypto device. The name must be unique within this ADSS Server environment.

Crypto Source Type
    Select Azure Managed HSM from the drop-down menu.

DNS Name
    The DNS name of the Azure Managed HSM. ADSS Server sends key operation requests (create key, delete key, sign, etc.) to this host; the access token obtained from the OAuth 2.0 token endpoint is passed with each request.

OAuth 2.0 Token Endpoint
    The URL used to authenticate the client against Azure Active Directory and obtain an access token.

Application ID
    The unique ID (client ID) assigned when the application is registered in Azure Active Directory.

Key
    The client secret generated when the application is registered in Azure Active Directory. It acts as the application's password.

    A key can be created without an expiry (unlimited lifetime), but this is not recommended for security reasons. If it is created with a validity of one to two years (the recommended approach), record the expiry date in a calendar and renew the key before the current one expires; once the key has expired, ADSS Server can no longer obtain access tokens and signing with this Crypto Source fails.

Enable Key Backup & Restore
    If this checkbox is enabled, ADSS Server backs up each key when it is created and restores it into the HSM before each signing operation.

    Note that enabling this checkbox has a significant impact on ADSS Server performance, since every signature then requires the additional restore and removal operations.

Do not instantly remove key from Azure after signing
    This option is only available if the above checkbox is enabled. When enabled, the key is not removed from Azure Managed HSM immediately after signing; it is kept in the HSM for the time interval configured below.

    It is recommended to enable this checkbox when the same signing key is used at regular intervals, for example for SAM eSeal signing, so that the key does not have to be restored for every signature.

Remove the keys after (seconds)
    The time period (in seconds) after which a cached signing key is permanently removed from the Azure Managed HSM.

ADSS Server does not support importing keys into or exporting keys from Azure Managed HSM.
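The fields above describe an OAuth 2.0 client-credentials flow against Azure Active Directory followed by REST calls to the Managed HSM, and the backup/restore options turn a single signature into several HSM round trips. The following Python is an added example, not ADSS Server's or Microsoft's code, sketching how those settings are used: the Profile class mirrors the form fields, the token scope, REST paths and JSON bodies follow the public Azure Managed HSM REST API (api-version 7.4), and the HTTP transport is injected so the flow runs offline against a constructed fake HSM. All class and function names and all sample values (DNS name, tenant, application ID, secret) are assumptions.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Http = Callable[[str, str, Dict[str, str], dict], Tuple[int, dict]]  # (method, url, headers, body)
SCOPE = "https://managedhsm.azure.net/.default"  # token audience for Managed HSM (v2.0 token endpoint)

@dataclass
class Profile:
    """The Crypto Source fields from the page (class and field names are assumptions)."""
    dns_name: str        # e.g. contosohsm.managedhsm.azure.net (constructed)
    token_endpoint: str  # OAuth 2.0 token endpoint of the Azure AD tenant
    application_id: str  # application (client) ID of the app registration
    key: str             # client secret; never log or echo it
    api_version: str = "7.4"

def acquire_token(p: Profile, http: Http) -> str:
    """Client-credentials grant: Application ID + Key are exchanged for a bearer token."""
    form = {"grant_type": "client_credentials", "client_id": p.application_id,
            "client_secret": p.key, "scope": SCOPE}
    status, body = http("POST", p.token_endpoint, {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200 or body.get("token_type") != "Bearer":
        raise RuntimeError(f"token request failed: HTTP {status}")  # never include the form (secret) here
    return body["access_token"]

def hsm_call(p: Profile, token: str, http: Http, method: str, path: str, body: Optional[dict] = None) -> dict:
    """Every key operation goes to the DNS Name, carrying the token in the Authorization header."""
    status, resp = http(method, f"https://{p.dns_name}/{path}?api-version={p.api_version}",
                        {"Authorization": f"Bearer {token}"}, body or {})
    if status // 100 != 2:
        raise RuntimeError(f"{method} {path} failed: HTTP {status}")
    return resp

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def remove_key(p: Profile, token: str, http: Http, name: str) -> None:
    hsm_call(p, token, http, "DELETE", f"keys/{name}")         # soft delete (always on in Managed HSM)
    hsm_call(p, token, http, "DELETE", f"deletedkeys/{name}")  # purge, so the name can be restored later

def create_and_backup(p: Profile, token: str, http: Http, name: str) -> str:
    """'Enable Key Backup & Restore': create, take the backup blob, then remove the live key.
    The blob only restores into a Managed HSM that shares the same security domain."""
    hsm_call(p, token, http, "POST", f"keys/{name}/create",
             {"kty": "RSA-HSM", "key_size": 3072, "key_ops": ["sign", "verify"]})
    blob = hsm_call(p, token, http, "POST", f"keys/{name}/backup")["value"]
    remove_key(p, token, http, name)
    return blob

def restore_and_sign(p: Profile, token: str, http: Http, name: str, blob: str, data: bytes,
                     remove_immediately: bool = True) -> str:
    """Restore the key, sign the SHA-256 digest of data, then remove the key again unless
    'Do not instantly remove key from Azure after signing' applies (removal happens later)."""
    kid = hsm_call(p, token, http, "POST", "keys/restore", {"value": blob})["key"]["kid"]
    sig = hsm_call(p, token, http, "POST", f"keys/{name}/{kid.rsplit('/', 1)[-1]}/sign",
                   {"alg": "RS256", "value": b64url(hashlib.sha256(data).digest())})["value"]
    if remove_immediately:
        remove_key(p, token, http, name)
    return sig

class FakeManagedHsm:
    """Constructed offline stand-in for the token endpoint and the HSM REST surface."""
    def __init__(self, p: Profile):
        self.p, self.keys, self.calls, self.prefix = p, {}, [], f"https://{p.dns_name}/"

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: dict) -> Tuple[int, dict]:
        if url == self.p.token_endpoint:
            ok = body.get("client_id") == self.p.application_id and body.get("client_secret") == self.p.key
            return (200, {"token_type": "Bearer", "access_token": "tok-1"}) if ok else (401, {})
        if headers.get("Authorization") != "Bearer tok-1" or not url.startswith(self.prefix):
            return 401, {}
        path = url[len(self.prefix):].split("?")[0].split("/")  # e.g. ["keys", "sealkey", "v5", "sign"]
        self.calls.append(f"{method} {'/'.join(path)}")
        name = body["value"][5:] if path == ["keys", "restore"] else path[1]  # fake blob is "blob:<name>"
        if path[-1] in ("create", "restore"):
            if name in self.keys:
                return 409, {}  # a live key of that name blocks create and restore alike
            self.keys[name] = f"{self.prefix}keys/{name}/v{len(self.calls)}"
            return 200, {"key": {"kid": self.keys[name]}}
        if path[-1] == "backup" and name in self.keys:
            return 200, {"value": f"blob:{name}"}
        if path[-1] == "sign" and self.keys.get(name, "").endswith("/" + path[2]):
            return 200, {"value": b64url(hashlib.sha256(body["value"].encode()).digest())}
        if method == "DELETE" and path[0] == "keys" and self.keys.pop(name, None):
            return 200, {}
        if method == "DELETE" and path[0] == "deletedkeys":
            return 204, {}
        return 404, {}

def demo() -> dict:
    p = Profile("contosohsm.managedhsm.azure.net", "https://login.microsoftonline.com/contoso/oauth2/v2.0/token",
                "11111111-2222-3333-4444-555555555555", "constructed-client-secret")
    hsm = FakeManagedHsm(p)
    token = acquire_token(p, hsm)
    blob = create_and_backup(p, token, hsm, "sealkey")
    sig = restore_and_sign(p, token, hsm, "sealkey", blob, b"document to seal")
    return {"signature": sig, "calls": hsm.calls, "live_keys": sorted(hsm.keys)}
```

Counting the recorded calls shows where the performance cost noted above comes from: with backup and restore enabled, one signature costs a restore, the sign itself, a delete and a purge on top of the token request, and while a key is kept in the HSM after signing, a second restore of the same name is refused until it has been removed, which is why the removal interval has to be managed explicitly.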



See also

PKCS#11 Standard
Utimaco CryptoServer CP5 HSM
Thales Luna K7 Cryptographic Module
nCipher nShield Solo XC Cryptographic Module
Azure Key Vault
AWS CloudHSM
Azure Managed HSM
MS-CAPI/CNG
Importing Existing Keys