Connect to Azure
In this guide, you will learn how to connect the Securosys EKM Proxy (that you deployed in the previous step) to Azure Key Vault through Azure Managed HSM.
Access to Deployed EKM Proxy
Ensure your host is accessible via a domain name to make your EKM Proxy available to connect with Azure Managed HSM. This guide assumes that this is already completed and will not cover this configuration.
Configure mTLS and Access Control
The Azure Managed HSM authenticates to the EKM Proxy using a client X509 certificate, while the proxy’s server certificate must be issued by the Certificate Authority (CA) set within Managed HSM during external key management configuration. The subject common name (CN) of the server certificate must correspond to either the domain of the EKM Proxy endpoint or a CN configured within the Managed HSM .
For instance, if the EKM Proxy host is
server.ekmproxy.example.com, then the CN should be either
server.ekmproxy.example.com or *.ekmproxy.example.com.
The EKM Proxy natively supports mTLS by rejecting requests without a valid client certificate.
Obtain Managed HSM Client Certificate and Common Name
To follow the guide, ensure the required permissions are available on Azure Portal. See Prerequisites for more information.
-
Log in to your Azure subscription via CLI with your Managed HSM which has EKM enabled.
-
Get the client certificate from your Managed HSM by running the following command:
az keyvault ekm-connection certificate show --hsm-name <MHSM Name> -
Update and configure the EKM Proxy with the Managed HSMs client certificate’s subject common name (CN) and the certificate to authenticate the Managed HSM requests to the proxy in the
application.ymlfile. See Define the Application Config. -
Restart the EKM Proxy so the change takes effect.
Create EKM Connection
After updating the EKM Proxy with the Managed HSM certificate you will establish an mTLS connection between your Managed HSM and the deployed EKM Proxy. You will require the root of EKM Proxy TLS certificate (chain), specified in the Application Config.
- Use the following Azure CLI command to create a new connection:
az keyvault ekm-connection create \
--hsm-name <MHSM Name> \
--host <EKMProxy Host Name> \
--server-ca-certificate <Root cert of EKM Proxy server TLS certificate> \
[--path-prefix <EKMProxy Path Prefix>]
- Verify the connection with:
az keyvault ekm-connection check --hsm-name <MHSM Name>
Example output:
{
"apiVersion": "1.0.0",
"ekmProduct": "CLP-US02-HM06 RE-3.2.11",
"ekmVendor": "Securosys",
"proxyName": "Securosys EKM Proxy v1.0.0",
"proxyVendor": "Securosys"
}
This is an overall EKM Connectivity check. Therefore it will not perform key specific checks like presence of an external key and authorization to it.
Example EKM Proxy logs from a successful connectivity check:
azure_ekm_proxy | 2026.06.06 20:53:15.265 INFO [nio-8080-exec-5] [rBase.[Tomcat].[localhost].[/]] Initializing Spring DispatcherServlet 'dispatcherServlet'
azure_ekm_proxy | 2026.06.06 20:53:15.266 INFO [nio-8080-exec-5] [.web.servlet.DispatcherServlet] Initializing Servlet 'dispatcherServlet'
azure_ekm_proxy | 2026.06.06 20:53:15.270 INFO [nio-8080-exec-5] [.web.servlet.DispatcherServlet] Completed initialization in 3 ms
azure_ekm_proxy | 2026.06.06 20:53:15.391 INFO [nio-8080-exec-5] [ness.controller.InfoController] Info request: GetProxyInfoRequest(request_context=RequestContext(request_id=b305bb77-797c-11f1-a047-c60f57e75ffd, correlation_id=b5493c4a-797c-11f1-b27a-6045bd7604b0, pool_name=Securosys-EKM-MHSM))
azure_ekm_proxy | 2026.06.06 20:53:15.393 INFO [nio-8080-exec-5] [ness.controller.InfoController] Api version: 0.1-preview
azure_ekm_proxy | 2026.06.06 20:53:15.401 INFO [nio-8080-exec-5] [km.business.service.HsmService] Setup configuration latency for each request: 0 ms
For proper operation, the Securosys EKM Proxy is expected to respond to API requests within 250 milliseconds. If Azure Managed HSM does not receive a response within this time window, the request will time out.
Create External Key
After establishing a connection with the EKM Proxy, create a customer managed external Key which will be linked with a key on your Primus HSM or CloudHSM Partition. This step expects that a key is already created on the HSM.
Creating keys is made simple with the Securosys CyberVault KMS. Alternatively, you can create keys with any of our APIs. View a list of available APIs here.
Azure EKM only supports the following keys and key sizes:
- AES-256
- RSA-2048, RSA-3072, RSA-4096
Execute the following command to create an external key entry in Azure Key Vault:
az keyvault key create --hsm-name <MHSM Name> \
--external-key-id <Name of the Key in Primus HSM or CloudHSM> \
--name <Name of Key reference to be created in MHSM>
An external key can also be created through the Azure Portal. See Manage keys in an Azure Key Vault Managed HSM for more information.
Repeat this for as many keys as you need.
Enable CMK using External Key
After creating your Azure External Key for Managed HSM with EKM, proceed by enabling Customer Managed Keys for your Azure Storage Encryption. See Azure services supporting CMK.
When Azure Services performs crypto operations against the External Managed HSM Key, Managed HSM communicates with the EKM Proxy via Proxy API to perform the requested operation in your on-premise Primus HSM or your CloudHSM Partition.
Troubleshooting
In case you're having issues with your Azure Managed HSM look for EKM Proxy events within your Azure Managed HSM Diagnostic Logs
Look for new events with OperationName:
EkmGetKeyMetadataEkmGetProxyInfoEkmUnwrapKeyEkmWrapKey
Example diagnostic log query:
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| project TimeGenerated, Resource, OperationName, requestUri_s, ResultType, ResultDescription
| where OperationName contains "Ekm"
For issues with the Securosys EKM Proxy, inspect the Docker container logs: docker logs azure_ekm_proxy
For issues with the Primus HSM, ask your HSM administrator to look at the Primus HSM Security Log.