Azure Managed HSM External Key Management
Azure Managed HSM external key management within Azure's Key Vault portfolio is a feature set for managing encryption keys outside core cloud infrastructure while still using them to protect data in Azure services. This feature supports regulatory and sovereignty demands by ensuring cryptographic material resides under the customer’s governance rather than the cloud provider’s.
External key management keeps cryptographic key operations and control wholly outside Azure's environment, never moving the keys into the cloud. Azure services call out to the external HSM for cryptographic operations. The connection between Azure and the external HSM is done through an "EKM Proxy". This is in contrast with Azure Bring Your Own Key (BYOK), which allows customers to generate keys outside the cloud and permanently import them into Azure Key Vault for in-cloud use.
Azure EKM stems from compliance and audit requirements in regulated industries (financial services, healthcare, government, data sovereignty regimes) where independent proof of custodian control is mandated. Customers pursuing these models require FIPS 140-3 Level 3 or higher HSM certifications, Common Criteria validations, and stringent logging/audit trails to satisfy auditors and regulators that key material and usage are outside cloud provider access and control, reducing risks of unauthorized access and satisfying legal requirements around data sovereignty and third-party access.
The connection between Azure Managed HSM and Securosys HSM is enabled through the Securosys External Key Management (EKM) Proxy, which acts as a controlled mediation layer between Azure workloads and dedicated HSM Partitions. The Proxy securely connects Azure Managed HSM to either a Securosys CloudHSM or an on-premise Securosys Primus HSM. The Proxy is deployed as a Docker container in a customer-controlled environment, including Azure cloud or on-premise infrastructure.
Integration with Securosys Primus HSM and CloudHSM

Securosys provides a dedicated Securosys External Key Management Proxy for Azure Managed HSM (abbreviated as EKM Proxy) that implements Azure's API. This enables Azure Key Vault Managed HSM to use an on-premise Primus HSM or a CloudHSM as an external KMS.
This proxy is developed, maintained, and supported by Securosys, and is distributed as an easy-to-deploy Docker container. The EKM Proxy is responsible for translating and forwarding the requests from Azure to your Primus HSM or CloudHSM Partition.
The setup process is straightforward: users deploy the proxy container and configure it with a YAML file that defines the connection to their Primus HSM or CloudHSM Partition. The proxy communicates securely with Azure using mTLS.
For more information on how to deploy the Securosys proxy see the Installation section.
Architecture and Operation
The Securosys EKM Proxy enables Azure services to perform cryptographic operations using externally managed Key Encryption Keys (KEKs) while the key material remains in the external HSM environment.
When an Azure service performs a cryptographic operation using an external key, the request is processed by Azure Managed HSM and sent to the Securosys EKM Proxy through the Proxy API. The proxy forwards the request to the connected Securosys HSM environment, where the requested cryptographic operation is executed. The result is then returned through the proxy to Azure Managed HSM.
Communication between Azure Managed HSM and the Securosys EKM Proxy is secured using mutual TLS (mTLS). This ensures that both the Managed HSM pool and the proxy service authenticate each other before any cryptographic operation is processed. It also ensures confidentiality of the request and its result.
A single Securosys EKM Proxy instance can serve multiple Azure Managed HSM pools. To support this architecture, the proxy URI includes an optional path prefix that allows logical separation of tenants or individual Managed HSM pools while using the same proxy service. However, every Securosys EKM Proxy instance can only be connected to a single Securosys HSM Partition. If you have multiple Partitions, you need to deploy multiple proxy instances.
The Proxy API is limited to performing cryptographic operations. It does not provide functionality for key lifecycle management within the external key management system. Keys must be created and managed directly within the Securosys HSM environment before they can be associated with a corresponding key in Azure Managed HSM.
Supported Operations
Azure services that integrate with Managed HSM rely on Key Encryption Keys stored in the external HSM to protect Data Encryption Keys or intermediate keys. The Proxy API therefore exposes the required key types and cryptographic operations needed for these use cases. Requests and responses are exchanged as JSON objects over HTTPS, and each request contains contextual information that allows correlation between Azure Managed HSM audit logs and the logs generated by the Securosys EKM Proxy.
The following API operations are supported:
| Operation | Description |
|---|---|
| Get Proxy | Information Provides proxy details such as highest API version and additional relevant information. This API can also be used to verify the EKM Proxy’s reachability and availability. |
| Get Key Metadata | Gets metadata for an external key such as key type, size and supported operations. |
| Wrap Key | Wraps a cryptographic key. |
| Unwrap Key | Unwraps a previously wrapped key. |
See Azure services supporting CMK for all services supported by Azure external key management and Securosys EKM Proxy integration.
Performance Requirements
For proper operation, the Securosys EKM Proxy is expected to respond to API requests within 250 milliseconds. If Azure Managed HSM does not receive a response within this time window, the request will time out.
Next Steps
- Read the quickstart guide for an overview of the installation steps.
- Follow the installation guide to set up Azure external key management with a Primus HSM or CloudHSM.
- Download the Securosys EKM Proxy.