Azure Bring Your Own Key (BYOK)
Azure Key Vault is a managed service that enables you to safeguard cryptographic keys and other secrets used by cloud applications and services. With Azure Key Vault, you can easily create, store, and control access to keys used to encrypt your data, as well as secrets such as passwords, API keys, and certificates. Azure Key Vault seamlessly integrates with Azure services and provides a secure and centralized solution for key management.
Securosys CloudHSM is a Hardware Security Module (HSM) available as a cloud service, so you do not have to spend time on the evaluation, setup, operation, redundancy, and maintenance of the HSM infrastructure. Securosys CloudHSM is built on a geo-redundant architecture and scales according to your needs.
With Azure BYOK (Bring Your Own Key) you can bring keys generated on a Securosys HSM to Azure. This gives you greater control over the lifecycle, security, and durability of your keys, which helps you protect your data and meet regulatory requirements.
This guide describes how to integrate Securosys CloudHSM (HSM as a Service) or an on-premise Primus HSM cluster with Azure Key Vault.
Architecture
When using BYOK with Azure, you create a key on an external HSM that you, not Azure, control. You then import this key into Azure. Note that this means that Azure receives a copy of the secret key.
Using BYOK with Azure has the following advantages:
- Use an existing key and bring it to Azure (for example, an existing PKI signing key)
- Keep a copy of the key outside of Azure (for example, for disaster recovery)
- Generate the key with a trusted source of entropy
- Meet regulatory requirements
If you want to keep your keys entirely in your own HSM (instead of copying them to Azure), see the Securosys 365 (Double Key Encryption) documentation.
Target Audience
This document is intended for Securosys Primus HSM or CloudHSM administrators and IT professionals. The Azure BYOK procedure requires that you are already familiar with Microsoft Azure.
For on-premise HSMs, administrative skills with the Primus HSMs are required.
Support Contact
If you encounter a problem, please make sure that you have read the documentation. If you cannot resolve the issue, contact Securosys Customer Support.
What's Next
- Consult the Quickstart page for a quick overview.
- Follow the Installation guide.
- Step through the Tutorial.