What is Azure Key Vault Managed HSM?
Important
We are updating our HSM fleet to a FIPS 140-3 level 3 validated firmware for both Azure Key Vault Managed HSM and Azure Key Vault Premium. See full details at Updating Managed HSM Firmware for Enhanced Security and Compliance.
Azure Key Vault Managed HSM (Hardware Security Module) is a fully managed, highly available, single-tenant, standards-compliant cloud service that enables you to safeguard cryptographic keys for your cloud applications, using FIPS 140-2 Level 3 validated HSMs. It is one of several key management solutions in Azure .
For pricing information, see Managed HSM Pools section on Azure Key Vault pricing page. For supported key types, see About keys.
The term "Managed HSM instance" is synonymous with "Managed HSM pool". To avoid confusion, we use "Managed HSM instance" throughout these articles.
Why use Managed HSM?
Fully managed, highly available, single-tenant HSM as a service
- Fully managed: The service handles HSM provisioning, configuration, patching, and maintenance.
- Highly available: Each HSM cluster consists of multiple HSM partitions. If the hardware fails, member partitions for your HSM cluster are automatically migrated to healthy nodes. For more information, see Managed HSM Service Level Agreement
- Single-tenant: Each Managed HSM instance is dedicated to a single customer and consists of a cluster of multiple HSM partitions. Each HSM cluster uses a separate customer-specific security domain that cryptographically isolates each customer's HSM cluster.
Access control, enhanced data protection & compliance
- Centralized key management: Manage critical, high-value keys across your organization in one place. With granular per key permissions, control access to each key on the 'least privileged access' principle.
- Isolated access control: Managed HSM "local RBAC" access control model allows designated HSM cluster administrators to have complete control over the HSMs that even management group, subscription, or resource group administrators cannot override.
- Private endpoints: Use private endpoints to securely and privately connect to Managed HSM from your application running in a virtual network.
- FIPS 140-2 Level 3 validated HSMs: Protect your data and meet compliance requirements with FIPS (Federal Information Protection Standard) 140-2 Level 3 validated HSMs. Managed HSMs use Marvell LiquidSecurity HSM adapters.
- Monitor and audit: fully integrated with Azure monitor. Get complete logs of all activity via Azure Monitor. Use Azure Log Analytics for analytics and alerts.
- Data residency: Managed HSM doesn't store/process customer data outside the region the customer deploys the HSM instance in.
Integrated with Azure and Azure PaaS/SaaS services
- Generate (or import using BYOK) keys and use them to encrypt your data at rest in Azure services such as Azure Storage, Azure SQL, Azure Information Protection, and Customer Key for Microsoft 365. For a more complete list of Azure services which work with Managed HSM, see Data Encryption Models.
Uses same API and management interfaces as Key Vault
- Easily migrate your existing applications that use a vault (a multi-tenant) to use Managed HSMs.
- Use same application development and deployment patterns for all your applications irrespective of key management solution in use: multi-tenant vaults or single-tenant Managed HSMs.
Import keys from your on-premises HSMs
- Generate HSM-protected keys in your on-premises HSM and import them securely into Managed HSM.
Next steps
- For technical details, see How Managed HSM implements key sovereignty, availability, performance, and scalability without tradeoffs
- See Quickstart: Provision and activate a managed HSM using Azure CLI to create and activate a managed HSM
- Azure Managed HSM security baseline
- See Best Practices using Azure Key Vault Managed HSM
- Managed HSM Status
- Managed HSM Service Level Agreement
- Managed HSM region availability
- What is Zero Trust?