Azure Compute Blog

Microsoft Azure Introduces Azure Integrated HSM: A Key Cache for Virtual Machines

simranparkhe
Microsoft
Sep 25, 2025

Today we are excited to release public preview support for Azure Integrated HSM for AMD v7 Virtual Machines. As announced last year at Ignite, Azure Integrated HSM is a hardware security module (HSM) cache and crypto offload designed to enhance the security and performance of cryptographic operations in virtual machines. For customers who rely heavily on cryptography and have performance-intensive workloads, Azure Integrated HSM provides a secure, hardware-backed way to store cryptographic keys for fast and secure usage. This feature is available as part of our AMD D and E series v7 preview.

Azure also offers Azure Key Vault Managed HSM, which is a fully managed, highly available, single-tenant cloud service that safeguards cryptographic keys using FIPS 140-3 Level 3 validated HSMs. While this model provides robust key protection, workloads that need to use their keys either incur network round-trip latency for calls to the network-attached HSM service or, if their key policy permits, request the release of their keys from the HSM and import them into their local environment. When keys are released from the HSM and imported into the workload's environment, the security protection offered may become less than FIPS 140-3 Level 3. The server-local Azure Integrated HSM avoids this tradeoff: it eliminates network round trips for key operations and avoids the need to release keys into the workload environment. Instead of relying on remote access, the Azure Integrated HSM is securely bound to the local workload and provides oracle-style key usage to authorized services within the local environment.

Azure Integrated HSM is designed to meet the Federal Information Processing Standards (FIPS) 140-3 Level 3 security requirements for cryptographic modules. It protects keys and security assets while these assets are in use, and it has specialized hardware cryptographic accelerators that perform encryption, decryption, signing, and verification operations while keys remain within the bounds of Azure Integrated HSM.

Availability

Azure Integrated HSM is now available in preview on the AMD v7 preview platform, with support for our general purpose Dasv7-series, Dadsv7-series, Easv7-series and Eadsv7-series on VM sizes of 8 vCores and above. Use of this feature requires the VM to be launched with Trusted Launch enabled. The Azure Integrated HSM preview will initially have Windows support only, with Linux support coming soon. This feature will be offered at no additional cost.

Please sign up for the AMD v7 preview and we will reach out to you with further information. Customers can also check out our GitHub repository with customer samples and instructions on how to use Azure Integrated HSM.

Updated Sep 25, 2025
Version 3.0