We are excited to announce the General Availability of Key attestation for Azure Key Vault Managed HSM.
Key attestation for Azure Managed HSM provides a way to validate the origin and integrity of cryptographic keys generated and stored within a trusted, FIPS 140-3 Level 3 certified HSM. This enhances trust in key-management processes by offering transparency, and it helps customers meet strict security standards. The feature is especially valuable where customers need assurance that their keys are protected from unauthorized access, including access by the cloud provider.
The key attestation process has four steps:
- Downloading or cloning the open source Python scripts and requirements from our GitHub repository
- Setting up a virtual environment and installing the required Python packages
- Retrieving key attestation data from the HSM via CLI
- Verifying the key's authenticity and the attestation data file, and viewing the parsed attributes of the attestation binary via the open source Python script. When running the script in verbose mode, you can see how the certificate chain validation is established and which certificates are used to verify the integrity of the attestation blob. You can inspect the certificates used in /src/vendor/marvell/marvell_validate_key_attestation.py.
To learn more and try it out yourself, see the Key attestation product documentation.
Updated Jun 19, 2025
Version 1.0
chenkaren, Microsoft
Microsoft Security Community Blog