
umamasurkar28 (Microsoft)
Nov 19, 2025

Azure Cloud HSM: Secure, Compliant & Ready for Enterprise Migration

Azure Cloud HSM is Microsoft’s single-tenant, FIPS 140-3 Level 3 validated hardware security module service, designed for organizations that need full administrative control over cryptographic keys in the cloud. It’s ideal for migration scenarios, especially when moving on-premises HSM workloads to Azure with minimal application changes.

Onboarding & Availability

  • No Registration or Allowlist Needed: Azure Cloud HSM is accessible to all customers; no special onboarding or monetary policy is required.
  • Regional Availability:
    • Private Preview: UK West
    • Public Preview (March 2025): East US, West US, West Europe, North Europe, UK West
    • General Availability (June 2025): All public, US Gov, and AGC regions where Azure Managed HSM is available

Choosing the Right Azure HSM Solution

Azure offers several key management options:

  • Azure Key Vault (Standard/Premium)
  • Azure Managed HSM
  • Azure Payment HSM
  • Azure Cloud HSM

Cloud HSM is best for:

  • Migrating existing on-premises HSM workloads to Azure
  • Applications running in Azure VMs or Web Apps that require direct HSM integration
  • Shrink-wrapped software in IaaS models supporting HSM key stores

Common Use Cases:

  • ADCS (Active Directory Certificate Services)
  • SSL/TLS offload for Nginx and Apache
  • Document and code signing
  • Java apps needing JCE provider
  • SQL Server TDE (IaaS) via EKM
  • Oracle TDE

Deployment Best Practices

1. Resource Group Strategy

  • Deploy the Cloud HSM resource in a dedicated resource group (e.g., CHSM-SERVER-RG).
  • Deploy client resources (VM, VNET, Private DNS Zone, Private Endpoint) in a separate group (e.g., CHSM-CLIENT-RG)

2. Domain Name Reuse Policy

  • Each Cloud HSM requires a unique domain name, constructed from the resource name and a deterministic hash.
  • Four reuse types: Tenant, Subscription, ResourceGroup, and NoReuse; choose based on your naming and recovery needs.

3. Step-by-Step Deployment

  • Provision Cloud HSM: Use Azure Portal, PowerShell, or CLI. Provisioning takes ~10 minutes.
  • Register Resource Provider: (Register-AzResourceProvider -ProviderNamespace Microsoft.HardwareSecurityModules)
  • Create VNET & Private DNS Zone: Set up networking in the client resource group.
  • Create Private Endpoint: Connect the HSM to your VNET for secure, private access.
  • Deploy Admin VM: Use a supported OS (Windows Server, Ubuntu, RHEL, CBL Mariner) and download the Azure Cloud HSM SDK from GitHub.

Initialize and Configure

  • Edit azcloudhsm_resource.cfg:
    • Set the hostname to the private link FQDN for hsm1 (found in the Private Endpoint DNS config).
  • Initialize Cluster:
    • Use the management utility (azcloudhsm_mgmt_util) to connect to server 0 and complete initialization.
  • Partition Owner Key Management:
    • Generate the PO key securely (preferably offline).
    • Store PO.key on encrypted USB in a physical safe.
    • Sign the partition cert and upload it to the HSM.
  • Promote Roles:
    • Promote the Precrypto Officer (PRECO) to Crypto Officer (CO) and set a strong password.

Security, Compliance, and Operations

  • Single-Tenant Isolation: Only your organization has admin access to your HSM cluster.
  • No Microsoft Access: Microsoft cannot access your keys or credentials.
  • FIPS 140-3 Level 3 Compliance: All hardware and firmware are validated and maintained by Microsoft and the HSM vendor.
  • Tamper Protection: Physical and logical tamper events trigger key zeroization.
  • No Free Tier: Billing starts upon provisioning and includes all three HSM nodes in the cluster.
  • No Key Sharing with Azure Services: Cloud HSM is not integrated with other Azure services for key usage.

Operational Tips

  • Credential Management:
    • Store PO.key offline; use environment variables or Azure Key Vault for operational credentials.
    • Rotate credentials regularly and document all procedures.
  • Backup & Recovery:
    • Backups are automatic and encrypted; always confirm backup/restore after initialization.
  • Support:
    • All support is through Microsoft; open a support request for any issues.

Azure Cloud HSM vs. Azure Managed HSM

| Feature / Aspect | Azure Cloud HSM | Azure Managed HSM |
|---|---|---|
| Deployment Model | Single-tenant, dedicated HSM cluster (Marvell LiquidSecurity hardware) | Multi-tenant, fully managed HSM service |
| FIPS Certification | FIPS 140-3 Level 3 | FIPS 140-2 Level 3 |
| Administrative Control | Full admin control (Partition Owner, Crypto Officer, Crypto User roles) | Azure manages HSM lifecycle; customers manage keys and RBAC |
| Key Management | Customer-managed keys and partitions; direct HSM access | Azure-managed HSM; customer-managed keys via Azure APIs |
| Integration | PKCS#11, OpenSSL, JCE, KSP/CNG, direct SDK access | Azure REST APIs, Azure CLI, PowerShell, Key Vault SDKs |
| Use Cases | Migration from on-prem HSMs, legacy apps, custom PKI, direct cryptographic ops | Cloud-native apps, SaaS, PaaS, Azure-integrated workloads |
| Network Access | Private VNET only; not accessible by other Azure services | Accessible by Azure services (e.g., Storage, SQL, Disk Encryption) |
| Key Usage by Azure Services | Not supported (no integration with Azure services) | Supported (can be used for disk, storage, SQL encryption, etc.) |
| BYOK/Key Import | Supported (with key wrap methods) | Supported (with Azure Key Vault import tools) |
| Key Export | Supported (if enabled at key creation) | Supported (with exportable keys) |
| Billing | Hourly fee per cluster (3 HSMs per cluster); always-on | Consumption-based (per operation, per key, per hour) |
| Availability | High availability via 3-node cluster; automatic failover and backup | Geo-redundant, managed by Azure |
| Firmware Management | Microsoft manages firmware; customer cannot update | Fully managed by Azure |
| Compliance | Meets strictest compliance (FIPS 140-3 Level 3, single-tenant isolation) | Meets broad compliance (FIPS 140-2 Level 3, multi-tenant isolation) |
| Best For | Enterprises migrating on-prem HSM workloads, custom/legacy integration needs | Cloud-native workloads, Azure service integration, simplified management |

When to Choose Each?
  • Azure Cloud HSM is ideal if you:
    • Need full administrative control and single-tenant isolation.
    • Are migrating existing on-premises HSM workloads to Azure.
    • Require direct HSM access for legacy or custom applications.
    • Need to meet the highest compliance standards (FIPS 140-3 Level 3).
  • Azure Managed HSM is best if you:
    • Want a fully managed, cloud-native HSM experience.
    • Need seamless integration with Azure services (Storage, SQL, Disk Encryption, etc.).
    • Prefer simplified key management with Azure RBAC and APIs.
    • Are building new applications or SaaS/PaaS solutions in Azure.

| Scenario | Recommended Solution |
|---|---|
| Migrating on-prem HSM to Azure | Azure Cloud HSM |
| Cloud-native app needing Azure service keys | Azure Managed HSM |
| Custom PKI or direct cryptographic operations | Azure Cloud HSM |
| SaaS/PaaS with Azure integration | Azure Managed HSM |
| Highest compliance, single-tenant isolation | Azure Cloud HSM |
| Simplified management, multi-tenant | Azure Managed HSM |

Azure Cloud HSM is the go-to solution for organizations migrating HSM-backed workloads to Azure, offering robust security, compliance, and operational flexibility. By following best practices for onboarding, deployment, and credential management, you can ensure a smooth and secure transition to the cloud.
