Azure Database for PostgreSQL Blog

Announcing support for Azure Key Vault Managed HSM with Azure PostgreSQL Flexible server

Gennadyk
Microsoft
May 08, 2023

In December 2022, Microsoft Database for PostgreSQL - Flexible Server announced general availability of the encryption at rest with Customer Managed Keys (CMK) feature. Data encryption at rest is a very important aspect of database security: it transforms your data into unreadable ciphertext using a cryptographic algorithm. Encryption encodes data so that only programs that know how to decode it can read it. The algorithm, a set of ordered steps, alters the information so that the receiving party can't read it without applying the matching algorithm to return it to its original state. Anyone who wants to decode and access the protected information must first decrypt the ciphertext using the cryptographic key, a secret randomly generated by an algorithm; without that key, the ciphertext is useless to an unauthorized user.

Many organizations require full control over access to their data using a customer-managed key. Data encryption with customer-managed keys for Azure Database for PostgreSQL Flexible server enables you to bring your own key (BYOK) for data protection at rest. It also allows organizations to implement separation of duties in the management of keys and data. With customer-managed encryption, you are responsible for, and in full control of, a key's lifecycle, key usage permissions, and auditing of operations on keys.

Until now, data encryption with customer-managed keys for Azure Database for PostgreSQL Flexible server supported only Azure Key Vault (AKV) as the encryption key store. Today we are proud to announce support for Azure Key Vault Managed HSM as a second encryption key store, in addition to Azure Key Vault.

What is an HSM?

Hardware security modules (HSMs) are hardened, tamper-resistant hardware devices that secure cryptographic processes by generating, protecting, and managing keys used for encrypting and decrypting data and creating digital signatures and certificates. HSMs are tested, validated and certified to the highest security standards including FIPS 140-2 and Common Criteria. Azure Key Vault Managed HSM (Hardware Security Module) is a fully managed, highly available, single-tenant, standards-compliant cloud service that enables you to safeguard cryptographic keys for your cloud applications, using FIPS 140-2 Level 3 validated HSMs. 

Advantages of Azure Key Vault Managed HSM service as a cryptographic key store

AKV Managed HSM provides the following advantages:

  1. Fully managed, highly available, single-tenant HSM as a service.
  2. Protects your data and meets compliance requirements with FIPS (Federal Information Processing Standard) 140-2 Level 3 validated HSMs.
  3. Fully integrated with Azure Monitor: you get complete logs of all activity via Azure Monitor and can import them into Azure Log Analytics for analysis and alerts.
  4. Compliant with data residency requirements in the EU and other regions. Managed HSM doesn't store or process customer data outside the region in which the customer deploys the HSM instance.
  5. Integrated with your on-premises HSMs. You can generate HSM-protected keys in your on-premises HSM and import them securely into Managed HSM.

Comparison of various Azure Key Management products is shown below: 

                       | Azure Key Vault Standard | Azure Key Vault Premium | Azure Key Vault Managed HSM
Tenancy                | Multi-Tenant             | Multi-Tenant            | Single-Tenant
Compliance             | FIPS 140-2 level 1       | FIPS 140-2 level 2      | FIPS 140-2 level 3
High Availability      | Automatic                | Automatic               | Automatic
Use cases              | Encryption at Rest       | Encryption at Rest      | Encryption at Rest
Key Controls           | Customer                 | Customer                | Customer
Root of trust control  | Microsoft                | Microsoft               | Customer

Using Managed HSM with PostgreSQL Flexible Server Customer Managed Key Features

Starting today, you can pick Managed HSM as the key store, in addition to Azure Key Vault, when creating a new PostgreSQL Flexible Server in the Azure Portal with the Customer Managed Key (CMK) feature, as shown in the image below.

The prerequisites in terms of the user-assigned identity and its permissions are the same as with Azure Key Vault, as already listed in our docs. More information on how to create an Azure Key Vault Managed HSM and import keys into it is available here.
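The same setup done from the command line instead of the portal, as an added example that is not part of the original post. It runs Azure CLI from a PowerShell session against an existing, activated Managed HSM; the resource names and the region are placeholders, the role name is the Managed HSM built-in "Managed HSM Crypto Service Encryption User", and the server-creation step assumes the CLI's --key flag accepts a Managed HSM key identifier just as the portal does.

```powershell
# Added example (not from the original post). Placeholder names: replace them.
$rg       = "rg-pg-cmk"
$location = "eastus"
$hsmName  = "mhsm-contoso"      # existing, activated Managed HSM (assumed)
$keyName  = "pg-cmk-key"
$identity = "id-pg-cmk"
$server   = "pg-cmk-demo"

# 1. User-assigned identity that Flexible Server uses to reach the key.
$principalId = az identity create --name $identity --resource-group $rg `
    --location $location --query principalId -o tsv
$identityId  = az identity show --name $identity --resource-group $rg --query id -o tsv

# 2. HSM-protected RSA key restricted to the two operations CMK needs
#    (wrapping and unwrapping the server's data encryption key).
az keyvault key create --hsm-name $hsmName --name $keyName --kty RSA-HSM --size 2048 `
    --ops wrapKey unwrapKey

# 3. Local RBAC inside the HSM, scoped to this one key: the identity can wrap and
#    unwrap with it but cannot read, export, rotate or delete keys (least privilege).
az keyvault role assignment create --hsm-name $hsmName `
    --role "Managed HSM Crypto Service Encryption User" `
    --assignee-object-id $principalId --scope "/keys/$keyName"

# 4. Fetch the key identifier and sanity-check that it really points at a Managed HSM
#    (host managedhsm.azure.net) rather than at a standard vault (vault.azure.net).
$kid = az keyvault key show --hsm-name $hsmName --name $keyName --query key.kid -o tsv
if ($kid -notmatch '^https://[^/]+\.managedhsm\.azure\.net/keys/') {
    throw "Expected a Managed HSM key identifier, got: $kid"
}

# 5. Create the server with CMK pointing at the Managed HSM key and the identity above.
$adminPassword = Read-Host "Admin password for $server"
az postgres flexible-server create --resource-group $rg --name $server --location $location `
    --admin-user pgadmin --admin-password $adminPassword `
    --key $kid --identity $identityId

# 6. Check: the server's dataEncryption block should echo the key URI and identity it was given.
az postgres flexible-server show --resource-group $rg --name $server --query dataEncryption -o json
```

If step 3 is skipped or scoped to the wrong key, server creation fails at the CMK validation step rather than silently falling back to a service-managed key, which is the behaviour you want from a separation-of-duties control.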

The addition of Azure Key Vault Managed HSM provides an even more compliance-friendly way to safeguard your cryptographic keys and advances our goal of offering the highest security and compliance options when you choose to deploy Microsoft Database for PostgreSQL - Flexible Server.

We invite you to learn more about data encryption in PostgreSQL - Flexible Server with Customer Managed Keys and Azure Key Vault Managed HSM by reading the following resources:

We look forward to hearing about your experience with this new CMK feature on Flexible server. We're always eager to hear customer feedback, so please reach out to us at Ask Azure DB for PostgreSQL.

To learn more about our Flexible Server managed service, see the Azure Database for PostgreSQL service page.

Updated May 07, 2023
Version 1.0