Azure RMS BYOK, now without flying

Published Sep 08 2018 02:58 AM 274 Views
First published on CloudBlogs on Mar, 05 2014

Happy Wednesday,

One powerful feature of Windows Azure RMS is BYOK or Bring-Your-Own-Key. This feature is quite popular among customers with stringent security requirements (or, as I often say, the cloud using but also cloud reluctant crowd). We've tweaked our BYOK to not require flying to Redmond anymore...and no, this has nothing to do with Delta's recent changes to their frequent flyer program ;)

For those new to the BYOK offering, this feature allows Windows Azure RMS tenants to be in full control of their tenant key (the root of trust for RMS), and to 'pin their key' to a FIPS140-2 HSMs (hardware security modules). This feature is described in detail at .

Until now, for security reasons, the BYOK option has required tenants to fly to Redmond (where we are based) to import their key into Microsoft’s HSMs in person. Despite this requirement to visit us, the keys were still bound to HSMs in each of our main geographies: EU, US, or APAC. Said differently, though you made a trip to (rainy) Redmond, that requirement never did imply the keys would function with our US-based HSMs... something our friendly customers in the EU would prefer we not permit for obvious reasons.

Today we're happy to say that we added a significantly simpler and completely self-service option for BYOK. The new toolset enables you to transfer your key, from your on-premise HSM to Microsoft’s (per-GEO) HSMs, over the wire. There is no need to fly to Redmond anymore. Also, there is no need to spend a few hours with our friendly Azure RMS operators to execute the key ceremony'. By the way, if the concept of a 'key ceremony' means nothing to you, here is a video of a somewhat historical one.

We did this work in collaboration with our HSM partner Thales E-Security and so they vouch that this process results in a secure transfer of the key from your on-premises HSM into our data center HSMs in a manner that maintains the root principle of us never being able to see or export your key. This is described in this white paper from Thales:

Other than this new mechanism to import your key, all other aspects of BYOK stay the same. That includes pricing -- it is free -- as well as pre-requisites, restrictions, how Microsoft uses your key once you upload it, and how you get usage logs for your key.

The new toolset is in preview. If you would like to participate in this preview, please send email to to get started.

If you want to stay in touch with us, follow us on twitter ( @TheRMSGuy ) and join in our RMS peer community at .


Dan on behalf of the Rights Management team

Version history
Last update:
‎Sep 08 2018 02:58 AM