Hello grundlichkeit
There are two ways to leverage BYOK scenario . You can import HSM protected keys to Key vault or you can use Azure Dedicated HSM itself.
You can import or generate keys in hardware security modules that wont leave the HSM boundary . The key can be then imported to Key vault. Key vault uses nCipher nShield / thales family of HSM mdoules to protect your keys. I would suggest to go though the
following articles.
Import HSM protected Keys to Key vault
Import HSM-protected Keys to Key vault(preview)
There are some limitations though as the service is ever evolving and we continue to add new features to the same. Currently Importing 1024-bit keys or EC(Elliptic curve) key is not supported .
Alternatively you can use Azure Dedicated HSM service to store your Keys (BYOK scenario) . Azure Dedicated HSM is a service that provides FIPS 140-2 L3 complaint hardware in Azure where you can store your cryptographic keys. Its a service where a HSM
module will be made available for you and associated to a virtual network within your subscription. This is not currently configurable using Azure Portal and can only be
configured using powershell or
Azure CLI .
This
service is available in some regions and we continue to add new regions to it . Please check availability before deployment.
Hope the information was helpful . Please go through the links provided and it would provide you enough information to get started. In case you have any further query . please let us know and we will be happy to help . In case the information provided helped
, please do mark it as answer in the interest of the community.
Also as my colleague SumanthMarigowda-MSFT pointed
out , we are going to transition from MSDN forums to
Microsoft QnA which will be new home for Azure products related community. I would strongly encourage you to check the same and post any future queries there.
Thank you.
Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!!
