Can I migrate to HSM after deployment of RMS?

  • Question

  • Hi,

    I have a client who is considering using an HSM with their AD RMS deployment, but they don't like the fact that it is so expensive. They are wondering if they can deploy AD RMS initially and then migrate the private keys to an HSM device at a later stage.

    I can't seem to find any information online about whether or not this is possible. I suspect that a new RMS deployment would be needed - can anyone confirm?
    Thanks.

    Tuesday, August 23, 2011 3:18 PM

Answers

  • Hey folks, Turgay's answer is correct. In general, the HSM vendor-specific guidance (such as from either Safenet or Thales in these cases) needs to be followed to make an HSM device work with AD RMS, but we do have some general guidance available on using HSMs with AD RMS that is now available here: Using AD RMS with Hardware Security Modules (http://technet.microsoft.com/en-us/library/jj651024.aspx).

    Hope that helps!


    Brad Mahugh
    Senior Technical Writer
    AD information eXperience (iX)
    Microsoft Corporation
    ------------------------
    This post is provided "AS IS" and confers no promises of current or future technical support for a specific support issue. Please use Microsoft product support if you need a service commitment for your current support case or issue. If this answer has been helpful to you, please vote for it or "Propose as Answer" as that will enable me to better know I have helped you or inform others that this reply can be useful to them should they have a similar question or issue.


    Wednesday, December 12, 2012 8:37 PM

All replies

  • Hi,

    You will need to deploy a new RMS installation using HSM and create a trust with the old one.

    There is no Microsoft-supported way of moving from software-based key protection to HSM-based. So it would be much better to start with the HSM in place if you are planning to use it later.

    Turgay

    Wednesday, August 24, 2011 10:07 AM
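Turgay's "create a trust with the old one" step, shown as an added example that is not part of the thread and not Microsoft's own guidance. It uses the AdRmsAdmin PowerShell provider that ships with AD RMS on Windows Server 2008 R2 and later to export the existing software-key cluster's trusted publishing domain (TPD) and trusted user domain (TUD) and import them into the new HSM-backed cluster, so content already protected by the old cluster can still be licensed and old-cluster user certificates are still trusted. The cluster URLs, drive names, file paths and display names are assumptions; the cmdlet names are those of the AdRmsAdmin module, but the exact path expected by `Export-RmsTPD` should be confirmed with `Get-Help` on your own servers.

```powershell
# Added example (not from the thread or from Microsoft): trust setup between an
# existing software-key AD RMS cluster and a new HSM-backed cluster.
# All URLs, paths, drive names and display names below are assumptions.

Import-Module AdRmsAdmin

# Map both clusters as PSDrives. Run this from a machine that is an AD RMS
# administrator on both clusters (assumed URLs).
New-PSDrive -Name OldRms -PSProvider AdRmsAdmin -Root "https://oldrms.contoso.example" | Out-Null
New-PSDrive -Name NewRms -PSProvider AdRmsAdmin -Root "https://hsmrms.contoso.example" | Out-Null

$exportDir = "C:\RmsMigration"   # assumed path; restrict ACLs, the TPD file holds a private key
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# 1. Export the OLD cluster's TPD. The file contains the old server licensor
#    certificate and its private key, so it is password-protected; treat it as
#    a secret and delete it once the import has been verified.
$tpdPassword = Read-Host -AsSecureString -Prompt "Password to protect the exported TPD"
$tpdFile = Join-Path $exportDir "old-cluster-tpd.xml"
Export-RmsTPD -Path "OldRms:\TrustPolicy\TrustedPublishingDomain" `
              -SavedFile $tpdFile -Password $tpdPassword

# 2. Import that TPD into the NEW (HSM) cluster so it can issue use licenses
#    for content that was published against the old cluster.
Import-RmsTPD -Path "NewRms:\TrustPolicy\TrustedPublishingDomain" `
              -SourceFile $tpdFile -Password $tpdPassword `
              -DisplayName "Old software-key cluster (migration)"

# 3. Export the OLD cluster's TUD (public SLC only, no private key) and import
#    it into the NEW cluster so RACs issued by the old cluster remain trusted.
$tudFile = Join-Path $exportDir "old-cluster-tud.bin"
Export-RmsTUD -Path "OldRms:\TrustPolicy\TrustedUserDomain" -SavedFile $tudFile
Import-RmsTUD -Path "NewRms:\TrustPolicy\TrustedUserDomain" `
              -SourceFile $tudFile -DisplayName "Old software-key cluster users"

# 4. Check: the new cluster should now list the imported TPD and TUD alongside
#    its own entries.
Get-ChildItem "NewRms:\TrustPolicy\TrustedPublishingDomain" | Format-Table -AutoSize
Get-ChildItem "NewRms:\TrustPolicy\TrustedUserDomain"       | Format-Table -AutoSize

# 5. Remove the exported private key material from disk once verified.
Remove-Item $tpdFile -Force
```

Note that importing the old TPD brings the old cluster's software-protected private key into the new cluster; it does not move that key into the HSM. Only content protected by the new cluster's own server licensor certificate is covered by the HSM, which is the point Turgay makes about starting with the HSM in place.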