Menu
Azure Architecture Blog·July 7, 2026

External Key Management for Azure Managed HSM

This article announces the public preview of external key management for Azure Managed HSM, enhancing data security and compliance for cloud environments. It discusses how organizations can now manage cryptographic keys outside of Azure, maintaining greater control over their root of trust while leveraging Azure's FIPS 140-2 Level 3 validated HSMs. This capability is crucial for highly regulated industries requiring strict separation of duties and complete key lifecycle control.

Read original on Azure Architecture Blog

Introduction to External Key Management (EKM)

External Key Management (EKM) allows organizations to store and manage their cryptographic keys in an external Hardware Security Module (HSM) or key management system, while still using cloud services for data encryption. This model is particularly beneficial for highly regulated industries that require complete control over the key's lifecycle and its physical location, even when data resides in the cloud. The key material itself never leaves the customer's on-premises environment or a third-party key provider chosen by the customer.

Architectural Benefits for Cloud Security

  • Enhanced Control: Customers maintain direct control over the root of trust, often meeting stringent compliance requirements that mandate physical or logical separation of key management from cloud provider infrastructure.
  • Regulatory Compliance: Addresses regulatory mandates like GDPR, HIPAA, and various industry-specific certifications that require keys to be managed and controlled outside the cloud service provider's direct purview.
  • Reduced Vendor Lock-in: Provides flexibility to switch cloud providers or utilize multi-cloud strategies, as the core encryption keys are portable and managed independently.
  • Separation of Duties: Enforces a strong separation of duties, where cloud administrators do not have access to the cryptographic keys, and key administrators do not have access to the data itself.

Azure Managed HSM Integration

Azure Managed HSM provides a fully managed, highly available, single-tenant, standards-compliant cloud service that safeguards cryptographic keys for your cloud applications. With the public preview of EKM, it integrates with external key sources, allowing Azure resources (like databases, storage, and VMs) to leverage keys managed externally. This is achieved by establishing a secure, auditable connection between Azure's encryption services and the customer's EKM solution, ensuring all cryptographic operations are performed using the externally managed key while the key material itself remains external.

💡

Key Architectural Consideration

When designing systems requiring high security and compliance, evaluate the trade-offs between cloud-native key management services and External Key Management. EKM introduces additional complexity in setup and operational overhead but offers unparalleled control and addresses specific regulatory requirements.

key managementHSMAzurecryptographycloud securitycomplianceEKMdata encryption

Comments

Loading comments...