This article announces the public preview of external key management for Azure Managed HSM, enhancing data security and compliance for cloud environments. It discusses how organizations can now manage cryptographic keys outside of Azure, maintaining greater control over their root of trust while leveraging Azure's FIPS 140-2 Level 3 validated HSMs. This capability is crucial for highly regulated industries requiring strict separation of duties and complete key lifecycle control.
Read original on Azure Architecture BlogExternal Key Management (EKM) allows organizations to store and manage their cryptographic keys in an external Hardware Security Module (HSM) or key management system, while still using cloud services for data encryption. This model is particularly beneficial for highly regulated industries that require complete control over the key's lifecycle and its physical location, even when data resides in the cloud. The key material itself never leaves the customer's on-premises environment or a third-party key provider chosen by the customer.
Azure Managed HSM provides a fully managed, highly available, single-tenant, standards-compliant cloud service that safeguards cryptographic keys for your cloud applications. With the public preview of EKM, it integrates with external key sources, allowing Azure resources (like databases, storage, and VMs) to leverage keys managed externally. This is achieved by establishing a secure, auditable connection between Azure's encryption services and the customer's EKM solution, ensuring all cryptographic operations are performed using the externally managed key while the key material itself remains external.
Key Architectural Consideration
When designing systems requiring high security and compliance, evaluate the trade-offs between cloud-native key management services and External Key Management. EKM introduces additional complexity in setup and operational overhead but offers unparalleled control and addresses specific regulatory requirements.