Understand the Difference Between Software Protected and HSM Protected Keys
Encryption keys are the backbone of any robust cybersecurity strategy, protecting sensitive data from unauthorized access. However, the method used to safeguard these keys can have significant implications for an organization’s overall security posture. The distinction between Software Protected vs HSM Protected Keys is a crucial factor to consider when implementing an effective cryptographic solution.
Software-based key protection offers convenience and flexibility, but may be vulnerable to various attack vectors. In contrast, Hardware Security Modules (HSMs) provide a tamper-resistant, hardware-based approach to key management, offering enhanced security at the expense of some flexibility.
Understanding the trade-offs between these two key protection methods is essential for organizations seeking to strike the right balance between security and operational efficiency.
Key Takeaways
- Software-protected keys use Azure service encryption to encrypt keys at rest and in transit. HSM-protected keys use dedicated HSM devices for key generation, storage, and cryptographic operations.
- Software-protected keys offer basic protection for dev/test applications. HSM-protected keys provide enhanced security and are recommended for production applications.
- Microsoft fully manages software-protected keys. HSM-protected keys enable you to maintain control via BYOK and full administration.
- HSM-protected keys meet higher regulatory compliance requirements compared to software-protected keys.
- HSM-protected keys incur additional costs for dedicated HSM devices, while software-protected keys have no added fees.
Software Protected vs HSM Protected Keys: A Quick Comparison
Factor | Software Protected Keys | HSM Protected Keys |
Key Protection | Azure service encryption | FIPS 140-2 Level 2 HSM |
Key Accessibility | Global, multi-region | Single region |
Key Lifecycle | Fully managed by Microsoft | Microsoft or customer managed |
Use Cases | Non-production, dev/test | Production, regulated workloads |
Security Level | Baseline | Enhanced |
Compliance | General cloud security standards | FIPS, PCI DSS, HIPAA etc. |
High Availability | Multi-region redundancy | HSM clusters with redundancy |
Cost | No additional costs | Increased HSM costs |
A Basic Overview of Software-Protected Keys
Software-protected keys in Azure Key Vault rely on the cryptographic key material being secured by Azure’s industry-standard encryption practices. When you create keys in a software-protected Key Vault, the key material is generated inside Microsoft’s secure cryptographic boundary and stored in Azure’s storage infrastructure.
Some of the main characteristics of software-protected keys are:
Azure Service Encryption for Keys at Rest and In Transit
- The key material for software-protected keys is encrypted at rest using 256-bit AES encryption. This protects the keys when stored in Azure storage.
- All communications to and from the Azure Key Vault service are secured using the TLS 1.2 protocol with at least 2048-bit RSA keys. This ensures the keys are protected in transit.
Microsoft Managed Key Lifecycle
- Microsoft manages the entire lifecycle of software-protected keys, including key generation, storage, backup, replication, and cryptographic operations.
- When using software-protected keys, you do not have to provision or maintain any cryptographic infrastructure. Microsoft handles it behind the scenes.
Keys Accessible from Any Azure Region
- Software-protected keys are accessible from any Azure region that has access to the Azure Key Vault service.
- This provides high availability since keys can be retrieved from multiple areas in the event of an outage.
Basic Protection for Dev/Test
- Software-protected keys offer a baseline level of protection that secures keys from external threats.
- They are suitable for securing keys used for development, testing, and QA purposes.
- For production workloads with high-security requirements, HSM-protected keys are recommended instead.
No Hardware Requirements
- Software-protected keys do not require dedicated HSM devices. Microsoft secures them using Azure’s encryption practices.
- This helps reduce costs since you don’t have to purchase and maintain HSMs.
A Basic Overview of HSM-Protected Keys
HSM-protected keys in Azure Key Vault safeguard your cryptographic keys using FIPS 140-2 Level 2 validated Hardware Security Modules (HSMs). The key material is generated inside the HSM device and never leaves the HSM boundary unencrypted.
Here are some key aspects of HSM-protected keys:
FIPS 140-2 Level 2 Validated HSM
- HSM-protected keys use hardened, tamper-resistant HSM devices that meet stringent FIPS 140-2 Level 2 security standards.
- This provides enhanced security compared to software-only protection. Keys are secured within the cryptographic boundary of the HSM.
Private Keys Never Leave HSM
- The private key material for HSM-protected keys is generated inside the HSM and never leaves the HSM unencrypted.
- The key material is encrypted when outside the HSM boundary during backup, replication, and transport between HSMs.
Microsoft Managed or Customer Managed
- HSM-protected keys are available in two flavors: Microsoft-managed HSMs or customer-managed HSMs via Bring Your Own Key (BYOK).
- Microsoft-managed HSMs are dedicated HSM devices that are fully managed and maintained by Microsoft.
- BYOK allows you to generate and transfer keys from on-premises HSMs to Azure Key Vault HSMs. You retain control.
Enhanced Access Control
- HSM-protected keys offer enhanced authorization and access control via Managed HSM and role separation.
- Security officers approve key operations. Cryptographic officers perform cryptographic operations.
Zone-Redundant HSM Clusters
- HSM-protected keys are stored in zone-redundant HSM clusters to provide high availability and resiliency.
- Redundant HSMs across availability zones ensure continued access to keys during outages.
Supports Major Compliance Standards
- HSM-protected keys comply with standards like FIPS 140-2, PCI DSS, and HIPAA for applications with stringent regulatory requirements.
- The level of security is suitable for financial, healthcare, government, and other highly regulated industries.
Increased Costs
- The enhanced security of HSM-protected keys comes at an added cost, as dedicated HSM devices must be provisioned and maintained.
- Software-protected keys have no hardware requirements and, hence, no additional costs.
When to Use Software-Protected Keys
Here are some common scenarios where using software-protected keys in Azure Key Vault would be an appropriate choice:
Non-Production Environments
Software-protected keys provide an adequate level of security for development, testing, and QA environments. They can help secure keys used by dev/test resources without needing dedicated HSM devices.
New Cloud Applications
Software-protected keys can provide a cost-effective key management solution for new cloud-native applications that do not have external regulatory requirements.
Basic Key Protection
If your application’s keys only need basic protection against external threats, opting for software-protected keys would be sufficient. They provide good baseline security.
Cost-Sensitive Scenarios
When budget is a constraint, software-protected keys allow you to store keys securely without the additional costs of procuring HSMs. The lower cost makes them suitable for less sensitive workloads.
Frequent Key Generation
Applications that frequently require generating new keys for short-lived processes can benefit from the on-demand availability and elastic scale of software-protected keys.
Non-Sensitive Data
For workloads involving non-sensitive data and keys, the level of security provided by software-protected keys is adequate. The additional security of HSM keys is not required.
When to Use HSM-Protected Keys
Here are some common situations where using HSM-protected keys in Azure Key Vault would be the recommended approach:
Production Applications
For production applications and workloads, especially those processing sensitive data, HSM-protected keys provide the necessary level of security for key management.
Regulatory Compliance Requirements
Applications in regulated industries like healthcare, finance, and government with compliance requirements like FIPS, PCI DSS, HIPAA, etc., can benefit from the enhanced security assurances of HSM-protected keys.
Extra Protection for Critical Keys
For highly sensitive applications that require extra assurance and protection for cryptographic keys, HSM-protected keys provide that additional level of security.
Long-Term Key Retention
If an application needs to retain keys for more than 12 months, HSM keys provide the necessary durability and protection against threats.
Hardware Root of Trust
For the maximum root of trust in cryptographic operations, HSM-protected keys leverage dedicated HSM devices, providing hardware-based trust assurance.
Key Operations from On-Prem
If cryptographic operations on keys need to be performed from on-premises applications behind the firewall, BYOK enables this securely via on-prem HSM integration.
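As an added illustration of the guidance in the two sections above (this is example code, not from the original article or from Azure), the following Python audit flags software-protected keys in places where the article recommends HSM protection: production vaults and keys retained for more than 12 months. It assumes key metadata in the shape of Key Vault's JSON key bundles, where the `kty` values RSA-HSM, EC-HSM and oct-HSM denote HSM-protected keys; the vault names, key names and timestamps are constructed.

```python
import json

# Constructed sample, modelled on the JSON key bundles Key Vault returns for a
# key (public metadata only; vault names, key names and timestamps are fake).
SAMPLE_KEYS = json.loads("""
[
 {"key": {"kid": "https://prod-kv.vault.azure.net/keys/pay-signing/1",
          "kty": "RSA-HSM", "key_ops": ["sign", "verify"]},
  "attributes": {"enabled": true, "created": 1700000000}},
 {"key": {"kid": "https://prod-kv.vault.azure.net/keys/db-wrap/1",
          "kty": "RSA", "key_ops": ["wrapKey", "unwrapKey"]},
  "attributes": {"enabled": true, "created": 1600000000}},
 {"key": {"kid": "https://dev-kv.vault.azure.net/keys/test-enc/1",
          "kty": "oct", "key_ops": ["encrypt", "decrypt"]},
  "attributes": {"enabled": true, "created": 1720000000}}
]
""")

HSM_SUFFIX = "-HSM"  # RSA-HSM, EC-HSM and oct-HSM are the HSM-protected key types


def is_hsm_protected(bundle):
    """Key Vault marks HSM-protected keys with the -HSM suffix on kty."""
    return bundle["key"]["kty"].upper().endswith(HSM_SUFFIX)


def vault_name(kid):
    """Extract the vault name from a key identifier URL (hypothetical helper)."""
    return kid.split("//", 1)[1].split(".", 1)[0]


def audit(bundles, now_epoch, prod_prefixes=("prod-",), max_sw_age_days=365):
    """Return (kid, reason) pairs for software-protected keys that sit in a
    production vault or have been retained longer than max_sw_age_days."""
    findings = []
    for b in bundles:
        if is_hsm_protected(b):
            continue  # HSM-protected keys satisfy both recommendations
        kid = b["key"]["kid"]
        if vault_name(kid).startswith(prod_prefixes):
            findings.append((kid, "software-protected key in production vault"))
        age_seconds = now_epoch - b["attributes"]["created"]
        if age_seconds > max_sw_age_days * 86400:
            findings.append((kid, "software-protected key retained > 12 months"))
    return findings


if __name__ == "__main__":
    for kid, reason in audit(SAMPLE_KEYS, now_epoch=1735689600):  # 2025-01-01 UTC
        print(f"{reason}: {kid}")
```

Keys created with an HSM key type cannot be converted in place; a flagged key is replaced by creating a new HSM-protected key and rotating consumers to it.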
HSM Protected Keys – Microsoft Managed HSM vs BYOK
When opting for HSM-protected keys, you have the choice between Microsoft-managed HSMs or customer-managed HSMs via BYOK (Bring Your Own Key). Here’s a comparison between the two flavors of HSM-protected keys:
Microsoft Managed HSM
- Microsoft fully deploys, provisions, and maintains HSM devices.
- It is easy to enable since Microsoft handles the HSM infrastructure.
- Microsoft personnel have administrative access to the HSM devices.
- It is well suited if you want a fully managed HSM service.
BYOK (Bring Your Own Key)
- You generate and transfer keys from your on-premises HSM to Azure Key Vault HSMs.
- Retain full control and ownership of your key material.
- Microsoft has no access to your HSM partition contents.
- Comply with regulations restricting 3rd party access to keys.
Key Administration and Operations
- With Microsoft-managed HSMs, all key administrative tasks like registration, backup, and redundancy are handled by Microsoft.
- You perform your own administration for BYOK, such as periodic key backups, log uploads, and redundancy configuration.
- Microsoft-managed HSMs provide built-in high availability with auto-failover across HSM clusters.
- BYOK requires setting up redundancy across multiple Azure regions for high availability.
Cryptographic Operations
- For Microsoft-managed HSMs, your application code can directly integrate with Key Vault APIs to perform cryptographic operations using the keys.
- With BYOK, cryptographic operations must be performed from the on-prem HSM. Keys can never leave the HSM.
- The Microsoft-managed model provides simpler application integration and development.
Cost Considerations
- Microsoft-managed HSMs have a straightforward hourly pricing model based on the number of HSM clusters provisioned.
- BYOK only incurs charges for Key Vault service usage. However, you must own compatible HSM devices on-premises.
- Microsoft-managed HSMs involve additional operational expenses for patches, upgrades, maintenance, etc.
Compliance Standards
- Both options comply with standards like FIPS 140-2 Level 2, PCI DSS, and HIPAA for cryptographic key protection.
- For some applications, BYOK may provide higher assurances for standards compliance by retaining keys on-premises.
Final Thoughts
Azure Key Vault provides two key protection options – software-protected and HSM-protected keys. Software keys rely on Azure encryption to secure keys at rest and in transit. They provide basic security for non-production workloads at no added cost. HSM keys use dedicated HSM devices to safeguard keys, meeting higher compliance standards for production apps. HSM keys enable BYOK support for importing existing on-prem keys.
Organizations should evaluate their security needs, compliance requirements, and budgets when deciding between software and HSM-protected keys. Software keys are suitable for dev/test environments and new cloud apps needing cost-effective protection. HSM keys are recommended for regulated workloads, production systems, and long-term retention of critical keys. The choice impacts security posture, operations, integration complexity, and costs.
Frequently Asked Questions
When should I use software-protected keys?
Use software-protected keys for non-production environments, new cloud apps, cost-sensitive workloads, frequent key generation needs, and non-sensitive data. They provide adequate security at lower costs.
When should I use HSM-protected keys?
Use HSM-protected keys for production apps, regulated workloads, long-term retention, hardware root of trust needs, and on-premises cryptographic operations. They provide enhanced security assurances.
What are the differences between Microsoft-managed HSMs and BYOK?
The main differences are in control over keys, admin responsibilities, cryptographic operations, high availability, and costs. Microsoft-managed HSMs offer fully managed service, while BYOK allows you to retain control of keys.
Does Azure Key Vault allow importing existing keys from on-premises?
Yes, Azure Key Vault’s BYOK (Bring Your Own Key) feature enables you to securely generate keys in on-premises HSMs and import them into Azure Key Vault HSMs, allowing you to continue using your existing keys.
Can I access my HSM-protected keys from multiple Azure regions?
No, HSM-protected keys are confined to a single Azure region since they rely on physical HSM devices. For multi-region access, you need to create keys in multiple regional Key Vault instances.
What cryptographic operations can be performed on keys in Azure Key Vault?
Azure Key Vault supports cryptographic operations like encrypting, decrypting, wrapping, unwrapping, signing, verifying, and obtaining a public key. Which operations are allowed depends on whether keys are software or HSM-protected.
Does Azure Key Vault allow importing existing certificates along with private keys?
Yes, Azure Key Vault supports importing existing certificates along with their private keys. Depending on your requirements, the keys can be software-protected or HSM-protected. This provides central lifecycle management of existing certificates.
What compliance standards does Azure Key Vault support?
Azure Key Vault complies with standards like FIPS 140-2, PCI DSS, HIPAA, and GDPR for key management scenarios. The level of compliance depends on whether software or HSM-protected keys are used.
Priya Mervana
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.