Azure Key Vault Premium: HSM-Backed Keys for Compliance - Part 1

When building secure cloud infrastructure, key management becomes one of the most critical decisions you'll make. The difference between storing your encryption keys in software versus hardware security modules (HSMs) isn't just a technical implementation detail; it's a compliance and risk management decision that affects your entire organization. This is Part 1 of a two-part series exploring Azure Key Vault Premium and Managed HSM, focusing on what sets them apart, and when to use each one.
If, like me, you prefer to keep a holistic view when Azure infrastructure meets security requirements and compliance obligations, understanding the nuances between these two options is essential.
What is Azure Key Vault Premium?
Azure Key Vault Premium is a multitenant, managed cloud service that provides Hardware Security Module (HSM) protection for your encryption keys. Unlike the Standard tier, which protects keys in software, the Premium tier protects your keys using FIPS 140-3 Level 3 validated HSMs from Marvell LiquidSecurity.
Breaking this down:
- Multitenant architecture - Microsoft manages shared HSM infrastructure across many customers
- FIPS 140-3 Level 3 compliance - Hardware validated to the highest civilian security standard
- Marvell LiquidSecurity HSM adapters - Specialized hardware cryptographic processors that are tamper-resistant and dedicated
- Fully managed by Microsoft - Patching, firmware updates, hardware failover—all handled for you
- Regional deployment - Keys stored in Azure datacenters with high availability SLAs
The Multitenant Model in Azure Key Vault Premium
Here's an important distinction: Microsoft controls the root of trust. The HSM hardware is managed and operated by the Azure Key Vault infrastructure team. Your keys are protected by HSM hardware, but Microsoft:
- Manages the HSM firmware and patches
- Controls physical access to the hardware
- Operates the hardware security module
- Has the technical ability to access your keys (though it won't without a court order, and is bound by its security commitments)
Important: If you require key sovereignty—meaning your organization has exclusive control over who can access keys and what systems can use them—Azure Key Vault Premium may not meet that requirement. Azure Key Vault Managed HSM (covered in Part 2) is designed specifically for key sovereignty scenarios.
Encryption Support and Key Types
Azure Key Vault Premium supports three categories of HSM-protected keys:
| Key Type | Description | Encryption Support | Use Case |
|---|---|---|---|
| RSA-HSM | Asymmetric RSA keys (2048-bit, 3072-bit, 4096-bit) | Encrypt/Decrypt, Sign/Verify | Encryption at rest, TLS, signatures |
| EC-HSM | Elliptic Curve keys (P-256, P-384, P-521) | Sign/Verify | High-performance asymmetric operations |
| OCT-HSM | Symmetric (Octet) keys for AES encryption | Encrypt/Decrypt, Wrap/Unwrap | Direct data encryption, key wrapping |
For most compliance-driven use cases like encryption at rest in Azure services, you'll use RSA-HSM keys (typically 3072-bit or 4096-bit for maximum security). Azure Storage, Azure SQL Database, and other PaaS services can integrate with Key Vault Premium for customer-managed key encryption.
FIPS 140 Compliance Levels
The Federal Information Processing Standard (FIPS) 140 is the US government standard for cryptographic modules. These are the tiers relevant to Key Vault:
| Tier | Description | Key Vault Tier | Regulation Requirement |
|---|---|---|---|
| FIPS 140-2 Level 1 | Software-based cryptography, no tamper resistance | Key Vault Standard | Basic encryption requirements |
| FIPS 140-3 Level 3 | Hardware-based cryptography, identity-based control, tamper-evident physical mechanisms | Key Vault Premium | Industry-specific compliance (finance, healthcare, defense) |
FIPS 140-3 Level 3 requires physical tamper evidence and identity-based access controls. The Marvell LiquidSecurity HSM in Premium tier meets these requirements through:
- Tamper-resistant physical casing
- Role-based cryptographic operations
- Encrypted key storage
- Cryptographic self-testing
Access Control Model for Premium Tier
Azure Key Vault Premium uses a two-plane access model:
- Control plane: Manage the vault itself (create, delete, properties) - governed by Azure RBAC through Azure Resource Manager
- Data plane: Access encryption keys and perform cryptographic operations - governed by Key Vault Access Policies or Azure RBAC applied at the vault level
This separation means a subscription administrator cannot automatically access your keys without explicit data-plane permissions. It's a security best practice to grant control-plane and data-plane permissions to different individuals or roles.
Pricing Model: Transactional Billing
Here's where Premium differs significantly from Managed HSM:
Azure Key Vault Premium is billed on a transactional basis:
- Monthly cost per key (approximately $1-2 per key per month for HSM-protected keys)
- Per-operation charges for cryptographic operations
- You only pay for what you use
This makes Premium ideal for organizations that:
- Have a moderate number of keys
- Use keys intermittently or with variable load
- Want to avoid fixed costs while maintaining compliance
- Are starting their cloud security journey
If you anticipate high key operation volume or require fixed capacity planning, Azure Key Vault Managed HSM's fixed hourly rate might be more cost-effective.
Key Rotation and Lifecycle Management
Azure Key Vault Premium supports key versioning and automatic rotation. You can:
- Create multiple versions of the same key
- Set automatic rotation policies (rotate every 90 days, 1 year, etc.)
- Manually rotate keys on demand
- Archive old key versions securely
- Set expiration dates on keys
This is essential for maintaining compliance with standards like NIST SP 800-57, which recommends limiting how long any one key stays in use (its cryptoperiod) and therefore rotating encryption keys regularly.
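To make the key-type table and the rotation policy above concrete, here is an added Bicep example (not code from the original post or from Microsoft's documentation) that creates an RSA-HSM customer-managed key with an automatic rotation policy in an existing Premium vault. The vault name `kv-cmk-prod-example`, the key name `cmk-storage-rsa-hsm`, and the 90-day/1-year periods are assumed placeholders; adjust them to your own policy.

```bicep
// Added example (not from the original post): an RSA-HSM customer-managed key
// with an automatic rotation policy, deployed into an existing Premium vault.
// Assumed placeholders: the vault 'kv-cmk-prod-example' and key 'cmk-storage-rsa-hsm'.
param vaultName string = 'kv-cmk-prod-example'
param keyName string = 'cmk-storage-rsa-hsm'

// Reference the existing Premium vault; the key is deployed as its child resource.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: vaultName
}

resource cmk 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
  parent: kv
  name: keyName
  properties: {
    // RSA-HSM: the private key is generated inside the HSM and never leaves it.
    // 'RSA' (no -HSM suffix) would create a software-protected key even in a Premium vault.
    kty: 'RSA-HSM'
    keySize: 3072
    // Least privilege on the key itself: a CMK used for envelope encryption only
    // wraps and unwraps data-encryption keys, so encrypt/decrypt/sign are not granted.
    keyOps: [
      'wrapKey'
      'unwrapKey'
    ]
    attributes: {
      enabled: true
    }
    rotationPolicy: {
      attributes: {
        // Each key version expires one year after it is created (assumed policy).
        expiryTime: 'P1Y'
      }
      lifetimeActions: [
        {
          // Create a new key version 90 days after each version's creation.
          trigger: {
            timeAfterCreate: 'P90D'
          }
          action: {
            type: 'rotate'
          }
        }
        {
          // Emit an Event Grid near-expiry notification 30 days before a version expires,
          // so a version that somehow failed to rotate is noticed before it expires.
          trigger: {
            timeBeforeExpiry: 'P30D'
          }
          action: {
            type: 'notify'
          }
        }
      ]
    }
  }
}

// Services that reference the CMK by unversioned URI pick up new versions automatically.
output keyUri string = cmk.properties.keyUri
output keyUriWithVersion string = cmk.properties.keyUriWithVersion
```

Deploy it with `az deployment group create --resource-group <rg> --template-file key.bicep`. The design choice worth noting is the unversioned `keyUri` output: services such as Azure Storage that are configured with the unversioned key URI follow rotation automatically, whereas a service pinned to `keyUriWithVersion` keeps using the old version until it is reconfigured, which defeats the rotation policy.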
Network Security and Access Patterns
Premium tier supports several network security configurations:
- Public network access enabled (default): Any client on the internet can reach the vault endpoint, though every request still requires Microsoft Entra authentication
- Firewall rules: Allow access only from specific IP ranges or virtual networks
- Private Link: Access via Azure Private Link for network isolation
- Service Endpoints: VNet service endpoints to Azure Key Vault
For compliance-heavy industries, it's recommended to disable public access entirely and use Private Link for all interactions.
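The access-control and network sections above describe a vault whose data plane is governed by Azure RBAC, whose control-plane and data-plane permissions are held by different principals, and whose public endpoint is disabled in favour of Private Link. The following Bicep template is an added example of that configuration; it is not code from the original post or from Microsoft. The vault name, the subnet ID, the two principal object IDs and the private-endpoint names are assumed placeholders, and the two built-in role definition GUIDs are the well-known IDs of the Key Vault Crypto Service Encryption User and Key Vault Crypto Officer roles (confirm them in your tenant with `az role definition list --name "<role name>"` before relying on them).

```bicep
// Added example (not from the original post): a Key Vault Premium deployment
// hardened for a compliance workload. Vault name, subnet and principal IDs are
// assumed placeholders supplied by the deployer.
param location string = resourceGroup().location
param vaultName string = 'kv-cmk-prod-example'

@description('Resource ID of the subnet that hosts the private endpoint (assumed to exist).')
param privateEndpointSubnetId string

@description('Object ID of the workload identity (e.g. a storage account managed identity) allowed to wrap/unwrap with the CMK.')
param cryptoConsumerPrincipalId string

@description('Object ID of the crypto-officer group that creates and rotates keys but does not manage the vault resource itself.')
param cryptoOfficerPrincipalId string

// Built-in data-plane role definition IDs. These are the well-known GUIDs of the
// built-in roles; verify them with `az role definition list --name "<role name>"`.
var cryptoServiceEncryptionUserRoleId = 'e147488a-f6f5-4113-8e2d-b22465e65bf6' // Key Vault Crypto Service Encryption User
var cryptoOfficerRoleId = '14b46e9e-c2b7-41b4-b07b-48a6ebf60603'               // Key Vault Crypto Officer

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: {
      family: 'A'
      name: 'premium' // 'standard' would only allow software-protected keys
    }
    // Data plane governed by Azure RBAC rather than legacy access policies, so the
    // same role-assignment audit trail covers both planes.
    enableRbacAuthorization: true
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    // Purge protection cannot be switched off once enabled; CMK scenarios require it
    // so a deleted key cannot be purged while data still depends on it.
    enablePurgeProtection: true
    // Close the public endpoint entirely; only the private endpoint below reaches the vault.
    publicNetworkAccess: 'Disabled'
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices' // lets trusted Azure services (e.g. Storage) reach the CMK
      ipRules: []
      virtualNetworkRules: []
    }
  }
}

// Private endpoint targeting the 'vault' sub-resource of the Key Vault.
resource pe 'Microsoft.Network/privateEndpoints@2023-04-01' = {
  name: '${vaultName}-pe'
  location: location
  properties: {
    subnet: {
      id: privateEndpointSubnetId
    }
    privateLinkServiceConnections: [
      {
        name: '${vaultName}-plsc'
        properties: {
          privateLinkServiceId: kv.id
          groupIds: [
            'vault'
          ]
        }
      }
    ]
  }
}

// Data-plane role assignments scoped to the vault. Neither principal receives a
// control-plane role (Contributor, Owner) here; vault management stays with a
// separate team, which is the plane separation the text recommends.
resource consumerAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, cryptoConsumerPrincipalId, cryptoServiceEncryptionUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', cryptoServiceEncryptionUserRoleId)
    principalId: cryptoConsumerPrincipalId
    principalType: 'ServicePrincipal'
  }
}

resource officerAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, cryptoOfficerPrincipalId, cryptoOfficerRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', cryptoOfficerRoleId)
    principalId: cryptoOfficerPrincipalId
    principalType: 'Group'
  }
}

output vaultUri string = kv.properties.vaultUri
```

Two points a reviewer would check in this template: the consumer identity gets only Crypto Service Encryption User (wrap/unwrap of the CMK, no ability to read or create keys), and a subscription Contributor can change `networkAcls` or `publicNetworkAccess` but still cannot call the data plane, because no data-plane role is inherited from the control plane. Private DNS zone linking for `privatelink.vaultcore.azure.net` is needed for clients to resolve the private endpoint and is left out here for brevity.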
Bring Your Own Key (BYOK) Support
Premium tier supports Bring Your Own Key (BYOK), allowing you to:
- Generate keys in an on-premises HSM
- Securely import them into Azure Key Vault Premium
- Transfer keys without ever exposing them in plaintext
- Maintain key generation control while leveraging Azure's infrastructure
This is particularly valuable for organizations with regulatory requirements to generate keys internally before importing to Azure.
Integration with Azure Services
Azure Key Vault Premium integrates natively with:
- Azure Storage: Encryption at rest for blobs, files, tables, queues
- Azure SQL Database: Transparent Data Encryption (TDE) with customer-managed keys
- Azure Disk Encryption: VM disk encryption
- Azure App Service: Certificate management and secrets
- Microsoft Purview: Data encryption policies and compliance
- Microsoft 365: Customer Key for email and document encryption
When to Choose Azure Key Vault Premium
Select Premium tier if:
- ✓ You need FIPS 140-3 Level 3 compliance but don't require key sovereignty
- ✓ Compliance requirements include standards like HIPAA, PCI DSS, GDPR, SOX, FedRAMP
- ✓ Your organization is modestly sized with reasonable key counts
- ✓ You want Microsoft to manage HSM operations (patching, firmware updates, HA/DR)
- ✓ You're integrating with PaaS services that support customer-managed keys
- ✓ You need a transactional pricing model for variable workloads
- ✓ You prefer a multitenant, cost-efficient solution
Do NOT choose Premium if:
- ✗ You require key sovereignty (exclusive control over key hierarchy)
- ✗ Your organization must generate and manage the root of trust for its key material
- ✗ You have very high-volume cryptographic operations (Managed HSM's fixed pricing is more economical)
- ✗ You need complete security domain isolation at the hardware level
Next Steps and Part 2
If Azure Key Vault Premium meets your requirements, begin with the Azure Key Vault overview and explore authentication options.
However, if you require key sovereignty, single-tenant isolation, or complete root-of-trust control, Part 2 of this series covers Azure Key Vault Managed HSM—where your organization has full control over the cryptographic boundary and key material.
Next: Azure Key Vault Managed HSM: Single-Tenant Isolation and Key Sovereignty - Part 2
Resources
For deeper dives into specific topics mentioned:
- About Azure Key Vault
- Key Management in Azure
- How to Choose the Right Key Management Solution
- Authentication in Azure Key Vault
- Services Supporting Customer Managed Keys