What is Azure Key Vault Managed HSM, how to install and eventually remove (if needed)

Managed HSM Key auto-rotation is generally available

First the happy news! Key auto-rotation is also generally available for Managed HSM! Earlier this year it came to Key Vault already!

Configure key auto-rotation in Azure Key Vault Managed HSM

Use this guide to learn how to configure automated the rotation of a key in Azure Key Vault Managed HSM

Read more here about the Key vault auto-rotation feature and how to enable it with system-managed identities.

How to use Azure Key Vault with managed identities and generating keys with auto-rotation

Data-planes First you have to understand the different URLs that you can use for different types of resources Resource type Key protection methods Data-plane endpoint base URL Vaults Software-protected and HSM-protected (with Premium SKU) https://{vault-name}.vault.azure.net Managed HSMs HSM-protected https://{hsm-name}.managedhsm.azure.net When you provision Key Vault Standard or Premium, you will use the same *.vault.azure.net address but

But if you don't want remove it completely, read forward, it will make your day, I promise.

Scenario

Because the community is mostly made out of IT Pro's who do consulting for customer. There could be a need to test Managed HSM for a client or just for fun (Yes, some people do it also for fun)

It's easy to provision but hard to remove once it takes all the credits from your subscriptions. And the local currency piles up quickly, really quickly, even if you don't use it.

What is Managed HSM?

Each HSM pool is an isolated single-tenant instance with its own security domain providing complete cryptographic isolation from all other HSM's sharing the same hardware infrastructure.

Managed HSM uses Marvell LiquidSecurity adapters. So yes, you got it right. It is a Shared physical device and there is separate physical cards that hosts your content.

It has the following data-plane address.

Resource type	Key protection methods	Data-plane endpoint base URL
Managed HSMs	HSM-protected	https://{hsm-name}.managedhsm.azure.net

There are three different FIPS levels, and they are based on The Federal Information Security Management Act (FISMA), which was established as standards and guidelines for federal computer systems by the National Institute of Standards and Technology (NIST) and approved by the Secretary of Commerce. These standards and guidelines are developed when there are no existing industry standards or solutions that meet a certain regulatory requirement. FIPS were developed for use by the federal government, although many firms voluntarily adopt them. Managed HSM has the hightest FIPS Level of 3.

You will use it almost like normal Key vault, once you have it provisioned you will see Managed HSM in the service that you plan to use the Keys. You can generate the keys with AZ CLI or with the GUI like below.

Why to use it?

Regulations and compliance based on our industry is one of the biggest reasons. Content has to encrypted with your own keys, that you generate and hold. With HSM you have the root of trust but also the responsibility to backup your infrastructure and content.

See some excellent examples from Azure Architecture Center for HSM deployments.

Browse Azure Architectures - Azure Architecture Center

Find architecture diagrams and technology descriptions for reference architectures, real world examples of cloud architectures, and solution ideas for common workloads on Azure.

Availability and pricing

Here you can find the availability

Azure Products by Region | Microsoft Azure

View Azure products and features available by region. Azure makes it easy to choose the datacenter and regions right for you and your customers.

And pricing per B1 pool is 3,323€ per hour and for the keys.

HSM-protected keys	Premium
RSA 2048-bit keys	€1.039 per key per month1 + €0.032/10,000 transactions
Advanced key types1—	First 250 keys	€5.192 per key per month
	From 251 – 1500 keys	€2.596 per key per month
RSA 3072-bit, RSA 4096-bit, and Elliptic-Curve Cryptography (ECC) keys	From 1501 – 4000 keys	€0.935 per key per month
	4001+ keys	€0.416 per key per month
	+ €0.156/10,000 transactions

If you are thinking about the Keys length, RSA-3072 is a safe choice to go with as it's the highest than can be used in all of the Azure services. Don't get me wrong, by best practices you should generate different keys for different purposes but not all Azure service support over 3072-bit keys.

How to provision?

You don't find Managed HSM inside Azure Marketplace, it will be provisioned with Azure CLI

# Once connected to Azure CLI, login AZ login # Provision you HSM to your location az group create --name "HSMResourceGroup" --location northeurope # Getting the logged in user to $OID, add it as admin once provioning HSM oid=$(az ad signed-in-user show --query id -o tsv) az keyvault create --hsm-name "YouHSMName" --resource-group "HSMResourceGroup" --location "northeurope" --administrators $oid --retention-days 7 Note! Managed HSM instances are considered always-in-use. If you choose to enable purge protection using the --enable-purge-protection flag, you will be billed for the entirety of the retention period. # Generate three RSA-2048 certificates openssl req -newkey rsa:2048 -nodes -keyout cert_0.key -x509 -days 365 -out cert_0.cer openssl req -newkey rsa:2048 -nodes -keyout cert_1.key -x509 -days 365 -out cert_1.cer openssl req -newkey rsa:2048 -nodes -keyout cert_2.key -x509 -days 365 -out cert_2.cer # Download security domain (boundary) and Activate your HSM az keyvault security-domain download --hsm-name YouHSMName --sd-wrapping-keys ./certs/cert_0.cer ./certs/cert_1.cer ./certs/cert_2.cer --sd-quorum 2 --security-domain-file YourHSMName-SD.json

How to deprovision?

First when you deprovision the HSM, you have to have your subscription in Enabled state. Otherwise you cannot and you will get the following error when trying.

(ProviderError) Resource provider 'Microsoft.KeyVault' failed to return collection response for type 'deletedManagedHSMs'. Code: ProviderError Message: Resource provider 'Microsoft.KeyVault' failed to return collection response for type 'deletedManagedHSMs'.

So do these to get it working.

# Select Subscription and show state (Disable, enabled) az account show --subscription SUBSCRIPTIONID --query state # List deleted HSM's from Subscription az keyvault list-deleted --subscription SUBSCRIPTIONID --resource-type hsm # Delete HSM from your Subscription az keyvault delete --hsm-name HSMNAME --location westus3 --subscription SUBSCRIPTIONID Note! Deleting the resource group puts the Managed HSM into a soft-deleted state. The Managed HSM will continue to be billed until it is purged. # Purge deleted HSM's from Subscription az keyvault purge --hsm-name HSMNAME --location westus3 --subscription SUBSCRIPTIONID # Finally remove your HSM Resource group az group delete --name YourResourceGroup

Closure

Microsoft documentation on HSM is excellent and accurate but the removal hasn't been that well documented. So, the main goal for this article was to decrease Microsoft's support tickets and also decrease the time your have your precious Subscriptions locked behind the consumption wall.

#Azure #Keyvault #Compliance #Identity #Communityrocks #Sharingiscaring

Azure Managed HSM documentation

Learn how to use u to create and maintain keys that access and encrypt your cloud resources, apps, and solutions. Tutorials, API references, and more.