Azure Key Management Services (AKMS) is a cloud-based key management system that securely stores, manages, and controls encryption keys. This service is designed to help organizations meet their encryption key management needs.
AKMS provides a centralized platform for managing encryption keys, making it easier to control access and ensure compliance with regulatory requirements. This is particularly important for organizations that need to store sensitive data in the cloud.
One of the key benefits of AKMS is its ability to integrate with other Azure services, such as Azure Storage and Azure SQL Database. This allows organizations to easily manage their encryption keys across multiple services.
Azure Key Management Services
Azure offers several options for storing and managing your keys in the cloud, including Azure Key Vault, Azure Managed HSM, Azure Dedicated HSM, and Azure Payment HSM.
These options differ in terms of their FIPS compliance level, management overhead, and intended applications. For a comprehensive guide to choosing the right key management solution for you, see How to Choose the Right Key Management Solution.
Azure Key Vault is the Microsoft-recommended solution for managing and controlling access to encryption keys used by cloud services.
Services
You can store data at rest in Azure Blob storage and Azure file shares, and encrypt it using Azure Storage Service Encryption, which uses 256-bit AES encryption. This process is completely transparent to users.
Permissions to access keys can be assigned to services or to users through Microsoft Entra accounts, providing a secure way to manage key access.
TLS
TLS is a powerful encryption protocol that provides strong authentication, message privacy, and integrity. It's used to protect data in transit between Azure services and client systems.
TLS connections in Azure are negotiated between Microsoft datacenters and client systems. The negotiation derives a unique session key for each connection, so an unauthorized party who obtains one connection's key cannot use it to read any other connection.
Perfect Forward Secrecy (PFS) is a key feature of TLS in Azure, protecting connections with unique keys. This adds an extra layer of security, making it even harder for someone to intercept and access data.
Connections in Azure also support RSA-based 2,048-bit key lengths, ECC 256-bit key lengths, SHA-384 message authentication, and AES-256 data encryption. This combination provides robust protection for sensitive data.
Payments HSM
Azure Payment HSM is a secure solution for payment activities, including payment processing and issuing payment credentials. It's a FIPS 140-2 Level 3, PCI HSM v3 verified bare metal solution.
To ensure complete privacy and security, the Azure Payment HSM offers single-tenant HSMs, giving clients total administrative control and exclusive access to the HSM. Microsoft has no access to client information once the HSM has been assigned to a customer.
The service complies with PCI DSS and PCI 3DS standards, making it a reliable choice for payment activities. Clients can lease a payment HSM appliance in Microsoft data centers for their payment needs.
The Azure Payment HSM is billed according to variables, including the quantity of HSM resources, performance speed, and timeframe. Customers will receive a monthly bill from the hourly-based billing system.
Customers can change their performance level as needed to accommodate business requirements, making the Azure Payment HSM a flexible solution for payment activities.
Payment HSM Pricing
Azure Payment HSM is a service that enables secure digital payments in the cloud. It allows customers to manage cryptographic key operations for real-time payment transactions on Azure.
You can pay for this service based on variables such as the number of HSM resources, performance speed, and timeframe. This means you'll receive a monthly bill based on the hourly usage of your Payment HSM service.
Customers can change their performance level as needed to accommodate business requirements. This flexibility is useful for businesses with fluctuating payment volumes.
The billing system for Payment HSM is hourly-based, which means you'll be charged for the actual time your service is in use. This can help you better manage your costs and avoid unnecessary expenses.
Application Secret Management
Centralizing storage of application secrets in Azure Key Vault allows you to control their distribution. Key Vault greatly reduces the chances that secrets may be accidentally leaked.
Azure Key Vault simplifies the process of meeting security requirements by removing the need for in-house knowledge of Hardware Security Modules. You can scale up on short notice to meet your organization's usage spikes.
To store application secrets securely, you can create an Azure Key Vault per application and restrict the secrets stored in a Key Vault to a specific application and team of developers. This segregates application secrets and limits access to authorized personnel.
You can store security information in Azure Key Vault without having to make it part of the code. For example, an application may need to connect to a database, and instead of storing the connection string in the app's code, you can store it securely in Key Vault.
Here's a summary of the benefits of using Azure Key Vault for application secret management:
- Reduced risk of secrets being accidentally leaked
- Improved scalability to meet usage spikes
- Centralized control over secret distribution
- Segregation of application secrets
- No need to store security information in code
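The connection-string case above, as an added example that is not code from the page or from Microsoft: the application reads its database connection string from Key Vault at startup through the azure-identity and azure-keyvault-secrets packages (assumed installed, with the process running as an identity that may read secrets in the vault), and the retrieval logic is written against the client's get_secret interface so it can be exercised offline with a constructed stand-in. The vault name, secret name and sample connection string are placeholders.

```python
"""Load an application's database connection string from Azure Key Vault at
startup instead of embedding it in source code.

Added example: not code from the page or from Microsoft. Assumes the
azure-identity and azure-keyvault-secrets packages are installed and that the
process runs under an identity (managed identity, developer CLI login, ...)
with permission to read secrets in the vault. KEY_VAULT_NAME and the secret
name "db-connection-string" are placeholders.
"""
import os
from types import SimpleNamespace


def make_secret_client(vault_name: str):
    """Build a real SecretClient for https://<vault_name>.vault.azure.net.
    The SDK is imported here rather than at module level so the rest of this
    file (and the offline demo below) runs without the Azure packages."""
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient

    vault_url = f"https://{vault_name}.vault.azure.net"
    return SecretClient(vault_url=vault_url, credential=DefaultAzureCredential())


def load_db_connection_string(client, secret_name: str = "db-connection-string") -> str:
    """Fetch the current version of the secret. `client` only needs a
    SecretClient-style get_secret(name) returning an object with `.value`,
    so a stand-in can be injected when no vault is reachable."""
    value = client.get_secret(secret_name).value
    if not value:
        raise RuntimeError(f"secret {secret_name!r} is empty or missing")
    return value


def redact_connection_string(conn: str) -> str:
    """Mask the password of an ADO.NET-style connection string before logging it."""
    parts = []
    for item in conn.split(";"):
        key, sep, _ = item.partition("=")
        if sep and key.strip().lower() in ("password", "pwd"):
            parts.append(f"{key}=****")
        else:
            parts.append(item)
    return ";".join(parts)


class FakeSecretClient:
    """Constructed stand-in for SecretClient, used by the offline demo."""

    def __init__(self, secrets: dict):
        self._secrets = secrets

    def get_secret(self, name: str):
        return SimpleNamespace(value=self._secrets.get(name))


# Constructed sample data; not a real server or credential.
SAMPLE_SECRETS = {
    "db-connection-string": (
        "Server=tcp:example.database.windows.net,1433;Database=app;"
        "User ID=app;Password=s3cret!;Encrypt=True;"
    ),
}

if __name__ == "__main__":
    vault = os.environ.get("KEY_VAULT_NAME")
    client = make_secret_client(vault) if vault else FakeSecretClient(SAMPLE_SECRETS)
    conn = load_db_connection_string(client)
    # Log only the redacted form; the raw value goes straight to the DB driver.
    print("loaded:", redact_connection_string(conn))
```

Set KEY_VAULT_NAME to use a real vault; without it the demo runs against the constructed stand-in, which is also how unit tests can cover the loading path without network access.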
Key Management Features
Key management in Azure is a breeze with Key Vault, which is the Microsoft-recommended solution for managing and controlling access to encryption keys used by cloud services.
Key Vault relieves organizations of the need to configure, patch, and maintain hardware security modules (HSMs) and key management software, giving you more time to focus on other important tasks.
You maintain control with Key Vault, and Microsoft never sees your keys, ensuring your encryption keys are secure and private.
Key management is a crucial aspect of secure data storage, and Azure Key Vault offers a range of features to meet your needs.
Billing follows one of two models: transactional, or a fixed hourly rate. The Azure Key Vault Standard and Premium tiers are billed on a transactional basis, with an additional monthly per-key charge for premium hardware-backed keys.
Managed HSM, Dedicated HSM, and Payments HSM don't charge on a transactional basis; instead, they are always-in-use devices that are billed at a fixed hourly rate.
These devices are ideal for applications that require low latency and high performance, such as real-time payment transactions.
You can manage cryptographic key operations for urgent real-time payment transactions on Azure using the Payment HSM service.
The Payment HSM service is billed according to variables, including the quantity of HSM resources, performance speed, and timeframe.
You'll receive a monthly bill from the hourly-based billing system, and can change your performance level as needed to accommodate business requirements.
Azure Dedicated HSM gives you control over the hardware security components you use in the cloud, so you can meet requirements such as FIPS 140-2 Level 3 and retain control of your keys.
APIs
APIs are supported differently across various key management solutions.
Dedicated HSM and Payments HSM support the PKCS#11, JCE/JCA, and KSP/CNG APIs.
Azure Key Vault and Managed HSM, however, do not support these APIs directly.
Instead, they expose key operations through the Azure Key Vault REST API and its SDKs.
For more information on the Azure Key Vault API, see the Azure Key Vault REST API Reference.
Creating Microsoft Material
Creating Microsoft Material is a straightforward process that can be done directly using the native Microsoft Azure application. To start, select Microsoft Azure (Native) and click Next to proceed.
The Configure Source Key screen is displayed, where you'll enter a user-friendly alias as the Azure Key Name. This helps uniquely identify a key, making it easier to manage later on.
You'll also need to select the desired Vault from the drop-down list, as well as the Key Type. If you're working with RSA or RSA HSM key types, you'll have the option to select the Size from 2048, 3072, or 4096.
For Elliptic Curve or Elliptic Curve HSM key types, you'll need to select the Curve from the options: P-256, P-384, P-521, or SECP256K1.
You can also set the key activation and expiration dates, if desired, and select the Enable Key check box so the key is created in an enabled state.
Key Attributes are also customizable, with different options available depending on the Key Type. For RSA or RSA HSM, the supported attributes include things like Key Usage and Extended Key Usage. For Elliptic Curve or Elliptic Curve HSM, the supported attributes include things like Key Type and Key Usage.
If you want to add additional metadata to your key, you can enter Tags. A tag is a label assigned to the key that consists of a user-defined key and a value. To add a tag, simply click the "Add" button and enter your desired key and value.
Here are the steps to create a Microsoft material:
- Select Microsoft Azure (Native).
- Click Next.
- Enter a user-friendly alias as the Azure Key Name.
- Choose the desired Vault and Key Type.
- (Optional) Set the key activation and expiration dates.
- (Optional) Select the Enable Key check box.
- Customize the Key Attributes.
- (Optional) Enter Tags.
- Click Next.
- Review and add the key details.
- Click Add Key.
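The same choices as the steps above (key type, RSA size or EC curve, activation and expiry, enabled flag, tags), made through the azure-keyvault-keys SDK instead of the UI, as an added example that is not code from the page, from Thales, or from Microsoft. It assumes azure-identity and azure-keyvault-keys are installed and that the caller may create keys in the vault; vault and key names are placeholders. Key Vault's own name for the SECP256K1 curve is "P-256K", which the alias table maps, and validation is kept separate from the SDK call so it can be tested offline against a constructed stand-in client.

```python
"""Create a Key Vault key with the choices from the Create-key steps, via the
azure-keyvault-keys SDK.

Added example: not code from the page, Thales, or Microsoft. Assumes the
azure-identity and azure-keyvault-keys packages are installed and the caller
holds the "create" key permission (or an equivalent RBAC role) on the vault.
Vault and key names are placeholders.
"""
import os
from datetime import datetime, timedelta, timezone
from types import SimpleNamespace

RSA_SIZES = (2048, 3072, 4096)
EC_CURVES = ("P-256", "P-384", "P-521", "P-256K")
CURVE_ALIASES = {"SECP256K1": "P-256K"}  # Key Vault's name for secp256k1


def make_key_client(vault_name: str):
    """Real KeyClient; the SDK is imported lazily so the offline demo runs without it."""
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.keys import KeyClient

    return KeyClient(vault_url=f"https://{vault_name}.vault.azure.net",
                     credential=DefaultAzureCredential())


def plan_key_request(key_type, *, size=None, curve=None, enabled=True,
                     not_before=None, expires_on=None, tags=None):
    """Validate the choices and return (KeyClient method name, keyword args)."""
    key_type = key_type.upper()
    if not_before and expires_on and expires_on <= not_before:
        raise ValueError("expiry must be later than activation")
    common = {
        "enabled": enabled,
        "not_before": not_before,
        "expires_on": expires_on,
        "tags": tags or {},
        "hardware_protected": key_type.endswith("-HSM"),  # RSA-HSM / EC-HSM
    }
    if key_type in ("RSA", "RSA-HSM"):
        size = size or 2048
        if size not in RSA_SIZES:
            raise ValueError(f"RSA size must be one of {RSA_SIZES}, got {size}")
        return "create_rsa_key", {**common, "size": size}
    if key_type in ("EC", "EC-HSM"):
        name = (curve or "P-256").upper()
        curve = CURVE_ALIASES.get(name, name)
        if curve not in EC_CURVES:
            raise ValueError(f"curve must be one of {EC_CURVES}, got {curve}")
        return "create_ec_key", {**common, "curve": curve}
    raise ValueError(f"unsupported key type {key_type!r}")


def create_key(client, name, key_type, **choices):
    """Issue the create call. `client` is a KeyClient or any object exposing
    create_rsa_key/create_ec_key with the same keyword arguments."""
    method, kwargs = plan_key_request(key_type, **choices)
    return getattr(client, method)(name, **kwargs)


class FakeKeyClient:
    """Constructed stand-in that records calls instead of contacting a vault."""

    def __init__(self):
        self.calls = []

    def _record(self, method, name, kwargs):
        self.calls.append((method, name, kwargs))
        # Placeholder key identifier in the shape Key Vault returns.
        return SimpleNamespace(name=name,
                               id=f"https://placeholder.vault.azure.net/keys/{name}/0000")

    def create_rsa_key(self, name, **kwargs):
        return self._record("create_rsa_key", name, kwargs)

    def create_ec_key(self, name, **kwargs):
        return self._record("create_ec_key", name, kwargs)


if __name__ == "__main__":
    vault = os.environ.get("KEY_VAULT_NAME")
    client = make_key_client(vault) if vault else FakeKeyClient()
    now = datetime.now(timezone.utc)
    key = create_key(client, "app-signing-key", "RSA-HSM", size=3072,
                     not_before=now, expires_on=now + timedelta(days=365),
                     tags={"owner": "payments-team"})
    print("created", key.id)
```

With KEY_VAULT_NAME set, the same call creates a hardware-backed 3072-bit RSA key that expires a year after activation; without it, the stand-in records what would have been sent.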
Cell-Level or Column-Level
Cell-Level or Column-Level encryption allows for more granular encryption capability than TDE, which encrypts data in pages.
With Azure SQL Database, you can apply symmetric encryption to a column of data by using Transact-SQL, giving you the flexibility to encrypt specific columns or even cells of data with different encryption keys.
This approach is also known as Cell-Level Encryption or Column-Level Encryption (CLE), and Transact-SQL provides built-in functions that encrypt data using either symmetric or asymmetric keys.
CLE can also use the public key of a certificate or a passphrase using 3DES, providing a range of options for securing sensitive data.
Managed HSM
Azure Managed HSM is a single-tenant option that's FIPS 140-2 Level 3 validated, giving users complete control over an HSM for encryption-at-rest and custom applications.
It provides a pool of three HSM partitions, which work together as a single logical, highly available HSM appliance. This pool is fronted by a service that makes crypto capability available via the Key Vault API.
The service runs within Azure's Confidential Compute Infrastructure, so Microsoft manages the provisioning, patching, maintenance, and hardware failover of the HSMs, but doesn't have access to the keys themselves.
Managed HSM supports keyless TLS with F5 and Nginx, and can hold the keys for the Azure SQL, Azure Storage, and Azure Information Protection PaaS services.
You can use Managed HSM for encryption-at-rest, Keyless SSL, and custom applications, giving you complete control over the HSM.
Microsoft never sees your keys, and applications don’t have direct access to them when you use Managed HSM.
Frequently Asked Questions
How do I manage access keys in Azure?
To manage access keys in Azure, navigate to your storage account in the Azure portal and select Access keys under Security + networking. From there, you can view and copy your account access keys and connection strings.
What is the difference between CMK and KEK?
A CMK (Customer Master Key) is used to encrypt data, while a KEK (Key Encryption Key) is an asymmetric key that encrypts the CMK, providing an additional layer of security. This distinction is crucial for protecting sensitive data in cloud storage.
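The KEK-wraps-data-key relationship described in this answer, as an added example that is not code from the page or from Microsoft: a data key is generated locally, sent to Key Vault to be wrapped under an RSA key encryption key with the SDK's CryptographyClient (assumed installed via azure-identity and azure-keyvault-keys, with wrapKey/unwrapKey permission on a KEK of type RSA or RSA-HSM; the key URL is a placeholder), and only the wrapped form is stored beside the data. The example goes one step beyond the answer by showing KEK rotation, which re-wraps the data key without touching the data. The FakeCryptographyClient is a constructed stand-in so the demo runs offline; it does not implement RSA-OAEP.

```python
"""Envelope encryption with a Key Vault key encryption key (KEK).

Added example, not from the page or from Microsoft. With the real SDK it
assumes azure-identity and azure-keyvault-keys are installed and a KEK of type
RSA or RSA-HSM with the wrapKey/unwrapKey permissions; the key URL is a
placeholder. FakeCryptographyClient is a constructed offline stand-in.
"""
import hashlib
import hmac
import os
from types import SimpleNamespace

WRAP_ALG = "RSA-OAEP-256"  # KeyWrapAlgorithm.rsa_oaep_256 in the SDK


def make_crypto_client(key_id: str):
    """Real CryptographyClient bound to one KEK version; SDK imported lazily."""
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.keys.crypto import CryptographyClient

    return CryptographyClient(key_id, credential=DefaultAzureCredential())


def generate_data_key() -> bytes:
    """256-bit data key used locally (e.g. with AES-GCM) to encrypt the payload."""
    return os.urandom(32)


def wrap_data_key(crypto_client, data_key: bytes) -> dict:
    """Ask Key Vault to wrap the data key under the KEK. The envelope records
    which KEK version and algorithm were used so it can be unwrapped later."""
    result = crypto_client.wrap_key(WRAP_ALG, data_key)
    return {"kid": result.key_id, "alg": result.algorithm,
            "wrapped_key": result.encrypted_key}


def unwrap_data_key(crypto_client, envelope: dict) -> bytes:
    """Recover the plaintext data key; the KEK itself never leaves the vault."""
    return crypto_client.unwrap_key(envelope["alg"], envelope["wrapped_key"]).key


def rewrap_data_key(old_client, new_client, envelope: dict) -> dict:
    """KEK rotation: unwrap under the old KEK version and wrap under the new
    one. Ciphertext produced with the data key itself is left untouched."""
    return wrap_data_key(new_client, unwrap_data_key(old_client, envelope))


class FakeCryptographyClient:
    """Constructed stand-in: a per-KEK secret drives a tagged XOR 'wrapping'.
    A wrong KEK fails the tag check, mirroring the service rejecting an unwrap
    with the wrong key. This is not a real cipher and not RSA-OAEP."""

    def __init__(self, key_id: str, secret: bytes):
        self.key_id, self._secret = key_id, secret

    def _pad(self, n: int) -> bytes:
        return hashlib.shake_256(self._secret).digest(n)

    def wrap_key(self, algorithm: str, key: bytes):
        body = bytes(a ^ b for a, b in zip(key, self._pad(len(key))))
        tag = hmac.new(self._secret, body, hashlib.sha256).digest()[:16]
        return SimpleNamespace(key_id=self.key_id, algorithm=algorithm,
                               encrypted_key=tag + body)

    def unwrap_key(self, algorithm: str, encrypted_key: bytes):
        tag, body = encrypted_key[:16], encrypted_key[16:]
        expected = hmac.new(self._secret, body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("unwrap failed: wrong KEK or corrupted envelope")
        return SimpleNamespace(key=bytes(a ^ b for a, b in zip(body, self._pad(len(body)))))


if __name__ == "__main__":
    base = "https://placeholder.vault.azure.net/keys/kek/"  # placeholder KEK URL
    kek_v1 = FakeCryptographyClient(base + "v1", os.urandom(32))
    kek_v2 = FakeCryptographyClient(base + "v2", os.urandom(32))
    dek = generate_data_key()
    envelope = wrap_data_key(kek_v1, dek)
    assert unwrap_data_key(kek_v1, envelope) == dek
    rotated = rewrap_data_key(kek_v1, kek_v2, envelope)
    assert unwrap_data_key(kek_v2, rotated) == dek
    print("data key survives KEK rotation; envelope now references", rotated["kid"])
```

Against a real vault, replace the stand-ins with make_crypto_client(key_url) for each KEK version; the wrap and unwrap calls are the only operations that touch the KEK, which is why the KEK can stay hardware-backed while the data key does the bulk encryption locally.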