惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

G
GRAHAM CLULEY
V
V2EX
WordPress大学
WordPress大学
博客园 - Franky
Last Week in AI
Last Week in AI
博客园 - 司徒正美
有赞技术团队
有赞技术团队
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
博客园 - 【当耐特】
V
Visual Studio Blog
C
CERT Recently Published Vulnerability Notes
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Jina AI
Jina AI
Attack and Defense Labs
Attack and Defense Labs
腾讯CDC
The Hacker News
The Hacker News
Hugging Face - Blog
Hugging Face - Blog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
J
Java Code Geeks
人人都是产品经理
人人都是产品经理
阮一峰的网络日志
阮一峰的网络日志
T
Tailwind CSS Blog
S
SegmentFault 最新的问题
大猫的无限游戏
大猫的无限游戏
小众软件
小众软件
A
Arctic Wolf
量子位
博客园 - 聂微东
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
N
News and Events Feed by Topic
雷峰网
雷峰网
博客园_首页
Google Online Security Blog
Google Online Security Blog
Spread Privacy
Spread Privacy
罗磊的独立博客
H
Hacker News: Front Page
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
月光博客
月光博客
TaoSecurity Blog
TaoSecurity Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
博客园 - 三生石上(FineUI控件)
宝玉的分享
宝玉的分享
IT之家
IT之家
The Cloudflare Blog
爱范儿
爱范儿
博客园 - 叶小钗
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Apple Machine Learning Research
Apple Machine Learning Research
酷 壳 – CoolShell
酷 壳 – CoolShell

Microsoft Azure Blog

Frontier models and production agents: Advancing Microsoft Foundry for the agentic era | Microsoft Azure Blog Built to bounce back: How Azure resiliency evolved | Microsoft Azure Blog Meet Brain: The AI system behind Azure reliability | Microsoft Azure Blog Proving application resilience on Azure with Chaos Studio | Microsoft Azure Blog How to design, build, and optimize cloud infrastructure for long-term efficiency Claude in Microsoft Foundry is now generally available | Microsoft Azure Blog The 2026 Agent Confidence Index: Where 300 builders see real momentum | The Microsoft Cloud Blog Accelerate modern Linux workloads with Azure Files | Microsoft Azure Blog Optimizing PostgreSQL on Azure directly in Visual Studio Code From insight to action: The next phase of agentic cloud operations | Microsoft Azure Blog Modernize your data with Azure Storage: Plan and migrate with confidence | Microsoft Azure Blog 3 things leaders need to know from Microsoft Build 2026 | Microsoft Azure Blog Claude Fable 5 available today in Microsoft Foundry: Powering the next era of autonomous agents AI alone won’t change your business. The system running it will. Announcing Microsoft Discovery general availability and Microsoft Discovery app preview A Developer’s Guide to Managing Models, Cost and Quality in Microsoft Foundry Foundry IQ: Build smarter agents faster with unified knowledge and serverless retrieval Microsoft Build 2026: Building agentic apps with Microsoft Fabric and Microsoft Databases New Azure Cobalt 200 VMs deliver 50% performance improvement, fully optimized for modern agentic AI workloads Claude Opus 4.8 is now available in Microsoft Foundry Powering multi-cluster workloads with seamless cross‑cluster networking for Azure Kubernetes Fleet Manager Azure NetApp Files for EDA workloads: From revolution to breakthrough at scale Azure IaaS: Deploy high-performance workloads with a system-level approach Azure Files Entra-Only identities: Advancing cloud-native identity and security From commit to cloud: Powering what’s next for PostgreSQL Advancing enterprise AI: New SAP on Azure announcements from SAP Sapphire 2026 Red Hat Summit 2026: Platform modernization and AI on Microsoft Azure Red Hat OpenShift Build AI apps with Azure Cosmos DB: Key trends from Cosmos Conf 2026 Scaling cloud and AI: Microsoft Azure’s commitment to Europe’s digital future Azure IaaS: Defense in depth built on secure-by-design principles Enforcing trust and transparency: Open-sourcing the Azure Integrated HSM Microsoft named a Leader in the IDC MarketScape: Worldwide API Management 2026 Vendor Assessment OpenAI’s GPT-5.5 in Microsoft Foundry: Frontier intelligence on an enterprise ready platform Microsoft Discovery: Advancing agentic R&D at scale Introducing Azure Accelerate for Databases: Modernize your data for AI with experts and investments Cloud Cost Optimization: Principles that still matter Optimize object storage costs automatically with smart tier—now generally available Microsoft named a Leader in The Forrester Wave™ for Sovereign Cloud Platforms How Drasi used GitHub Copilot to find documentation bugs Cloud Cost Optimization: How to maximize ROI from AI, manage costs, and unlock real business value Azure IaaS: Keep critical applications running with built-in resiliency at scale Building sovereign AI at the edge: Microsoft and Armada collaborate to deliver Azure Local on Galleon modular datacenters Navigating digital sovereignty at the frontier of transformation Microsoft named a Leader in 2026 Gartner® Magic Quadrant™ for Integration Platform as a Service AI for nuclear energy: Powering an intelligent, resilient future | The Microsoft Cloud Blog What’s new with Microsoft in open-source and Kubernetes at KubeCon + CloudNativeCon Europe 2026 Advancing agentic AI with Microsoft databases across a unified data estate FabCon and SQLCon 2026: Unifying databases and Fabric on a single data platform Microsoft at NVIDIA GTC: New solutions for Microsoft Foundry, Azure AI infrastructure and Physical AI From legacy to leadership: How PostgreSQL on Azure powers enterprise agility and innovation
External key management for Azure Managed HSM
Salim Chawro · 2026-07-08 · via Microsoft Azure Blog

Azure Key Vault Managed Hardware Security Module (HSM) provides strong sovereignty over your encryption keys. Keys are generated and stored in a single-tenant, FIPS 140-3 Level 3 HSM that only you control: Microsoft has no access to your key material, and you govern who can use each key. For most organizations, including those with stringent regulatory requirements, this level of control is sufficient.

Some organizations have a further requirement: the hardware that holds their key must reside physically outside Azure datacenters. External key management for Azure Key Vault Managed HSM is now in public preview to address that requirement, delivering on a commitment made a year ago.

How Managed HSM delivers sovereignty today

Before looking at external key management, it’s worth being precise about the sovereignty Managed HSM already provides. Managed HSM is a single-tenant service: each instance is a dedicated cluster of FIPS 140-3 Level 3 validated HSM partitions for each customer—built on Marvell LiquidSecurity adapters. Keys are generated inside that hardware and never leave it in plaintext, making the keys inaccessible to Microsoft operators.

Control rests with you, not Microsoft:

  • Customer-specific security domain. Each HSM cluster is cryptographically isolated by a security domain that you generate and own. Microsoft can’t decrypt your key material or recover your HSM cluster without it. You are in full control of the security domain as it’s protection and safeguarding is outside of Microsoft.
  • Multiperson control. The security domain is protected by a quorum of RSA key pairs that you hold offline. Recovery requires your quorum, so no single person—and no Microsoft operator—can act alone.
  • Local role-based access control (RBAC). A data-plane authorization model, independent of Azure RBAC, governs who can perform each cryptographic operation.
  • Key attestation. You can obtain cryptographic proof that a key was generated and is used within the FIPS 140-3 Level 3 hardware boundary.

Managed HSM is built on FIPS 140-3 Level 3 HSMs and confidential computing technology based on Intel SGX, so request handling, access control, and key material are isolated in hardware enclaves and HSMs that no Microsoft operator—even one with administrative or physical access to the host—can read. Managed HSM provides redundancy, isolation, and protection—giving organizations the sovereignty assurances they need without compromising on key security, operational overhead or availability.

What external key management adds

Managed HSM already provides full customer control over your keys, with enterprise-grade availability, security, and operational simplicity. External key management adds one capability: the option to keep your key material on an HSM that you own and operate, either on-premises or with a trusted third party, completely outside Microsoft infrastructure.

External key management is designed for scenarios where regulation or contractual obligations mandate the cryptographic keys must reside outside the cloud provider’s environment. These requirements are sometimes found in highly regulated sectors such as government, financial services, and critical infrastructure, and in jurisdictions with strict data-sovereignty rules. External key management ensures the root of trust and key material remain on hardware you own and operate, outside Microsoft infrastructure, and under your direct physical control.

However, this model should only be adopted deliberately and only when required. For most workloads, Managed HSM keys remain the recommended approach, delivering higher native availability, reduced operational complexity, and a security posture that meets or exceeds sovereignty requirements without introducing additional risk or overhead. External key management is about meeting specific regulatory constraints, not increasing baseline security. When those constraints do not apply, Managed HSM provides a stronger, more reliable, and more operationally efficient solution.

How it works

External key management extends Managed HSM through a dedicated API endpoint that connects directly to the HSM you control. It allows cryptographic operations in Azure to invoke external key material without changing how applications interact with the service. The external key never resides in or passes through Microsoft infrastructure; only your hardware uses it. Because you control that hardware, you can disconnect it at any time to halt all cryptographic operations.

  • Integration is transparent to applications. Applications continue to use Managed HSM and the Azure Key Vault API with the customer-managed key envelope encryption pattern unchanged. When an data access requires your external key to decrypt local data encryption keys, Managed HSM forwards it to your hardware and returns the result.
  • You choose the hardware and partner. Because the external key management API is an open specification, you decide how to implement it. Your hardware, your partner, or your implementation.
  • All connections are mutually authenticated and encrypted. Traffic between Azure and your hardware is secured with mutual TLS, ensuring a secure and trusted connection between Azure and your HSM.

HSM ecosystem

A growing ecosystem of HSM vendors support integration with the Managed HSM external key management API, as many providers are actively enabling compatibility for their platforms.

Microsoft doesn’t build or operate the connecting integration proxy itself. Instead, you benefit from an open model: you can use a vendor provided implementation, reply on a partner to operate it, or build your own.

Responsibilities and tradeoffs

External key management deliberately shifts a portion of operational responsibility to you. This is the direct consequence of extending the trust boundary beyond Azure: you gain control over the root of trust, and with it, ownership of the systems that enforce it.

  • Availability of your hardware. The Managed HSM SLA applies up to the point Managed HSM calls your external HSM proxy. Availability of your proxy and HSM is your responsibility. Any disruption on your side directly impacts cryptographic operations and Azure service data accessibility.
  • Scope of operations. External key management focuses on the operations used to protect data at rest. It does not expose the full set of key operations available with Managed HSM keys, reflecting a deliberate trade-off between control and functionality.
  • Hardware operations. Provisioning, securing, scaling, monitoring, and recovery of your proxy and HSM become your responsibility, whether operated directly or through a partner.
  • Error transparency. Failures originating on your side of the connection are surfaced in Managed HSM logs, but remain your responsibility to diagnose and resolve.

This is the core trade-off: more control means more responsibility.

Public preview scope

  • Availability: all Azure public regions at preview launch.
  • Access: gated. Your Microsoft account team enables external key management on your Managed HSM—contact them to request it.
  • Use case: protecting data at rest for Azure services that support customer-managed keys with Managed HSM.
  • Pricing: standard Managed HSM pricing, with no additional Microsoft surcharge. You cover the cost of your own hardware and any partner licensing.

Get started

External key management is the latest step in giving customers granular control over how and where their keys are protected. During public preview, your feedback will directly shape the feature on its path to general availability — including the operational guidance, vendor integrations, and scenarios we prioritize next.