Commit 91a77ce

committed
update
1 parent ee18eaf commit 91a77ce

1 file changed

Lines changed: 11 additions & 11 deletions

articles/security/fundamentals/key-management.md

@@ -28,7 +28,7 @@ Customer-managed keys can be stored on-premises or, more commonly, in a cloud ke
2828

2929
## Azure key management services
3030

31-
Azure offers several options for storing and managing your keys in the cloud, including Azure Key Vault, Azure Managed HSM, Azure Cloud HSM, and Azure Payment HSM. These options differ in terms of their FIPS compliance level, management overhead, and intended applications.
31+
Azure offers several options for storing and managing your keys in the cloud, including Azure Key Vault, Azure Key Vault Managed HSM, Azure Cloud HSM, and Azure Payment HSM. These options differ in terms of their FIPS compliance level, management overhead, and intended applications.
3232

3333
For a comprehensive guide to choosing the right key management solution for your specific needs, see [How to Choose the Right Key Management Solution](key-management-choose.md).
3434

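Review bot: the new line 31 still lists "Azure Cloud HSM" among the services, while the later hunks of this commit replace the Cloud HSM section, the service-limits and API text, and the "What's next" link with Azure Dedicated HSM. Either change the list here to "Azure Dedicated HSM" as well, or keep a Cloud HSM section for it to refer to, so the introduction names only services the article goes on to describe.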
@@ -38,15 +38,15 @@ A FIPS 140-2 Level 1 validated multitenant cloud key management service that can
3838

3939
### Azure Key Vault (Premium Tier)
4040

41-
A FIPS 140-3 Level 3 validated, PCI compliant, multitenant HSM offering that can be used to store asymmetric keys, secrets, and certificates. Keys are stored in a secure hardware boundary*. Microsoft manages and operates the underlying HSM, and keys stored in Azure Key Vault Premium can be used for encryption-at-rest and custom applications. Azure Key Vault Premium also provides a modern API and a breadth of regional deployments and integrations with Azure Services. If you are an AKV Premium customer looking for higher security compliance, key sovereignty, single tenancy, and/or higher crypto operations per second, you may want to consider Managed HSM instead. For more information, see [About Azure Key Vault](/azure/key-vault/general/overview).
41+
A FIPS 140-2 Level 2 validated, PCI compliant, multitenant HSM offering that can be used to store asymmetric keys, secrets, and certificates. Keys are stored in a secure hardware boundary*. Microsoft manages and operates the underlying HSM, and keys stored in Azure Key Vault Premium can be used for encryption-at-rest and custom applications. Azure Key Vault Premium also provides a modern API and a breadth of regional deployments and integrations with Azure Services. If you are an Azure Key Vault Premium customer looking for higher security compliance, key sovereignty, single tenancy, and/or higher crypto operations per second, you may want to consider Azure Key Vault Managed HSM instead. For more information, see [About Azure Key Vault](/azure/key-vault/general/overview).
4242

43-
### Azure Managed HSM
43+
### Azure Key Vault Managed HSM
4444

45-
A FIPS 140-3 Level 3 validated, PCI compliant, single-tenant HSM offering that gives customers full control of an HSM for encryption-at-rest, Keyless SSL/TLS offload, and custom applications. Azure Managed HSM is the only key management solution offering confidential keys. Customers receive a pool of three HSM partitions—together acting as one logical, highly available HSM appliance—fronted by a service that exposes crypto functionality through the Key Vault API. Microsoft handles the provisioning, patching, maintenance, and hardware failover of the HSMs, but doesn't have access to the keys themselves, because the service executes within Azure's Confidential Compute Infrastructure. Azure Managed HSM is integrated with the Azure SQL, Azure Storage, and Azure Information Protection PaaS services and offers support for Keyless TLS with F5 and Nginx. For more information, see [What is Azure Key Vault Managed HSM?](/azure/key-vault/managed-hsm/overview).
45+
A FIPS 140-2 Level 3 validated, single-tenant HSM offering that gives customers full control of an HSM for encryption-at-rest, Keyless SSL/TLS offload, and custom applications. Azure Key Vault Managed HSM is the only key management solution offering confidential keys. Customers receive a pool of three HSM partitions—together acting as one logical, highly available HSM appliance—fronted by a service that exposes crypto functionality through the Key Vault API. Microsoft handles the provisioning, patching, maintenance, and hardware failover of the HSMs, but doesn't have access to the keys themselves, because the service executes within Azure's Confidential Compute Infrastructure. Azure Key Vault Managed HSM is integrated with the Azure SQL, Azure Storage, and Azure Information Protection PaaS services and offers support for Keyless TLS with F5 and Nginx. For more information, see [What is Azure Key Vault Managed HSM?](/azure/key-vault/managed-hsm/overview).
4646

47-
### Azure Cloud HSM
47+
### Azure Dedicated HSM
4848

49-
A FIPS 140-3 Level 3 validated single-tenant HSM offering that gives customers full control of an HSM for PKCS#11, offload SSL/TLS processing, certificate authority private key protection, transparent data encryption, including document and code signing, and custom applications. Customer has full administrative control of their HSM cluster. While customers own deployment and initialization of their HSM, Microsoft handles the service provisioning and hosting of the HSM. Azure Cloud HSM supports all existing Azure Dedicated HSM use cases, including using lift-and-shift workloads, PKI, SSL Offloading and Keyless TLS, OpenSSL applications, Oracle TDE, and Azure SQL TDE IaaS. Azure Cloud HSM is not integrated with any Azure PaaS offerings. For more information, see [What is Azure Cloud HSM?](/azure/cloud-hsm/overview).
49+
A FIPS 140-2 Level 3 validated single-tenant HSM offering that gives customers full control of an HSM for PKCS#11, offload SSL/TLS processing, certificate authority private key protection, transparent data encryption, including document and code signing, and custom applications. Customer has full administrative control of their HSM cluster. While customers own deployment and initialization of their HSM, Microsoft handles the service provisioning and hosting of the HSM. Azure Dedicated HSM supports existing use cases, including using lift-and-shift workloads, PKI, SSL Offloading and Keyless TLS, OpenSSL applications, Oracle TDE, and Azure SQL TDE IaaS. Azure Dedicated HSM is not integrated with any Azure PaaS offerings. For more information, see [What is Azure Dedicated HSM?](/azure/dedicated-hsm/overview).
5050

5151
### Azure Payment HSM
5252

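Review bot: the replacement for line 45 drops "PCI compliant" from the Managed HSM description, and lines 41, 45 and 49 change the stated validation from FIPS 140-3 Level 3 to FIPS 140-2 (Level 2 for Key Vault Premium, Level 3 for the other two), yet the commit message is only "update". These are compliance statements that readers rely on when choosing a key store, so the commit should name the certification source for the new values and say whether removing the PCI claim is intended. Line 49 also retitles the section to Azure Dedicated HSM while carrying over the Cloud HSM paragraph almost word for word, including "full administrative control of their HSM cluster"; confirm that the description holds for the service it now names.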
@@ -61,21 +61,21 @@ The Azure Key Vault Standard and Premium tiers are billed on a transactional bas
6161

6262
## Service Limits
6363

64-
Managed HSM, Cloud HSM, and Payments HSM offer dedicated capacity. Key Vault Standard and Premium are multitenant offerings and have throttling limits. For service limits, see [Key Vault service limits](/azure/key-vault/general/service-limits).
64+
Azure Key Vault Managed HSM, Azure Dedicated HSM, and Azure Payment HSM offer dedicated capacity. Azure Key Vault Standard and Premium are multitenant offerings and have throttling limits. For service limits, see [Key Vault service limits](/azure/key-vault/general/service-limits).
6565

6666
## Encryption-At-Rest
6767

68-
Azure Key Vault and Azure Key Vault Managed HSM have integrations with Azure Services and Microsoft 365 for Customer Managed Keys, meaning customers may use their own keys in Azure Key Vault and Azure Managed HSM for encryption-at-rest of data stored in these services. Cloud HSM and Payments HSM are Infrastructure-as-Service offerings and do not offer integrations with Azure Services. For an overview of encryption-at-rest with Azure Key Vault and Managed HSM, see [Azure Data Encryption-at-Rest](encryption-atrest.md).
68+
Azure Key Vault and Azure Key Vault Managed HSM have integrations with Azure Services and Microsoft 365 for Customer Managed Keys, meaning customers may use their own keys in Azure Key Vault and Azure Key Vault Managed HSM for encryption-at-rest of data stored in these services. Azure Dedicated HSM and Azure Payment HSM are Infrastructure-as-Service offerings and do not offer integrations with Azure Services. For an overview of encryption-at-rest with Azure Key Vault and Azure Key Vault Managed HSM, see [Azure Data Encryption-at-Rest](encryption-atrest.md).
6969

7070
## APIs
7171

72-
Cloud HSM and Payments HSM support the PKCS#11, JCE/JCA, and KSP/CNG APIs, but Azure Key Vault and Managed HSM do not. Azure Key Vault and Managed HSM use the Azure Key Vault REST API and offer SDK support. For more information on the Azure Key Vault API, see [Azure Key Vault REST API Reference](/rest/api/keyvault/).
72+
Azure Dedicated HSM and Azure Payment HSM support the PKCS#11, JCE/JCA, and KSP/CNG APIs, but Azure Key Vault and Azure Key Vault Managed HSM do not. Azure Key Vault and Azure Key Vault Managed HSM use the Azure Key Vault REST API and offer SDK support. For more information on the Azure Key Vault API, see [Azure Key Vault REST API Reference](/rest/api/keyvault/).
7373

7474
## What's next
7575

7676
- [How to Choose the Right Key Management Solution](key-management-choose.md)
7777
- [Azure Key Vault](/azure/key-vault/general/overview)
78-
- [Azure Managed HSM](/azure/key-vault/managed-hsm/overview)
79-
- [Azure Cloud HSM](/azure/cloud-hsm/overview)
78+
- [Azure Key Vault Managed HSM](/azure/key-vault/managed-hsm/overview)
79+
- [Azure Dedicated HSM](/azure/dedicated-hsm/overview)
8080
- [Azure Payment HSM](/azure/payment-hsm/overview)
8181
- [What is Zero Trust?](/security/zero-trust/zero-trust-overview)
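
Review bot: the rewritten line 68 keeps "Infrastructure-as-Service"; since the sentence is being edited anyway, correct it to "Infrastructure-as-a-Service". The link list at lines 78-79 also removes the only pointer to /azure/cloud-hsm/overview, so if the introduction continues to mention Azure Cloud HSM, the article no longer links to it anywhere in this hunk.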
