Hello @Ryan Wagner!
Welcome to Microsoft QnA!
I will try to address your question, generic as it may be!
Azure Key Vault can potentially solve your problems by allowing remote signing without physical access to the hardware key and providing a scalable, secure solution. The signing process would likely be faster than using a YubiKey, especially in remote scenarios. The files do not need to be uploaded to Azure; they can be signed locally on your server using Azure Key Vault's signing key.
https://video2.skills-academy.com/en-us/azure/key-vault/managed-hsm/overview
Azure Key Vault allows code signing to be done remotely without requiring physical access to the hardware key (YubiKey). Developers can remotely access the Key Vault to perform code-signing operations, meaning the physical server doesn’t need to be in an accessible location.
- Performance: Azure Key Vault is designed for enterprise-grade scalability and performance, so it can handle multiple signing operations efficiently.
- Batch Signing: Azure Key Vault does not natively support bulk signing in one call, so each file would still require an individual signing operation. However, since these operations can be executed programmatically, the signing process can be parallelized to some extent to improve throughput.
- Comparison with YubiKey: While the exact time per file can vary, using Azure Key Vault should generally be faster than a YubiKey, especially when considering remote scenarios. The operations might still be slower than local signing with a PFX, but the trade-offs include enhanced security and the ability to sign from any machine with appropriate access.
- Centralized key management: Manage critical, high-value keys across your organization in one place. With granular per key permissions, control access to each key on the 'least privileged access' principle.
- Isolated access control: Managed HSM "local RBAC" access control model allows designated HSM cluster administrators to have complete control over the HSMs that even management group, subscription, or resource group administrators cannot override.
- Private endpoints: Use private endpoints to securely and privately connect to Managed HSM from your application running in a virtual network.
- FIPS 140-2 Level 3 validated HSMs: Protect your data and meet compliance requirements with FIPS (Federal Information Protection Standard) 140-2 Level 3 validated HSMs. Managed HSMs use Marvell LiquidSecurity HSM adapters.
- Monitor and audit: fully integrated with Azure Monitor. Get complete logs of all activity via Azure Monitor. Use Azure Log Analytics for analytics and alerts.
- Data residency: Managed HSM doesn't store/process customer data outside the region the customer deploys the HSM instance in.
I suggest contacting your preferred Microsoft Specialist and deep diving into the advantages of Key Vault and the Key Vault Premium SKU!
--
I hope this helps!
Kindly mark the answer as Accepted and upvote it in case it helped!
Regards
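The flow the answer describes (hash each file locally, hand only the digest to the remote key, one sign call per file with the calls run in parallel), as an added example that is not part of the answer or of any Microsoft SDK. A locally generated RSA key (`newDemoSigner`, an assumption for offline use) stands in for the Key Vault / Managed HSM key; in production the `SignDigest` function would wrap the Key Vault sign operation and no private key would exist on the build server.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignDigest is the narrow contract a Key Vault-backed signer satisfies:
// it receives a 32-byte digest, never the file contents.
type SignDigest func(digest []byte) ([]byte, error)

// newDemoSigner is the offline stand-in for the HSM-held key (assumption, added for this
// example); in production it would wrap the Key Vault sign operation and hold no private key.
func newDemoSigner() (SignDigest, *rsa.PublicKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	sign := func(d []byte) ([]byte, error) { return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d) }
	return sign, &key.PublicKey, nil
}

type result struct{ name string; sig []byte; err error }
// signFiles issues one sign call per file (there is no bulk-sign call) and caps the calls in flight at workers.
func signFiles(files map[string][]byte, sign SignDigest, workers int) (map[string][]byte, error) {
	sem := make(chan struct{}, workers)
	results := make(chan result, len(files))
	for name, data := range files {
		go func(name string, data []byte) {
			sem <- struct{}{}        // acquire a worker slot
			defer func() { <-sem }() // release it
			d := sha256.Sum256(data) // hashing stays on the build server
			sig, err := sign(d[:])
			results <- result{name, sig, err}
		}(name, data)
	}
	sigs := make(map[string][]byte, len(files))
	for range files { // collect exactly one result per file
		r := <-results
		if r.err != nil {
			return nil, fmt.Errorf("sign %s: %w", r.name, r.err)
		}
		sigs[r.name] = r.sig
	}
	return sigs, nil
}
```

Consumers verify with the public key alone (`rsa.VerifyPKCS1v15` over the same SHA-256 digest), so verification needs no HSM access.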