I need to save my pfx certificates in an HSM

Ismael Ruvalcaba 1 Reputation point
2020-06-29T17:33:23.487+00:00

I was investigating that Azure Key Vault uses HSM.
Add the following line to import my pfx certificate
await keyVaultClient.ImportCertificateAsync(azureKeyVaultsUri, namePFX, base64EncodedCertificate, Password);
my question is already imported with this already saved in an HSM?
10904-screen-shot-2020-06-29-at-123046-pm.png

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,283 questions
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. JamesTran-MSFT 36,621 Reputation points Microsoft Employee
    2020-06-30T21:19:03.103+00:00

    @Ismael Ruvalcaba
    Your secrets and keys are safeguarded by Azure, using industry-standard algorithms, key lengths, and hardware security modules (HSMs). The Azure Key Vault may be either software- or hardware-HSM protected and uses nCipher nShield family of HSMs (FIPS 140-2 Level 2 validated) to protect your keys.

    You can securely transfer a key from your on-premises HSM outside Azure, into the HSM backing Azure Key Vault. The process of importing a key generated outside Key Vault is generally referred to as Bring Your Own Key (BYOK).

    Additional Links:
    About Azure Key Vault certificates
    Supported HSMs
    Azure Dedicated HSM

  2. Ismael Ruvalcaba 1 Reputation point
    2020-07-06T16:50:29.417+00:00

    I already do the saving "Certificate Management" I don't know if this is saved by software or by HSM.
    The other problem I have is that they ask me to comply FIPS 140-2 Level 3.

    Thank you very much for answering James

    0 comments
  3. JamesTran-MSFT 36,621 Reputation points Microsoft Employee
    2020-07-06T23:29:18.603+00:00

    @IsmaelRuvalcaba-8837
    Based off our documentation, the Azure Key Vault may be either software or hardware-HSM protected. From my understanding, If you're generating certificates, keys, etc., within an on-prem HSM, you have the option of bringing it into Azure (BYOK) without having it never leave the HSM boundary (hardware-HSM protected). If you're solely generating new certificates, secrets, or keys through the the Azure Portal, this would be software HSM protected.

    If you have a requirement to comply with FIPS 140-2 Level 3, we do have an Azure Dedicated HSM feature.

    Hopefully this helps!

    Additional Link:
    FIPS 140-2

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.