Microsoft Azure Key Management Service

Introduction

Encryption keys in Azure can be controlled by the platform or the customer.

Encryption keys known as platform-managed keys (PMKs) are created, stored, and controlled exclusively by Azure; customers do not interact with them directly. For instance, PMKs are the default type of key used for Azure Data Encryption-at-Rest.

On the other hand, customer-managed keys (CMK) are those that one or more customers can read, create, delete, update, and/or administer. CMKs are keys that are kept in a hardware security module (HSM) or customer-owned key vault. A customer imports (brings) keys from an external storage location into an Azure key management service in a scenario known as "Bring Your Own Key" (BYOK) (see the Azure Key Vault: Bring your own key specification).

A "key encryption key" (KEK) is a specific type of customer-managed key. A KEK, also called a master encryption key, is used to encrypt one or more other encryption keys, which are therefore controlled by it.
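The KEK relationship described above, as an added example that is not Azure code and not part of the original article: a small Go program that envelope-encrypts a record with a per-object data encryption key (DEK), wraps that DEK under a KEK, and rotates the KEK by re-wrapping only the DEK. The Kek type with its NewKek, Wrap and Unwrap functions is a hypothetical stand-in for a vault's key-wrap and key-unwrap operations, Envelope, Encrypt, Decrypt and Rotate are assumed application-side helpers, AES-256-GCM stands in for whatever wrapping algorithm a real vault uses, and the sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// randomBytes draws n bytes from the OS CSPRNG and panics if the OS cannot supply them.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Kek stands in for a key encryption key held in a vault or HSM: callers only get Wrap and Unwrap.
type Kek struct {
	id  string
	key []byte // AES-256 key, assumed to have been generated inside the HSM; never leaves the struct
}

// NewKek is a hypothetical helper; a real KEK would be created by the vault itself.
func NewKek(id string) *Kek { return &Kek{id: id, key: randomBytes(32)} }
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce || AES-256-GCM ciphertext || tag, with aad authenticated but not encrypted.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any change to nonce, ciphertext or aad fails the tag check.
func openGCM(key, blob, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Wrap and Unwrap bind the KEK id as associated data, so a DEK wrapped under one KEK is rejected by another.
func (k *Kek) Wrap(dek []byte) ([]byte, error)       { return sealGCM(k.key, dek, []byte(k.id)) }
func (k *Kek) Unwrap(wrapped []byte) ([]byte, error) { return openGCM(k.key, wrapped, []byte(k.id)) }

// Envelope is what a service persists: ciphertext, wrapped DEK and the wrapping KEK's id; no plaintext keys.
type Envelope struct {
	KekID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt uses a fresh DEK per object; only the 32-byte DEK, never the bulk data, goes to the KEK.
func Encrypt(kek *Kek, plaintext []byte) (*Envelope, error) {
	dek := randomBytes(32)
	wrapped, err := kek.Wrap(dek)
	if err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{KekID: kek.id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the given KEK (fails if it is not the wrapping KEK), then decrypts locally.
func Decrypt(kek *Kek, env *Envelope) ([]byte, error) {
	dek, err := kek.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return openGCM(dek, env.Ciphertext, nil)
}

// Rotate re-wraps only the DEK under the next KEK; the ciphertext is untouched, so no re-encryption is needed.
func Rotate(current, next *Kek, env *Envelope) error {
	dek, err := current.Unwrap(env.WrappedDEK)
	if err != nil {
		return err
	}
	wrapped, err := next.Wrap(dek)
	if err != nil {
		return err
	}
	env.KekID, env.WrappedDEK = next.id, wrapped
	return nil
}
```

The point to take from the example is the shape of the stored record: the service keeps the ciphertext next to a wrapped DEK and a KEK identifier, never a plaintext key, so retiring or rotating the KEK means re-wrapping a 32-byte DEK rather than re-encrypting the data, and a DEK wrapped under one KEK cannot be unwrapped by another because the KEK id is authenticated as associated data.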

Keys maintained by the customer may be kept on-site or, more frequently, in the cloud.

Services for managing keys in Azure

Azure offers several choices, including Azure Key Vault, Azure Managed HSM, Dedicated HSM, and Payments HSM, for storing and managing your keys in the cloud. The degree of FIPS compliance, administrative burden, and intended applications of these options vary.

Azure Key Vault (Standard Tier)

A multi-tenant cloud key management service with FIPS 140-2 Level 1 validation that may also be used to store secrets and certificates. The keys kept in the Azure Key Vault are protected by software and can be used for both custom apps and encryption-at-rest. Key Vault offers the most regional deployments, Azure Service connections, and a contemporary API.

Azure Key Vault (Premium Tier)

A multi-tenant HSM with FIPS 140-2 Level 2 validation that may be used to store keys in a secure hardware boundary. The underlying HSM is managed and run by Microsoft, and keys kept in Azure Key Vault Premium can be utilized for both custom apps and encryption-at-rest. Additionally, Key Vault Premium offers the most regional deployments, Azure Service connectors, and a contemporary API.

Azure Managed HSM

A single-tenant HSM option that is FIPS 140-2 Level 3 validated and gives users complete control over an HSM for encryption-at-rest, Keyless SSL, and custom applications. Customers are given access to a pool of three HSM partitions, which together serve as a single logical, highly available HSM appliance. This pool is fronted by a service that exposes the cryptographic functionality via the Key Vault API. Because the service runs within Azure's Confidential Compute Infrastructure, Microsoft manages the provisioning, patching, maintenance, and hardware failover of the HSMs, but does not have access to the keys themselves. Managed HSM integrates with the Azure SQL, Azure Storage, and Azure Information Protection PaaS services, and supports Keyless TLS with F5 and Nginx.

Azure Dedicated HSM

A bare-metal HSM product, validated to FIPS 140-2 Level 3, that lets users rent a general-purpose HSM device housed in Microsoft data centers. The HSM device is fully owned by the customer, who is also in charge of patching and updating the firmware as needed. Dedicated HSM is not connected with any Azure PaaS services, and Microsoft has no access to the device or the key material. Users communicate with the HSM through the PKCS#11, JCE/JCA, and KSP/CNG APIs. This product is best suited for traditional lift-and-shift workloads, PKI, SSL offloading, Keyless TLS, OpenSSL apps, Oracle TDE, and Azure SQL TDE IaaS. Supported integrations include F5, Nginx, Apache, Palo Alto, and more.

Azure Payments HSM

Customers can lease a payment HSM appliance in Microsoft data centers for payment activities, such as payment processing, issuing payment credentials, securing keys and authentication data, and protecting sensitive data, using a FIPS 140-2 Level 3, PCI HSM v3 verified bare-metal solution. The service complies with PCI DSS and PCI 3DS standards. To give clients total administrative control and exclusive access to the HSM, Azure Payment HSM offers single-tenant HSMs. Microsoft has no access to client information once the HSM has been assigned to a customer. Likewise, to retain complete privacy and security, client data is zeroized and deleted when the HSM is no longer needed.

Pricing

The Azure Key Vault Standard and Premium tiers are billed on a transactional basis, with an additional monthly per-key fee for Premium hardware-backed keys. Managed HSM, Dedicated HSM, and Payments HSM do not charge on a transactional basis; instead, they are always-in-use devices that are billed at a fixed hourly cost. See the Key Vault pricing, Dedicated HSM pricing, and Payment HSM pricing for all pricing details.

Key Vault pricing

Keys and other secrets should be kept safe and under your control.

Azure customers may protect and manage cryptographic keys and other secrets used by cloud apps and services with the help of Azure Key Vault. Azure Key Vault offers two different kinds of containers:

  1. Vaults, for storing and managing certificates, secrets, cryptographic keys, and storage account keys.
  2. Managed HSM pools, for storing and managing HSM-backed cryptographic keys.

For more details, please see the link below:

https://azure.microsoft.com/en-us/pricing/details/key-vault/

Azure Dedicated HSM pricing

Control the hardware security components you utilize in the cloud.

Key management on a hardware security module that you manage in the cloud is possible with Azure Dedicated HSM. By employing a cloud-hosted HSM, you may comply with regulations like FIPS 140-2 Level 3 and contribute to the security of your keys. By running applications in your own hardware security module on Azure, you may significantly lower application latency and boost performance.

For more details, please see the link below:

https://azure.microsoft.com/en-us/pricing/details/azure-dedicated-hsm/

Azure Payment HSM pricing

Using a payment Hardware Security Module (HSM) service, you can make secure digital payments in the cloud.

With Azure Payment HSM, customers can manage cryptographic key operations for urgent real-time payment transactions on Azure. Customers who purchase the Payment HSM service are billed according to variables including the quantity of HSM resources, the performance level, and the timeframe. Billing is hourly, and the customer receives a monthly bill. Customers can change their performance level as needed to accommodate business requirements.

For more details, please see the link below:

https://azure.microsoft.com/en-us/pricing/details/payment-hsm/

Service Limits

Dedicated capacity is available from Managed HSM, Dedicated HSM, and Payments HSM. Throttling restrictions apply to Key Vault Standard and Premium, which are multi-tenant services. See Key Vault service limits for information on service caps.

Encryption-At-Rest

Because Azure Key Vault and Azure Managed HSM include connectors to Azure services and Microsoft 365 for customer-managed keys, customers can use their own keys held in these services for encryption-at-rest of data stored in those Azure services. Dedicated HSM and Payments HSM do not offer interfaces with Azure services because they are Infrastructure-as-a-Service solutions. See Azure Data Encryption-at-Rest for a summary of encryption-at-rest with Azure Key Vault and Managed HSM.

APIs

Dedicated HSM and Payments HSM support the PKCS#11, JCE/JCA, and KSP/CNG APIs, which Azure Key Vault and Managed HSM do not. Azure Key Vault and Managed HSM instead expose the Azure Key Vault REST API and provide SDK support.

Conclusion

Platform-managed keys (PMKs) are encryption keys that are generated, stored, and managed exclusively by Azure; customers do not interact with them directly. PMKs are the default type of key used for Azure Data Encryption-at-Rest.