Azure Key Vault FIPS 140-2 Level 2 proof

Michael Hathaway 21 Reputation points
2021-10-12T16:35:39.483+00:00

Hello Everyone,

I am looking to use Key Vault for a public trust environment and need to prove to an auditor that I am using the FIPS 140-2 Level 2 Azure Key Vault. They are not willing to accept the billing or product details and need to see a PowerShell output that proves the key vault is operating in FIPS mode and to the right level. Commercial HSM products from Thales Luna and Entrust nShield offer this off the shelf; how is this achieved with Azure Key Vault, please?

Thanks in advance.

Michael


3 answers

  1. JamesTran-MSFT 36,361 Reputation points Microsoft Employee
    2021-10-12T22:31:05.577+00:00

    @Michael Hathaway
    Thank you for your post!

    I don't believe there are any Az.KeyVault PowerShell commands that display the FIPS 140-2 Level 2 output. However, I did find some documentation that mentions Azure Key Vault uses nCipher HSMs, which are Federal Information Processing Standards (FIPS) 140-2 Level 2 validated...

    For more info:
    Securely store secrets and keys
    Key Vault roles

    I've also reached out to our Azure Key Vault SMEs to see if there are any other ways we can see this information and will update as soon as possible.

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


  2. JamesTran-MSFT 36,361 Reputation points Microsoft Employee
    2021-10-18T21:51:26.407+00:00

    @Michael Hathaway
    Thank you for your time and patience!

    KV team update: Compliance
    [screenshot: 141486-image.png]
    As you can see from the screenshot and within our About keys documentation, software-protected keys are FIPS 140-2 Level 1 protected and hardware-protected keys are FIPS 140-2 Level 2.

    Software protected keys:
    RSA and EC

    Hardware-protected keys:
    RSA-HSM and EC-HSM (notice they have the '-HSM' identifier)

    When creating your keys within a Standard vault, you'll notice that the only available options are RSA and EC. However, if you do this in a Premium KV, you'll see two more options (hardware-protected keys): RSA-HSM and EC-HSM.
    [screenshot: 141495-image.png]

    Within the portal you can click on the key and select its version to see the key type of EC or RSA (software keys), or RSA-HSM/EC-HSM (hardware keys). You will see the same information displayed in PS/CLI when you run the get key commands.
    [screenshot: 141469-image.png]

    The HSMs used for our hardware-protected keys use these certificates and you can see the FIPS compliance level from there. The HSM model is Thales nShield Solo F2 6000+. The corresponding NIST certificates are as follows: Certificate #2643 & Certificate #2121.

    As of right now, there's no specific command or REST API that specifically displays the FIPS 140-2 Level 2 output.

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

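The answer above says the PowerShell get-key cmdlets expose the same RSA/EC versus RSA-HSM/EC-HSM key type that the portal shows. The following script, added here as an example and not code from the thread or from Microsoft, turns that into an auditor-facing report: it reads the vault SKU, enumerates every key, reads each key's JWK `kty`, and flags any key that is not HSM-protected. It assumes the Az.KeyVault module, an authenticated session (`Connect-AzAccount`), and the property names `Sku` on the vault object and `Key.Kty` on the key object; the vault name is a placeholder you supply.

```powershell
# Added example (not from the thread): report the protection class of every key in
# an Azure Key Vault, based on the key types described in the answer above.
# Assumes Az.KeyVault is installed and Connect-AzAccount has already been run.
param(
    [Parameter(Mandatory = $true)]
    [string]$VaultName   # placeholder: the vault you are auditing
)

# Vault SKU first: only a Premium vault can hold HSM-protected keys.
$vault = Get-AzKeyVault -VaultName $VaultName
if (-not $vault) { throw "Vault '$VaultName' not found or not accessible." }
$sku = $vault.Sku   # 'Standard' or 'Premium' (property name assumed per Az.KeyVault output)

$report = foreach ($item in Get-AzKeyVaultKey -VaultName $VaultName) {
    # The list call returns identity items; fetch the full key to read the JWK 'kty'.
    $key = Get-AzKeyVaultKey -VaultName $VaultName -Name $item.Name
    $kty = $key.Key.Kty    # expected values: 'RSA', 'EC', 'RSA-HSM', 'EC-HSM'
    [pscustomobject]@{
        Vault      = $VaultName
        Sku        = $sku
        Key        = $item.Name
        Version    = $key.Version
        KeyType    = $kty
        Protection = if ($kty -like '*-HSM') { 'Hardware (HSM)' } else { 'Software' }
    }
}

# Table output is what you hand to the auditor alongside the NIST certificate numbers.
$report | Format-Table -AutoSize

# Anything software-protected (RSA/EC) is not covered by the HSM's FIPS 140-2 Level 2 validation.
$soft = @($report | Where-Object Protection -eq 'Software')
if ($soft.Count -gt 0) {
    Write-Warning ("{0} key(s) are software-protected, not HSM-protected: {1}" -f `
        $soft.Count, ($soft.Key -join ', '))
}
if ($sku -ne 'Premium') {
    Write-Warning "Vault SKU is '$sku'; HSM-protected keys require the Premium SKU."
}
```

Run it as `.\Get-KeyVaultProtectionReport.ps1 -VaultName <your-vault>` (script name is arbitrary). Note that, as both Microsoft replies state, this only shows which keys are of an HSM-backed type; it is not an attestation from the HSM itself, so the evidence package is this output plus the NIST CMVP certificates for the HSM models Microsoft documents.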

  3. Fabian Gonzalez 501 Reputation points Microsoft Employee
    2023-03-02T21:29:02.8033333+00:00

    @Michael Hathaway Key Vault service uses a mix of Thales nShield F2 6000+ and Marvell LiquidSecurity HSM cards in the backend for HSM functionality. They are FIPS 140-2 Level 2 or greater validated. The relevant NIST certificates are here (Cryptographic Module Validation Program | CSRC (nist.gov)) and here (Cryptographic Module Validation Program | CSRC (nist.gov)).

    This certificate is for the current generation of hardware/firmware. Microsoft regularly upgrades the hardware and firmware behind Azure Key Vault. It may change in future.

    It's important to mention that there is no direct access to the HSMs in Azure Key Vault Premium or Azure Key Vault Managed HSM today. We do document the HSMs we're using and their FIPS certificates as shared above; however, providing some kind of attestation from the HSM protecting keys in AKV Premium and MHSM is something we are considering in the future but not at the moment.
