0 Votes
ShivaDarshanLeverageAzure-3177 asked PaulGrusd-4101 commented

How to Import HSM-protected keys to Azure Key Vault

Hi Team,

We are trying to import HSM-protected keys to Azure Key Vault.
We could generate a KEK and download the KEK public key, and these are the supported HSMs: https://docs.microsoft.com/en-us/azure/key-vault/keys/hsm-protected-keys-byok#supported-hsms. But as mentioned there, I am not able to get any tool to generate an HSM key on premise. Can anyone guide us on how to proceed?


azure-key-vault

1 Answer

1 Vote
vipulsparsh-MSFT answered PaulGrusd-4101 commented

@ShivaDarshanLeverageAzure-3177 Thanks for reaching out.

The BYOK tools are developed and maintained by the manufacturers themselves and have to be downloaded from their websites. We have linked all the supported providers with their official links in the document that you have provided.

Taking Thales as an example, their BYOK tool can be found at: https://supportportal.thalesgroup.com/csm?id=kb_article_view&sys_kb_id=3892db6ddb8fc45005c9143b0b961987&sysparm_article=KB0021016

Similarly you will have to find the tool from your vendor's website. If you are having any issues finding it, let us know the vendor and we can help you further.



If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.


Hi

We ran into an issue because our Thales HSM is not part of the Lumina family. We are using a "Thales ProtectServer PCIe HSM 2" or a "Thales PayShield" (we have two HSMs).

Is it possible to update the BYOK Thales software to work with the other Thales HSMs?

We did a test run. The Thales HSM encrypts the target key (under the Azure RSA-HSM KEK) with the methods RSA_PKCS or RSA_X_509 and produces a txt file or a binary file. Is it possible to import these files into the Azure HSM? If not, is it possible to convert the files into the BYOK format?

Thanks,
Paul

0 Votes