How to generate and transfer HSM-protected keys for Azure Key Vault

Introduction

For added assurance, when you use Azure Key Vault, you can import or generate keys in hardware security modules (HSMs) that never leave the HSM boundary. This scenario is often referred to as bring your own key, or BYOK. The HSMs are FIPS 140-2 Level 2 validated. Azure Key Vault uses the Thales nShield family of HSMs to protect your keys.

Use the information in this topic to help you plan for, generate, and then transfer your own HSM-protected keys to use with Azure Key Vault.

This functionality is not available for Azure China.

Note

For more information about Azure Key Vault, see What is Azure Key Vault?

For a getting started tutorial, which includes creating a key vault for HSM-protected keys, see Get started with Azure Key Vault.

More information about generating and transferring an HSM-protected key over the Internet:

  • You generate the key from an offline workstation, which reduces the attack surface.
  • The key is encrypted with a Key Exchange Key (KEK), which stays encrypted until it is transferred to the Azure Key Vault HSMs. Only the encrypted version of your key leaves the original workstation.
  • The toolset sets properties on your tenant key that bind your key to the Azure Key Vault security world. So after the Azure Key Vault HSMs receive and decrypt your key, only these HSMs can use it. Your key cannot be exported. This binding is enforced by the Thales HSMs.
  • The Key Exchange Key (KEK) that is used to encrypt your key is generated inside the Azure Key Vault HSMs and is not exportable. The HSMs enforce that there can be no clear version of the KEK outside the HSMs. In addition, the toolset includes attestation from Thales that the KEK is not exportable and was generated inside a genuine HSM that was manufactured by Thales.
  • The toolset includes attestation from Thales that the Azure Key Vault security world was also generated on a genuine HSM manufactured by Thales. This attestation proves to you that Microsoft is using genuine hardware.
  • Microsoft uses separate KEKs and separate Security Worlds in each geographical region. This separation ensures that your key can be used only in data centers in the region in which you encrypted it. For example, a key from a European customer cannot be used in data centers in North America or Asia.

More information about Thales HSMs and Microsoft services

Thales e-Security is a leading global provider of data encryption and cyber security solutions to the financial services, high technology, manufacturing, government, and technology sectors. With a 40-year track record of protecting corporate and government information, Thales solutions are used by four of the five largest energy and aerospace companies. Their solutions are also used by 22 NATO countries, and secure more than 80 per cent of worldwide payment transactions.

Microsoft has collaborated with Thales to enhance the state of the art for HSMs. These enhancements enable you to get the typical benefits of hosted services without relinquishing control over your keys. Specifically, these enhancements let Microsoft manage the HSMs so that you do not have to. As a cloud service, Azure Key Vault scales up at short notice to meet your organization’s usage spikes. At the same time, your key is protected inside Microsoft’s HSMs: you retain control over the key lifecycle because you generate the key and transfer it to Microsoft’s HSMs.

Implementing bring your own key (BYOK) for Azure Key Vault

Use the following information and procedures if you will generate your own HSM-protected key and then transfer it to Azure Key Vault—the bring your own key (BYOK) scenario.

Prerequisites for BYOK

The following list gives the prerequisites for bring your own key (BYOK) for Azure Key Vault.

Requirement: A subscription to Azure
More information: To create an Azure Key Vault, you need an Azure subscription: Sign up for free trial

Requirement: The Azure Key Vault Premium service tier to support HSM-protected keys
More information: For more information about the service tiers and capabilities for Azure Key Vault, see the Azure Key Vault Pricing website.

Requirement: Thales HSM, smartcards, and support software
More information: You must have access to a Thales Hardware Security Module and basic operational knowledge of Thales HSMs. See Thales Hardware Security Module for the list of compatible models, or to purchase an HSM if you do not have one.

Requirement: The following hardware and software:
  1. An offline x64 workstation with a minimum Windows operating system of Windows 7 and Thales nShield software that is at least version 11.50.

    If this workstation runs Windows 7, you must install Microsoft .NET Framework 4.5.
  2. A workstation that is connected to the Internet and has a minimum Windows operating system of Windows 7 and Azure PowerShell minimum version 1.1.0 installed.
  3. A USB drive or other portable storage device that has at least 16 MB free space.
For security reasons, we recommend that the first workstation is not connected to a network. However, this recommendation is not programmatically enforced.

Note that in the instructions that follow, this workstation is referred to as the disconnected workstation.


In addition, if your tenant key is for a production network, we recommend that you use a second, separate workstation to download the toolset and upload the tenant key. But for testing purposes, you can use the same workstation as the first one.

Note that in the instructions that follow, this second workstation is referred to as the Internet-connected workstation.


Generate and transfer your key to Azure Key Vault HSM

You will use the following five steps to generate and transfer your key to an Azure Key Vault HSM:

Step 1: Prepare your Internet-connected workstation

For this first step, do the following procedures on your workstation that is connected to the Internet.

Step 1.1: Install Azure PowerShell

From the Internet-connected workstation, download and install the Azure PowerShell module that includes the cmdlets to manage Azure Key Vault. This requires a minimum version of 0.8.13.

For installation instructions, see How to install and configure Azure PowerShell.

Step 1.2: Get your Azure subscription ID

Start an Azure PowerShell session and sign in to your Azure account by using the following command:

    Add-AzureAccount

In the pop-up browser window, enter your Azure account user name and password. Then, use the Get-AzureSubscription command:

    Get-AzureSubscription

From the output, locate the ID for the subscription you will use for Azure Key Vault. You will need this subscription ID later.

Do not close the Azure PowerShell window.

Step 1.3: Download the BYOK toolset for Azure Key Vault

Go to the Microsoft Download Center and download the Azure Key Vault BYOK toolset for your geographic region or instance of Azure. Use the following list to identify the package name to download and its corresponding SHA-256 package hash:

  • United States: KeyVault-BYOK-Tools-UnitedStates.zip
    SHA-256: 760EE9BD6445C87CFF0E8B032577118704B3BEAA045AA55977C10EF68BC67E2B
  • Europe: KeyVault-BYOK-Tools-Europe.zip
    SHA-256: 7A64B94225F59B847C5C27C2200BAD7D16C901E1687767EDBBB8B09BB285011D
  • Asia: KeyVault-BYOK-Tools-AsiaPacific.zip
    SHA-256: 813DC94B23079CF7A5CEA71D5B444E86B292F463C53EE47AED25D4F7CD58E7D8
  • Latin America: KeyVault-BYOK-Tools-LatinAmerica.zip
    SHA-256: 3F29069E3500F95C0E156F4B8914E1DC60C20FB64B464306A299EA5145D755C0
  • Japan: KeyVault-BYOK-Tools-Japan.zip
    SHA-256: 453FFEA2F8F410720B68B8BAC4CF79135A7F37F4E491FF840BE9E69E88A98C90
  • Korea: KeyVault-BYOK-Tools-Korea.zip
    SHA-256: C17B7E93224DA80F5668E09CF7DAE2F92527E8226179995BBE2E43DA4323595A
  • Australia: KeyVault-BYOK-Tools-Australia.zip
    SHA-256: 4AD893396E86F2D2A71682876A6A8EA59E3C7895BEAD2F7E7C8516682582C34B
  • Azure Government: KeyVault-BYOK-Tools-USGovCloud.zip
    SHA-256: 3AAE1A96B9D15B899B8126CFC0380719EB54FDF2EA94489B43FAD21ECC745F64
  • US Government DOD: KeyVault-BYOK-Tools-USGovernmentDoD.zip
    SHA-256: A61E78297B0732DF2682FDE63D7B572CE4D23B0BC27CC48AFF620BD060BB9E9D
  • Canada: KeyVault-BYOK-Tools-Canada.zip
    SHA-256: 30B87A0BA8208F6B7241C30C794FED1C370D7445ACA179685816E4E156CD2AF7
  • Germany: KeyVault-BYOK-Tools-Germany.zip
    SHA-256: 5E3E4AA54715E4F93C3C145035B18275B7C6815A06D7ABB212E7FADBF2929261
  • India: KeyVault-BYOK-Tools-India.zip
    SHA-256: 136733A6C6A71D75571BB80819B3D55A9B83CCAD5C996C686BC5682A3F369BF7
  • United Kingdom: KeyVault-BYOK-Tools-UnitedKingdom.zip
    SHA-256: ED331A6F1D34A402317D3F27D5396046AF0E5C2D44B5D10CCCE293472942D268

To validate the integrity of your downloaded BYOK toolset, from your Azure PowerShell session, use the Get-FileHash cmdlet and compare the reported hash with the value listed for your package:

    Get-FileHash KeyVault-BYOK-Tools-*.zip
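The following PowerShell script is an added example, not part of the article or of the BYOK toolset. It compares a downloaded package with the SHA-256 values listed in Step 1.3 and stops with an error on any mismatch, so that an altered or wrong-region package never reaches the disconnected workstation. It assumes the .zip is in the current folder and that Get-FileHash is available (PowerShell 4.0 or later).

```powershell
# Added example: verify a downloaded BYOK toolset against the SHA-256 values
# published in Step 1.3. Not part of the toolset. Assumes the .zip is in the
# current folder and that Get-FileHash (PowerShell 4.0 or later) is available.
$ExpectedHashes = @{
    'KeyVault-BYOK-Tools-UnitedStates.zip'    = '760EE9BD6445C87CFF0E8B032577118704B3BEAA045AA55977C10EF68BC67E2B'
    'KeyVault-BYOK-Tools-Europe.zip'          = '7A64B94225F59B847C5C27C2200BAD7D16C901E1687767EDBBB8B09BB285011D'
    'KeyVault-BYOK-Tools-AsiaPacific.zip'     = '813DC94B23079CF7A5CEA71D5B444E86B292F463C53EE47AED25D4F7CD58E7D8'
    'KeyVault-BYOK-Tools-LatinAmerica.zip'    = '3F29069E3500F95C0E156F4B8914E1DC60C20FB64B464306A299EA5145D755C0'
    'KeyVault-BYOK-Tools-Japan.zip'           = '453FFEA2F8F410720B68B8BAC4CF79135A7F37F4E491FF840BE9E69E88A98C90'
    'KeyVault-BYOK-Tools-Korea.zip'           = 'C17B7E93224DA80F5668E09CF7DAE2F92527E8226179995BBE2E43DA4323595A'
    'KeyVault-BYOK-Tools-Australia.zip'       = '4AD893396E86F2D2A71682876A6A8EA59E3C7895BEAD2F7E7C8516682582C34B'
    'KeyVault-BYOK-Tools-USGovCloud.zip'      = '3AAE1A96B9D15B899B8126CFC0380719EB54FDF2EA94489B43FAD21ECC745F64'
    'KeyVault-BYOK-Tools-USGovernmentDoD.zip' = 'A61E78297B0732DF2682FDE63D7B572CE4D23B0BC27CC48AFF620BD060BB9E9D'
    'KeyVault-BYOK-Tools-Canada.zip'          = '30B87A0BA8208F6B7241C30C794FED1C370D7445ACA179685816E4E156CD2AF7'
    'KeyVault-BYOK-Tools-Germany.zip'         = '5E3E4AA54715E4F93C3C145035B18275B7C6815A06D7ABB212E7FADBF2929261'
    'KeyVault-BYOK-Tools-India.zip'           = '136733A6C6A71D75571BB80819B3D55A9B83CCAD5C996C686BC5682A3F369BF7'
    'KeyVault-BYOK-Tools-UnitedKingdom.zip'   = 'ED331A6F1D34A402317D3F27D5396046AF0E5C2D44B5D10CCCE293472942D268'
}

function Test-ByokToolsetHash {
    param([Parameter(Mandatory=$true)][string]$Path)

    # The published hash is looked up by the package file name, so a package
    # renamed to another region's name is caught as a mismatch, not accepted.
    $name = Split-Path -Path $Path -Leaf
    if (-not $ExpectedHashes.ContainsKey($name)) {
        throw "No published hash for '$name'. Check the package name against the list in Step 1.3."
    }

    $expected = $ExpectedHashes[$name]
    $actual   = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # -ne compares strings case-insensitively, so the hex case does not matter.
    if ($actual -ne $expected) {
        throw "SHA-256 mismatch for '$name'.`n  expected: $expected`n  actual:   $actual`nDo not copy this package to the disconnected workstation."
    }
    Write-Output "OK: $name matches the published SHA-256 ($actual)."
}

# Check every toolset package in the current folder (normally just one).
Get-ChildItem -Path . -Filter 'KeyVault-BYOK-Tools-*.zip' | ForEach-Object {
    Test-ByokToolsetHash -Path $_.FullName
}
```

Run it in the same Azure PowerShell session from the folder that holds the download; any error means the package must be downloaded again before you continue with Step 2.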

The toolset includes the following:

  • A Key Exchange Key (KEK) package that has a name beginning with BYOK-KEK-pkg-.
  • A Security World package that has a name beginning with BYOK-SecurityWorld-pkg-.
  • A python script named verifykeypackage.py.
  • A command-line executable file named KeyTransferRemote.exe and associated DLLs.
  • A Visual C++ Redistributable Package, named vcredist_x64.exe.

Copy the package to a USB drive or other portable storage.

Step 2: Prepare your disconnected workstation

For this second step, do the following procedures on the workstation that is not connected to a network (either the Internet or your internal network).

Step 2.1: Prepare the disconnected workstation with Thales HSM

Install the nCipher (Thales) support software on a Windows computer, and then attach a Thales HSM to that computer.

Ensure that the Thales tools are in your path (%nfast_home%\bin). For example, type the following:

    set PATH=%PATH%;"%nfast_home%\bin"

For more information, see the user guide included with the Thales HSM.

Step 2.2: Install the BYOK toolset on the disconnected workstation

Copy the BYOK toolset package from the USB drive or other portable storage, and then do the following:

  1. Extract the files from the downloaded package into any folder.
  2. From that folder, run vcredist_x64.exe.
  3. Follow the instructions to install the Visual C++ runtime components for Visual Studio 2013.

Step 3: Generate your key

For this third step, do the following procedures on the disconnected workstation. To complete this step your HSM must be in initialization mode.

Step 3.1: Change the HSM mode to 'I'

If you are using Thales nShield Edge, change the mode as follows:

  1. Use the Mode button to highlight the required mode.
  2. Within a few seconds, press and hold the Clear button for a couple of seconds.

If the mode changes, the new mode’s LED stops flashing and remains lit. The Status LED might flash irregularly for a few seconds and then flashes regularly when the device is ready. Otherwise, the device remains in the current mode, with the appropriate mode LED lit.

Step 3.2: Create a security world

Start a command prompt and run the Thales new-world program.

    new-world.exe --initialize --cipher-suite=DLf1024s160mRijndael --module=1 --acs-quorum=2/3

This program creates a Security World file at %NFAST_KMDATA%\local\world, which corresponds to the C:\ProgramData\nCipher\Key Management Data\local folder. You can use different values for the quorum, but with the values in this example you are prompted to insert three blank cards and to enter a PIN for each one. Then, any two of the three cards give full access to the security world. These cards become the Administrator Card Set for the new security world.

Then do the following:

  • Back up the world file. Secure and protect the world file, the Administrator Cards, and their PINs, and make sure that no single person has access to more than one card.

Step 3.3: Change the HSM mode to 'O'

If you are using Thales nShield Edge, change the mode as follows:

  1. Use the Mode button to highlight the required mode.
  2. Within a few seconds, press and hold the Clear button for a couple of seconds.

If the mode changes, the new mode’s LED stops flashing and remains lit. The Status LED might flash irregularly for a few seconds and then flashes regularly when the device is ready. Otherwise, the device remains in the current mode, with the appropriate mode LED lit.

Step 3.4: Validate the downloaded package

This step is optional but recommended so that you can validate the following:

  • The Key Exchange Key that is included in the toolset has been generated from a genuine Thales HSM.
  • The hash of the Security World that is included in the toolset has been generated in a genuine Thales HSM.
  • The Key Exchange Key is non-exportable.

Note

To validate the downloaded package, the HSM must be connected, powered on, and must have a security world on it (such as the one you’ve just created).

To validate the downloaded package:

  1. Run the verifykeypackage.py script by typing one of the following, depending on your geographic region or instance of Azure:

    • For North America:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-NA-1 -w BYOK-SecurityWorld-pkg-NA-1
      
    • For Europe:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-EU-1 -w BYOK-SecurityWorld-pkg-EU-1
      
    • For Asia:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-AP-1 -w BYOK-SecurityWorld-pkg-AP-1
      
    • For Latin America:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-LATAM-1 -w BYOK-SecurityWorld-pkg-LATAM-1
      
    • For Japan:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-JPN-1 -w BYOK-SecurityWorld-pkg-JPN-1
      
    • For Korea:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-KOREA-1 -w BYOK-SecurityWorld-pkg-KOREA-1
      
    • For Australia:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-AUS-1 -w BYOK-SecurityWorld-pkg-AUS-1
      
    • For Azure Government, which uses the US government instance of Azure:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-USGOV-1 -w BYOK-SecurityWorld-pkg-USGOV-1
      
    • For US Government DOD:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-USDOD-1 -w BYOK-SecurityWorld-pkg-USDOD-1
      
    • For Canada:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-CANADA-1 -w BYOK-SecurityWorld-pkg-CANADA-1
      
    • For Germany:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-GERMANY-1 -w BYOK-SecurityWorld-pkg-GERMANY-1
      
    • For India:

      "%nfast_home%\python\bin\python" verifykeypackage.py -k BYOK-KEK-pkg-INDIA-1 -w BYOK-SecurityWorld-pkg-INDIA-1

    Tip

    The Thales software includes python at %NFAST_HOME%\python\bin

  2. Confirm that you see the following, which indicates successful validation: Result: SUCCESS

This script validates the signer chain up to the Thales root key. The hash of this root key is embedded in the script and its value should be 59178a47 de508c3f 291277ee 184f46c4 f1d9c639. You can also confirm this value separately by visiting the Thales website.

You’re now ready to create a new key.

Step 3.5: Create a new key

Generate a key by using the Thales generatekey program.

Run the following command to generate the key:

    generatekey --generate simple type=RSA size=2048 protect=module ident=contosokey plainname=contosokey nvram=no pubexp=

When you run this command, use these instructions:

  • The parameter protect must be set to the value module, as shown. This creates a module-protected key. The BYOK toolset does not support OCS-protected keys.
  • Replace contosokey in the ident and plainname values with a string of your choice. To minimize administrative overhead and reduce the risk of errors, we recommend that you use the same value for both. The ident value must contain only numbers, dashes, and lower case letters.
  • The pubexp value is left blank (the default) in this example, but you can specify a value. For more information, see the Thales documentation.

This command creates a Tokenized Key file in your %NFAST_KMDATA%\local folder with a name starting with key_simple_, followed by the ident that was specified in the command. For example: key_simple_contosokey. This file contains an encrypted key.

Back up this Tokenized Key File in a safe location.

Important

When you later transfer your key to Azure Key Vault, Microsoft cannot export this key back to you, so it is extremely important that you back up your key and security world safely. Contact Thales for guidance and best practices for backing up your key.

You are now ready to transfer your key to Azure Key Vault.

Step 4: Prepare your key for transfer

For this fourth step, do the following procedures on the disconnected workstation.

Step 4.1: Create a copy of your key with reduced permissions

Open a new command prompt and change the current directory to the location where you unzipped the BYOK zip file. To reduce the permissions on your key, from a command prompt, run one of the following, depending on your geographic region or instance of Azure:

  • For North America:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-NA-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-NA-1
    
  • For Europe:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-EU-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-EU-1
    
  • For Asia:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-AP-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-AP-1
    
  • For Latin America:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-LATAM-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-LATAM-1
    
  • For Japan:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-JPN-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-JPN-1
    
  • For Korea:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-KOREA-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-KOREA-1
    
  • For Australia:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-AUS-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-AUS-1
    
  • For Azure Government, which uses the US government instance of Azure:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-USGOV-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-USGOV-1
    
  • For US Government DOD:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-USDOD-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-USDOD-1
    
  • For Canada:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-CANADA-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-CANADA-1
    
  • For Germany:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-GERMANY-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-GERMANY-1
    
  • For India:

      KeyTransferRemote.exe -ModifyAcls -KeyAppName simple -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-INDIA-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-INDIA-1
    

When you run this command, replace contosokey with the same value you specified in Step 3.5: Create a new key from the Generate your key step.

You are asked to insert your security world Administrator Cards.

When the command completes, you see Result: SUCCESS, and the copy of your key with reduced permissions is in a file whose name starts with key_xferacld_, followed by your key identifier (for example, key_xferacld_contosokey).

You can inspect the ACLs of this copy by using the following Thales utilities:

  • aclprint.py:

      "%nfast_home%\bin\preload.exe" -m 1 -A xferacld -K contosokey "%nfast_home%\python\bin\python" "%nfast_home%\python\examples\aclprint.py"

  • kmfile-dump.exe:

      "%nfast_home%\bin\kmfile-dump.exe" "%NFAST_KMDATA%\local\key_xferacld_contosokey"

When you run these commands, replace contosokey with the same value you specified in Step 3.5: Create a new key from the Generate your key step.

Step 4.2: Encrypt your key by using Microsoft’s Key Exchange Key

Run one of the following commands, depending on your geographic region or instance of Azure:

  • For North America:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-NA-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-NA-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For Europe:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-EU-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-EU-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For Asia:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-AP-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-AP-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For Latin America:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-LATAM-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-LATAM-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For Japan:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-JPN-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-JPN-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For Korea:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-KOREA-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-KOREA-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For Australia:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-AUS-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-AUS-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For Azure Government, which uses the US government instance of Azure:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-USGOV-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-USGOV-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For US Government DOD:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-USDOD-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-USDOD-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For Canada:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-CANADA-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-CANADA-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For Germany:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-GERMANY-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-GERMANY-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    
  • For India:

      KeyTransferRemote.exe -Package -KeyIdentifier contosokey -ExchangeKeyPackage BYOK-KEK-pkg-INDIA-1 -NewSecurityWorldPackage BYOK-SecurityWorld-pkg-INDIA-1 -SubscriptionId SubscriptionID -KeyFriendlyName ContosoFirstHSMkey
    

When you run this command, use these instructions:

  • Replace contosokey with the identifier that you used to generate the key in Step 3.5: Create a new key from the Generate your key step.
  • Replace SubscriptionID with the ID of the Azure subscription that contains your key vault. You retrieved this value previously, in Step 1.2: Get your Azure subscription ID from the Prepare your Internet-connected workstation step.
  • Replace ContosoFirstHSMkey with a label that is used for your output file name.

When this completes successfully, it displays Result: SUCCESS and there is a new file in the current folder that has the following name: KeyTransferPackage-ContosoFirstHSMkey.byok
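The following PowerShell script is an added example, not part of the article or of the BYOK toolset. It drives Steps 4.1 and 4.2 from one place: it checks the key identifier against the rule from Step 3.5, derives the regional package names from a region code, and stops at the first KeyTransferRemote.exe run that does not report Result: SUCCESS or does not produce the expected file. It assumes you run it on the disconnected workstation from the folder that contains the extracted toolset, that the Thales tools are in PATH, and that KeyTransferRemote.exe writes its Result line to standard output; the script file name New-ByokTransferPackage.ps1 is an assumption.

```powershell
# Added example (not part of the toolset): run Steps 4.1 and 4.2 with checks.
# Assumes: current folder holds the extracted toolset, Thales tools are in PATH,
# and KeyTransferRemote.exe prints "Result: SUCCESS" on standard output.
param(
    [Parameter(Mandatory=$true)][string]$Region,          # e.g. 'EU'
    [Parameter(Mandatory=$true)][string]$KeyIdentifier,   # the ident from Step 3.5
    [Parameter(Mandatory=$true)][string]$SubscriptionId,  # from Step 1.2
    [Parameter(Mandatory=$true)][string]$KeyFriendlyName  # label for the .byok file
)

# Region codes used in the package names listed in Steps 3.4, 4.1 and 4.2.
$Regions = 'NA','EU','AP','LATAM','JPN','KOREA','AUS','USGOV','USDOD','CANADA','GERMANY','INDIA'
if ($Regions -notcontains $Region) {
    throw "Unknown region '$Region'. Use one of: $($Regions -join ', ')"
}

# Step 3.5 requires the ident to contain only numbers, dashes and lower case letters.
if ($KeyIdentifier -notmatch '^[a-z0-9-]+$') {
    throw "Key identifier '$KeyIdentifier' must contain only lower case letters, digits and dashes."
}

$kekPackage   = "BYOK-KEK-pkg-$Region-1"
$worldPackage = "BYOK-SecurityWorld-pkg-$Region-1"
foreach ($pkg in $kekPackage, $worldPackage) {
    if (-not (Test-Path -LiteralPath $pkg)) {
        throw "Package '$pkg' not found in $PWD. Extract the toolset here first (Step 2.2)."
    }
}

# Runs KeyTransferRemote.exe and fails unless its output reports Result: SUCCESS.
function Invoke-KeyTransferStep {
    param([string]$Label, [string[]]$Arguments)
    Write-Host "== $Label =="
    $output = & .\KeyTransferRemote.exe @Arguments 2>&1 | Out-String
    Write-Host $output
    if ($output -notmatch 'Result:\s*SUCCESS') {
        throw "$Label did not report Result: SUCCESS (exit code $LASTEXITCODE). Stopping."
    }
}

# Step 4.1: copy of the key with reduced permissions (key_xferacld_<ident>).
# You are prompted for the Administrator Cards of your security world.
Invoke-KeyTransferStep -Label 'Step 4.1 ModifyAcls' -Arguments @(
    '-ModifyAcls', '-KeyAppName', 'simple', '-KeyIdentifier', $KeyIdentifier,
    '-ExchangeKeyPackage', $kekPackage, '-NewSecurityWorldPackage', $worldPackage
)

$aclCopy = Join-Path $env:NFAST_KMDATA "local\key_xferacld_$KeyIdentifier"
if (-not (Test-Path -LiteralPath $aclCopy)) {
    throw "Expected reduced-permission key file '$aclCopy' was not created."
}

# Step 4.2: wrap the key with the regional Key Exchange Key.
Invoke-KeyTransferStep -Label 'Step 4.2 Package' -Arguments @(
    '-Package', '-KeyIdentifier', $KeyIdentifier,
    '-ExchangeKeyPackage', $kekPackage, '-NewSecurityWorldPackage', $worldPackage,
    '-SubscriptionId', $SubscriptionId, '-KeyFriendlyName', $KeyFriendlyName
)

$byok = "KeyTransferPackage-$KeyFriendlyName.byok"
if (-not (Test-Path -LiteralPath $byok)) {
    throw "Expected transfer package '$byok' was not created."
}
Write-Host "Transfer package ready: $(Resolve-Path $byok)"
Write-Host "Copy only this file to the Internet-connected workstation (Step 4.3)."
```

Example invocation from the toolset folder: .\New-ByokTransferPackage.ps1 -Region EU -KeyIdentifier contosokey -SubscriptionId <your subscription ID> -KeyFriendlyName ContosoFirstHSMkey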

Step 4.3: Copy your key transfer package to the Internet-connected workstation

Use a USB drive or other portable storage to copy the output file from the previous step (KeyTransferPackage-ContosoFirstHSMkey.byok) to your Internet-connected workstation.

Step 5: Transfer your key to Azure Key Vault

For this final step, on the Internet-connected workstation, use the Add-AzureKeyVaultKey cmdlet to upload the key transfer package that you copied from the disconnected workstation to the Azure Key Vault HSM:

    Add-AzureKeyVaultKey -VaultName 'ContosoKeyVaultHSM' -Name 'ContosoFirstHSMkey' -KeyFilePath 'c:\KeyTransferPackage-ContosoFirstHSMkey.byok' -Destination 'HSM'

If the upload is successful, the properties of the key that you just added are displayed.

Next steps

You can now use this HSM-protected key in your key vault. For more information, see the If you want to use a hardware security module (HSM) section in the Getting started with Azure Key Vault tutorial.