Azure Managed HSM - Dedicated Hardware Security Module

Azure Managed HSM provides a single-tenant HSM for cryptographic key management with full customer control.

  • Pricing Model: Hourly per HSM pool
  • Availability: Selected Azure regions
  • Data Sovereignty: FIPS 140-2 Level 3 certified, EU regions available
  • Reliability: 99.9% SLA

What is Azure Managed HSM?

Azure Managed HSM is a fully managed, single-tenant Hardware Security Module service. Unlike Key Vault Premium, which shares HSM infrastructure across customers, Managed HSM provides dedicated HSM pools where only your organization has access to the cryptographic hardware.

The service is FIPS 140-2 Level 3 certified, meeting the highest security standards for key management. You control the HSM security domain, meaning Microsoft cannot access your keys even with physical access to the hardware.

Core Features

  • Single-tenant HSM: Dedicated hardware not shared with other customers
  • FIPS 140-2 Level 3: Highest certification for cryptographic modules
  • Customer-controlled security domain: Full control over key material
  • High availability: Built-in redundancy with multiple HSM instances
  • Same APIs as Key Vault: Compatible with existing applications

Typical Use Cases

Managed HSM is designed for organizations with strict regulatory requirements or those that need exclusive control over their cryptographic infrastructure. Common scenarios include financial services compliance, healthcare data protection, government security requirements, and enterprise key management for encryption at rest.

Benefits

  • No shared infrastructure with other tenants
  • Physical tamper protection and key zeroization
  • Bring Your Own Key with secure import
  • Same developer experience as Key Vault

Frequently Asked Questions

When should I use Managed HSM instead of Key Vault Premium?

Use Managed HSM when regulations require single-tenant HSM infrastructure, when you need FIPS 140-2 Level 3 (vs. Level 2 for Key Vault), or when you must control the HSM security domain.

What is the security domain?

The security domain is an encrypted blob that contains all HSM cryptographic material. You generate and hold the keys to this domain, ensuring that even Microsoft cannot access your keys. This enables disaster recovery and HSM cloning under your control.

How does pricing compare to Key Vault?

Managed HSM is billed hourly per HSM pool, which is significantly more expensive than Key Vault’s per-operation pricing. It is intended for high-security use cases that justify the cost.

Can I migrate from Key Vault to Managed HSM?

Yes. Keys can be exported from Key Vault Premium and imported into Managed HSM using secure key exchange protocols. The API compatibility means application changes are minimal.

Integration with innFactory

As a Microsoft Solutions Partner, innFactory helps you implement Azure Managed HSM: security domain design, key ceremony planning, and compliance documentation.

Typical Use Cases

  • Regulatory compliance (PCI-DSS, HIPAA)
  • Bring Your Own Key (BYOK)
  • Customer-managed encryption keys
  • High-security key ceremonies

Microsoft Solutions Partner

innFactory is a Microsoft Solutions Partner. We provide expert consulting, implementation, and managed services for Azure.
