Table of Contents
Managed HSM Key auto-rotation is generally available
First the happy news! Key auto-rotation is also generally available for Managed HSM! Earlier this year it came to Key Vault already!
Read more here about the Key vault auto-rotation feature and how to enable it with system-managed identities.
But if you don’t want remove it completely, read forward, it will make your day, I promise.
Because the community is mostly made out of IT Pro’s who do consulting for customer. There could be a need to test Managed HSM for a client or just for fun (Yes, some people do it also for fun)
It’s easy to provision but hard to remove once it takes all the credits from your subscriptions. And the local currency piles up quickly, really quickly, even if you don’t use it.
What is Managed HSM?
Each HSM pool is an isolated single-tenant instance with its own security domain providing complete cryptographic isolation from all other HSM’s sharing the same hardware infrastructure.
Managed HSM uses Marvell LiquidSecurity adapters. So yes, you got it right. It is a Shared physical device and there is separate physical cards that hosts your content.
It has the following data-plane address.
|Resource type||Key protection methods||Data-plane endpoint base URL|
There are three different FIPS levels, and they are based on The Federal Information Security Management Act (FISMA), which was established as standards and guidelines for federal computer systems by the National Institute of Standards and Technology (NIST) and approved by the Secretary of Commerce. These standards and guidelines are developed when there are no existing industry standards or solutions that meet a certain regulatory requirement. FIPS were developed for use by the federal government, although many firms voluntarily adopt them. Managed HSM has the hightest FIPS Level of 3.
You will use it almost like normal Key vault, once you have it provisioned you will see Managed HSM in the service that you plan to use the Keys. You can generate the keys with AZ CLI or with the GUI like below.
Why to use it?
Regulations and compliance based on our industry is one of the biggest reasons. Content has to encrypted with your own keys, that you generate and hold. With HSM you have the root of trust but also the responsibility to backup your infrastructure and content.
See some excellent examples from Azure Architecture Center for HSM deployments.
Availability and pricing
Here you can find the availability
And pricing per B1 pool is 3,323€ per hour and for the keys.
|RSA 2048-bit keys||€1.039 per key per month1 + €0.032/10,000 transactions|
|Advanced key types1—||First 250 keys||€5.192 per key per month|
|From 251 – 1500 keys||€2.596 per key per month|
|RSA 3072-bit, RSA 4096-bit, and Elliptic-Curve Cryptography (ECC) keys||From 1501 – 4000 keys||€0.935 per key per month|
|4001+ keys||€0.416 per key per month|
|+ €0.156/10,000 transactions|
If you are thinking about the Keys length, RSA-3072 is a safe choice to go with as it’s the highest than can be used in all of the Azure services. Don’t get me wrong, by best practices you should generate different keys for different purposes but not all Azure service support over 3072-bit keys.
How to provision?
You don’t find Managed HSM inside Azure Marketplace, it will be provisioned with Azure CLI
# Once connected to Azure CLI, login
# Provision you HSM to your location
az group create --name "HSMResourceGroup" --location northeurope
# Getting the logged in user to $OID, add it as admin once provioning HSM
oid=$(az ad signed-in-user show --query id -o tsv)
az keyvault create --hsm-name "YouHSMName" --resource-group "HSMResourceGroup" --location "northeurope" --administrators $oid --retention-days 7
Note! Managed HSM instances are considered always-in-use.
If you choose to enable purge protection using the --enable-purge-protection flag,
you will be billed for the entirety of the retention period.
# Generate three RSA-2048 certificates
openssl req -newkey rsa:2048 -nodes -keyout cert_0.key -x509 -days 365 -out cert_0.cer
openssl req -newkey rsa:2048 -nodes -keyout cert_1.key -x509 -days 365 -out cert_1.cer
openssl req -newkey rsa:2048 -nodes -keyout cert_2.key -x509 -days 365 -out cert_2.cer
# Download security domain (boundary) and Activate your HSM
az keyvault security-domain download --hsm-name YouHSMName --sd-wrapping-keys ./certs/cert_0.cer ./certs/cert_1.cer ./certs/cert_2.cer --sd-quorum 2 --security-domain-file YourHSMName-SD.json
How to deprovision?
First when you deprovision the HSM, you have to have your subscription in Enabled state. Otherwise you cannot and you will get the following error when trying.
(ProviderError) Resource provider 'Microsoft.KeyVault' failed to return collection response for type 'deletedManagedHSMs'.
Message: Resource provider 'Microsoft.KeyVault' failed to return collection response for type 'deletedManagedHSMs'.
So do these to get it working.
# Select Subscription and show state (Disable, enabled)
az account show --subscription SUBSCRIPTIONID --query state
# List deleted HSM's from Subscription
az keyvault list-deleted --subscription SUBSCRIPTIONID --resource-type hsm
# Delete HSM from your Subscription
az keyvault delete --hsm-name HSMNAME --location westus3 --subscription SUBSCRIPTIONID
Note! Deleting the resource group puts the Managed HSM into a soft-deleted state.
The Managed HSM will continue to be billed until it is purged.
# Purge deleted HSM's from Subscription
az keyvault purge --hsm-name HSMNAME --location westus3 --subscription SUBSCRIPTIONID
# Finally remove your HSM Resource group
az group delete --name YourResourceGroup
Microsoft documentation on HSM is excellent and accurate but the removal hasn’t been that well documented. So, the main goal for this article was to decrease Microsoft’s support tickets and also decrease the time your have your precious Subscriptions locked behind the consumption wall.
#Azure #Keyvault #Compliance #Identity #Communityrocks #Sharingiscaring