What is Azure Key Vault Managed HSM, how to install and eventually remove (if needed)

Managed HSM Key auto-rotation is generally available

First the happy news! Key auto-rotation is also generally available for Managed HSM! Earlier this year it came to Key Vault already!

Read more here about the Key vault auto-rotation feature and how to enable it with system-managed identities.

But if you don’t want remove it completely, read forward, it will make your day, I promise.


Because the community is mostly made out of IT Pro’s who do consulting for customer. There could be a need to test Managed HSM for a client or just for fun (Yes, some people do it also for fun)

It’s easy to provision but hard to remove once it takes all the credits from your subscriptions. And the local currency piles up quickly, really quickly, even if you don’t use it.

What is Managed HSM?

Each HSM pool is an isolated single-tenant instance with its own security domain providing complete cryptographic isolation from all other HSM’s sharing the same hardware infrastructure.

Managed HSM uses Marvell LiquidSecurity adapters. So yes, you got it right. It is a Shared physical device and there is separate physical cards that hosts your content.

It has the following data-plane address.

Resource typeKey protection methodsData-plane endpoint base URL
Managed HSMsHSM-protectedhttps://{hsm-name}.managedhsm.azure.net

There are three different FIPS levels, and they are based on The Federal Information Security Management Act (FISMA), which was established as standards and guidelines for federal computer systems by the National Institute of Standards and Technology (NIST) and approved by the Secretary of Commerce. These standards and guidelines are developed when there are no existing industry standards or solutions that meet a certain regulatory requirement. FIPS were developed for use by the federal government, although many firms voluntarily adopt them. Managed HSM has the hightest FIPS Level of 3.

You will use it almost like normal Key vault, once you have it provisioned you will see Managed HSM in the service that you plan to use the Keys. You can generate the keys with AZ CLI or with the GUI like below.

Why to use it?

Regulations and compliance based on our industry is one of the biggest reasons. Content has to encrypted with your own keys, that you generate and hold. With HSM you have the root of trust but also the responsibility to backup your infrastructure and content.

See some excellent examples from Azure Architecture Center for HSM deployments.

Availability and pricing

Here you can find the availability

And pricing per B1 pool is 3,323€ per hour and for the keys.

HSM-protected keysPremium
RSA 2048-bit keys€1.039 per key per month1 + €0.032/10,000 transactions
Advanced key types1—First 250 keys€5.192 per key per month
From 251 – 1500 keys€2.596 per key per month
RSA 3072-bit, RSA 4096-bit, and Elliptic-Curve Cryptography (ECC) keysFrom 1501 – 4000 keys€0.935 per key per month
4001+ keys€0.416 per key per month
€0.156/10,000 transactions

If you are thinking about the Keys length, RSA-3072 is a safe choice to go with as it’s the highest than can be used in all of the Azure services. Don’t get me wrong, by best practices you should generate different keys for different purposes but not all Azure service support over 3072-bit keys.

How to provision?

You don’t find Managed HSM inside Azure Marketplace, it will be provisioned with Azure CLI

How to deprovision?

First when you deprovision the HSM, you have to have your subscription in Enabled state. Otherwise you cannot and you will get the following error when trying.

(ProviderError) Resource provider 'Microsoft.KeyVault' failed to return collection response for type 'deletedManagedHSMs'.
Code: ProviderError
Message: Resource provider 'Microsoft.KeyVault' failed to return collection response for type 'deletedManagedHSMs'.

So do these to get it working.


Microsoft documentation on HSM is excellent and accurate but the removal hasn’t been that well documented. So, the main goal for this article was to decrease Microsoft’s support tickets and also decrease the time your have your precious Subscriptions locked behind the consumption wall.

#Azure #Keyvault #Compliance #Identity #Communityrocks #Sharingiscaring

Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *