Encrypting Data-At-Rest with Customer Managed Keys in M365

As I mentioned in my previous posts, I like to keep my view as holistic as possible, mixing a little bit of the Azure infrastructure and security side with a hint of M365 Compliance and Entra Identity ingredients.

With that in mind, I want to lay out the Azure Key Vault method for using Data Encryption Policies.

There are two different places to store your encryption keys: Key Vault Premium and Managed HSM. See the comparison article on Microsoft Learn for which one you should choose.

Note! Azure Key Vault Premium is billed on a transactional basis, with an additional monthly per-key charge for premium hardware-backed keys. Managed HSM, Dedicated HSM and Payments HSM are not billed per transaction; they are always-in-use devices billed at a fixed hourly rate, whether or not you use them.

What is Key vault?

Azure Key Vault acts as a central repository for safeguarding sensitive information critical to your applications and cloud resources. It offers robust solutions for three key areas:

  • Secret Management: Securely store and control access to confidential data like tokens, passwords, certificates, API keys, and more. Key Vault helps you restrict access to authorized users and applications.
  • Key Management: Simplify the process of creating and managing the encryption keys that protect your data. Azure Key Vault provides a centralized location for key control.
  • Certificate Management: Effortlessly provision, manage, and deploy public and private TLS/SSL certificates used for Azure services and your internal resources. Key Vault ensures the security of your certificates throughout their lifecycle.

Azure Key Vaults may be either software-protected or, with the Azure Key Vault Premium tier, hardware-protected by hardware security modules (HSMs).

This article is about data encryption, so from here on we concentrate on keys and on the two models that can hold them: Key Vault Premium and Managed HSM.

What can I do with Key vault Premium?

It has the following data-plane address.

Resource type | Key protection methods          | Data-plane endpoint base URL
Vaults        | HSM-protected (with Premium SKU) | https://{vault-name}.vault.azure.net

See my previous blog posts for more on what you can do with it.

What about Managed HSM?

Each HSM pool is an isolated single-tenant instance with its own security domain, providing complete cryptographic isolation from all other HSMs sharing the same hardware infrastructure.

Managed HSM uses Marvell LiquidSecurity adapters. So yes, you got it right: the physical hardware is shared between customers, but each Managed HSM pool is cryptographically isolated from every other pool by its own security domain.

It has the following data-plane address.

Resource type | Key protection methods | Data-plane endpoint base URL
Managed HSMs  | HSM-protected          | https://{hsm-name}.managedhsm.azure.net

FIPS stands for Federal Information Processing Standards. They are developed by the National Institute of Standards and Technology (NIST) under the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce, and they are issued when no existing industry standard or solution meets a regulatory requirement. FIPS were written for the US federal government, although many firms adopt them voluntarily. The one that matters for HSMs is FIPS 140, which defines four security levels (1 to 4) for cryptographic modules, Level 4 being the most demanding. Managed HSM is validated at FIPS 140-2 Level 3.

Once it is provisioned you use it almost like a normal Key Vault: the Managed HSM shows up as a key source in the service where you plan to use the keys. You can generate the keys with Azure CLI or in the portal.

Once you have a Managed HSM RSA key in place, you can reference it from the M365 side (see the Data Encryption Policies section below).

Why use it?

Regulation and compliance requirements in your industry are among the biggest reasons: content has to be encrypted with keys that you generate and hold yourself. With an HSM you own the root of trust, but you also own the responsibility to back up your infrastructure (the HSM's security domain and keys) and your content.

See the Azure Architecture Center for some excellent examples of HSM deployments.

How to provision?

You can find Managed HSM in the Azure portal here: https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2FmanagedHSMs

Note! It costs you money from the moment of provisioning, so there is a separate box to check to acknowledge that!

You can also provision it with Azure CLI.
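As an added example (this is not code from the original post), here is the whole provisioning flow in PowerShell calling Azure CLI: create the Managed HSM, activate it by downloading its security domain, grant yourself a data-plane role, and create the RSA-HSM key that a Data Encryption Policy will later reference. The HSM name, resource group, region, key name, retention period, quorum and key size are assumptions; adjust them for your tenant and check the Customer Key setup article for the key requirements it enforces.

```powershell
# Added example, not from the original post. Provisions and activates a Managed HSM
# with Azure CLI from PowerShell, then creates the RSA-HSM key for Customer Key.
# All names, the region, the retention period and the key size are assumptions.
$ErrorActionPreference = 'Stop'

$hsmName  = 'contoso-m365-mhsm'        # assumed; must be globally unique
$rg       = 'rg-m365-customerkey'      # assumed
$location = 'westeurope'               # assumed
$keyName  = 'm365-customerkey-rsa'     # assumed

# The signed-in user becomes the initial administrator in the HSM's local RBAC.
$adminOid = az ad signed-in-user show --query id -o tsv

# 1. Provision. Billing starts here (the fixed hourly rate mentioned above).
#    --retention-days is the soft-delete window that applies when you delete the HSM.
az keyvault create --hsm-name $hsmName --resource-group $rg --location $location `
    --administrators $adminOid --retention-days 28

# 2. Activate. A Managed HSM is unusable until its security domain has been downloaded.
#    It is encrypted to a set of RSA public keys you generate; a quorum of the matching
#    private keys is needed to restore or recover the HSM, so keep them offline and backed up.
New-Item -ItemType Directory -Path .\sd -Force | Out-Null
foreach ($i in 0..2) {
    openssl req -newkey rsa:2048 -nodes -x509 -days 365 -subj "/CN=mhsm-sd-$i" `
        -keyout ".\sd\cert_$i.key" -out ".\sd\cert_$i.cer"
}
az keyvault security-domain download --hsm-name $hsmName `
    --sd-wrapping-keys .\sd\cert_0.cer .\sd\cert_1.cer .\sd\cert_2.cer `
    --sd-quorum 2 --security-domain-file ".\sd\$hsmName-SD.json"

# 3. Data-plane permission. Managed HSM has its own local RBAC, separate from Azure RBAC:
#    Owner or Contributor on the subscription grants nothing on the keys themselves.
az keyvault role assignment create --hsm-name $hsmName `
    --role 'Managed HSM Crypto User' --assignee $adminOid --scope /keys

# 4. Create the key. Customer Key uses an RSA key for wrap/unwrap, so restrict the key
#    operations to those two (2048 bits is an assumption, verify it against the setup article).
az keyvault key create --hsm-name $hsmName --name $keyName `
    --kty RSA-HSM --size 2048 --ops wrapKey unwrapKey

# The key identifier is the data-plane URL that a Data Encryption Policy references:
# https://<hsm-name>.managedhsm.azure.net/keys/<key-name>/<version>
$kid = az keyvault key show --hsm-name $hsmName --name $keyName --query key.kid -o tsv
Write-Host "Key ID: $kid"
```

Step 2 is the one people skip and regret: the security domain file plus a quorum of the wrapping private keys is the only thing that lets you restore this HSM (or stand up a replacement) if it is lost, which is exactly the backup responsibility mentioned under "Why use it?" above.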

How to remove?

You tried it and now want to remove it. That is not super easy, and I found at least one reason why.

When you deprovision the HSM, your subscription has to be in the Enabled state. Otherwise you cannot, and you get the following error when trying:

(ProviderError) Resource provider 'Microsoft.KeyVault' failed to return collection response for type 'deletedManagedHSMs'.
Code: ProviderError
Message: Resource provider 'Microsoft.KeyVault' failed to return collection response for type 'deletedManagedHSMs'.

So do these to get it working.

But if your subscription is active, it's super easy.
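As an added example (not from the original post), this is the teardown as a PowerShell script around Azure CLI. It checks the subscription state first, because the 'deletedManagedHSMs' error quoted above comes from the list-deleted call that the delete flow makes on a disabled subscription. The HSM name, resource group and region are assumptions.

```powershell
# Added example, not from the original post. Soft-deletes and then purges a Managed HSM.
# Names and region are assumptions.
$ErrorActionPreference = 'Stop'
$hsmName  = 'contoso-m365-mhsm'      # assumed
$rg       = 'rg-m365-customerkey'    # assumed
$location = 'westeurope'             # assumed

# The subscription must be Enabled; otherwise the deleted-HSM listing below fails with
# "Resource provider 'Microsoft.KeyVault' failed to return collection response for type
# 'deletedManagedHSMs'".
$state = az account show --query state -o tsv
if ($state -ne 'Enabled') {
    throw "Subscription state is '$state'; re-enable it before deprovisioning the HSM."
}

# Soft delete: the HSM and its keys stay recoverable for the --retention-days set at creation.
az keyvault delete --hsm-name $hsmName --resource-group $rg

# Confirm it is in the deleted list and see its scheduled purge date.
az keyvault list-deleted --resource-type hsm --query "[?name=='$hsmName']" -o table

# Purge to remove it permanently (this fails if purge protection was enabled on the HSM,
# which is the point of purge protection; in that case wait out the retention period).
az keyvault purge --hsm-name $hsmName --location $location
```

If you only want to stop the clock temporarily, stop after the delete and use `az keyvault recover --hsm-name` within the retention window; purge is irreversible, and with it go every key version and any M365 content that was only wrapped by those keys.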

Data Encryption Policies (DEP)

Now that we know about Key Vaults, and maybe even have them in place, we can see what can be done with those keys in M365 services. I will illustrate first to set the stage.

These steps can be achieved with:

  1. Set up the Key Vault (or Managed HSM)
  2. Set up Customer Key against the Key Vault, so that Microsoft 365 can use the keys: https://learn.microsoft.com/en-us/purview/customer-key-set-up
  3. Assign the Data Encryption Policy to the whole tenant or to a specific service: https://learn.microsoft.com/en-us/purview/customer-key-manage

How easy is that? Well, it isn't, but it could be mandatory because of the regulations you follow, or just a fun learning experience!
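As an added example (not code from the original post), here is step 3 of that procedure in Exchange Online PowerShell: creating a Data Encryption Policy from two keys and assigning it, either to a single mailbox or tenant-wide. The key URIs, policy names and mailbox are assumptions; the two keys must live in two separate vaults or HSMs (Microsoft requires two Azure regions), and step 2 (granting the Microsoft 365 service principals wrap/unwrap access on each vault or HSM, as described in the linked setup article) must already be done.

```powershell
# Added example, not from the original post. Creates and assigns a Customer Key
# Data Encryption Policy (DEP). Requires the ExchangeOnlineManagement module and a
# tenant that has been onboarded to Customer Key. Key URIs, names and the mailbox are assumptions.
$ErrorActionPreference = 'Stop'

# Key IDs are built from the data-plane base URLs in the tables above, without a key
# version, so rotating the key in the HSM does not require editing the policy.
# A Key Vault Premium key would look like https://<vault-name>.vault.azure.net/keys/<key-name>
$primaryKey   = 'https://contoso-mhsm-weu.managedhsm.azure.net/keys/m365-customerkey-rsa'   # assumed
$secondaryKey = 'https://contoso-mhsm-neu.managedhsm.azure.net/keys/m365-customerkey-rsa'   # assumed

Connect-ExchangeOnline

# Service-specific path: a DEP for Exchange Online mailboxes.
$dep = New-DataEncryptionPolicy -Name 'Contoso Mailbox DEP' `
    -Description 'Customer Key policy for mailboxes; keys held in Managed HSM' `
    -AzureKeyIDs $primaryKey, $secondaryKey

# Assign it to one mailbox first; existing mailbox data is re-encrypted in the background.
Set-Mailbox -Identity 'alice@contoso.com' -DataEncryptionPolicy $dep.Name   # assumed mailbox

# Read the policy back and confirm both key IDs are attached before rolling out wider.
Get-DataEncryptionPolicy -Identity $dep.Name | Format-List Name, AzureKeyIDs

# Tenant-wide path: a multi-workload DEP that covers the Microsoft 365 data at rest
# that is not under a service-specific policy.
New-M365DataAtRestEncryptionPolicy -Name 'Contoso Tenant DEP' `
    -Description 'Tenant-wide Customer Key policy; keys held in Managed HSM' `
    -AzureKeyIDs $primaryKey, $secondaryKey
Set-M365DataAtRestEncryptionPolicyAssignment -DataEncryptionPolicy 'Contoso Tenant DEP'
```

Two things worth checking before you run this for real: that both key URIs resolve from the M365 side (a wrong base URL, vault versus managedhsm, is the usual mistake) and that you have a tested restore of both HSMs' security domains, since a policy that references keys nobody can recover is an availability problem, not an encryption feature.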

Author: Harri Jaakkonen