Skip to main content

Quickstart for Azure External Key Management

This page provide an overview of how to integrate the Azure Managed HSM external key management with a Primus HSM or CloudHSM. For full details, please see the linked sections of the installation guide.

  1. Prerequisites:
    • Prepare an Azure subscription for use with external key management, ensure sufficient permissions.
    • Create or use an existing Managed HSM and enable external key management for it.
    • Obtain a Securosys HSM and configure it or use a preconfigured CloudHSM Partition.
    • Prepare a host on which to deploy the Securosys EKM Proxy.
    • Obtain a server key and server certificate for your proxy host (for use with mTLS). Note down the CA certificate of the CA that issued the certificate.
  2. Install the EKM Proxy:
    • Configure the EKM Proxy and deploy it.
  3. Integrate with Azure:
    • Obtain the client certificate and common name of the Managed HSM pool.
    • Update the EKM Proxy with the Managed HSM client certificate and common name.
    • Establish a connection between your Managed HSM and EKM Proxy.
    • Create an RSA or AES key on your Securosys HSM.
    • Create an external key in Azure Managed HSM (a reference to the key in the HSM).
    • Enable customer-managed keys in other Azure services using the external key.

When Azure services perform crypto operations against an external key, Azure Managed HSM forwards the request to the Securosys EKM Proxy, which in turn forwards it to the HSM. The operation is performed inside your on-premise Primus HSM or your CloudHSM.

Get started withCloudHSM for free.
Other questions?Ask Sales.
Feedback
Need help?