Azure's Managed Hardware Security Module (HSM) now supports external key management in public preview, letting organizations maintain encryption keys on-premises or with trusted third parties outside Microsoft's infrastructure. This move targets customers with stringent regulatory requirements for physical key sovereignty beyond Azure datacenters.

  • External keys reside on customer-owned HSMs outside Azure for maximum sovereignty
  • Integrates via dedicated API with transparent cryptographic operation in Azure
  • Operational responsibility partly shifts to customers managing external HSM hardware

Infrastructure signal

Azure Managed HSM enhances its security architecture by supporting external key management in public preview. This capability allows encryption keys to remain on HSM hardware physically controlled and operated by the customer or a trusted third party, completely outside Microsoft datacenters. It extends the root of trust beyond Azure’s single-tenant, FIPS 140-3 Level 3 HSM clusters to external hardware platforms, satisfying stringent regulatory and contractual sovereignty mandates.

The new model introduces a dedicated API endpoint in Managed HSM that securely proxies cryptographic operations to the external HSM, ensuring that the key material never enters or transits Microsoft infrastructure. This design maintains cryptographic integrity and control while enabling Azure services to seamlessly invoke external keys. Because Azure does not operate or build the integration proxy, customers can choose vendor solutions, partner offerings, or develop their own implementations for connectivity.

Developer impact

For developers, external key management means cryptographic workflows in Azure remain unchanged despite the physical relocation of key material. Applications continue to use Managed HSM APIs normally, while backend requests transparently route to customer-managed HSMs holding the keys. This abstraction allows seamless integration without refactoring cryptographic code or changing API usage, preserving developer productivity and operational consistency.

However, responsibility shifts for operational management and reliability of the external HSM hardware and integration proxies away from Microsoft to the customer or selected partners. Developers and DevOps teams must plan for deployment, monitoring, and fault tolerance of this external infrastructure. This added complexity demands closer collaboration between security, infrastructure, and development teams to maintain application availability and compliance.

What teams should watch

Security and compliance teams evaluating Azure key management must carefully assess whether external key management aligns with their regulatory and contractual obligations versus standard Managed HSM usage. External keys provide maximal physical control, suited for government, financial services, and critical infrastructure sectors with explicit mandates for on-premises key custody or third-party control outside public clouds.

Infrastructure and cloud platform teams should prepare for increased operational overhead managing external HSM hardware and integration proxies, including establishing monitoring, incident response processes, and service-level agreements with external providers or vendors. Observability tools may need extension to cover these external components absent from native Azure monitoring solutions.

Developers and architects should verify compatibility of external key management with existing application cryptographic requirements and validate vendor or partner solutions for integration proxies. Early testing in controlled environments will help avoid deployment issues and performance bottlenecks introduced by the added external communication layer in cryptographic operations.

Source assisted: This briefing began from a discovered source item from Microsoft Azure Blog. Open the original source.
How SignalDesk reports: feeds and outside sources are used for discovery. Public briefings are edited to add context, buyer relevance and attribution before they are published. Read the standards

Related briefings