Use Microsoft Azure Key Vault on your terms

Control the critical keys securing your sensitive data in the cloud

As a cloud service, you can run Azure Key Vault on-demand without incremental IT infrastructure, and ensure that your data is protected across organizational boundaries. Azure Key Vault employs cryptography to deliver controlled access to and persistent protection for your data. Security depends on the level of protection given to the critical cryptographic key. Exposure of the cryptographic key can compromise your sensitive data. To ensure security, you can choose to protect your key within a robust boundary using nCipher nShield hardware security modules (HSMs). nShield HSMs generate, safeguard, and manage the key independent of the software environment.

Enhanced security – nCipher BYOK for Azure Key Vault

nCipher has an unparalleled 40-year history in delivering data protection solutions to security-conscious businesses, governments, and technology vendors, including critical key management solutions for some of the most demanding security organizations in the world. As experts in the field, nCipher products and services provide high assurance security so customers can make effective use of cryptographic protection.

nCipher facilitates how you retain control of your keys. While keys can be generated in the cloud, for added assurance when using Azure Key Vault, keys are generated in your own nShield HSM (physically on-premises or as a service). Keys generated in this manner are securely shared with other nShield HSMs in the Azure cloud, but never leave the nShield HSM security boundary. Microsoft has used nCipher FIPS 140-2 Level 2 validated nShield HSMs to protect keys since the inception of Azure Key Vault.

What are HSMs?

HSMs are high-performance cryptographic devices designed to generate, safeguard and manage sensitive key material. nCipher nShield HSMs maintain your keys secure and usable only within the protected boundary. This enables you to maintain custody of your keys and visibility over their use.

Security Boundary

Why use nCipher nShield HSMs with Azure Key Vault?

nCipher nShield HSMs ensure that your keys are always under your control and never visible to Microsoft. The capability mitigates the perception that sensitive data maintained in the cloud is vulnerable.

Security properties of Azure Key Vault

Azure Key Vault offers you multiple levels of control. The Azure Key Vault keys become your tenant keys, and you can manage desired level of control versus cost and effort.

  • By default, Azure Key Vault generates and manages the lifecycle of your tenant keys
  • BYOK lets you generate tenant keys on your own physical or as a service nCipher nShield HSM
  • Near-real time usage logs enhance security, allowing you to see exactly how and when your keys are being used

How it works

nCipher nShield HSMs create a locked cage protecting your tenant keys. You can cache the tenant keys securely from your on-site nCipher nShield HSM to an nCipher nShield HSM in Microsoft's Azure data center – without leaving the FIPS compliant security boundary created by the HSMs. The tenant keys are protected while in Microsoft's data centers – secured within a carefully designed cryptographic boundary that employs robust access control mechanisms to allow you to enforce separation of duties and ensure the keys are only used for their authorized purpose.

Download Security World White Paper


BYOK for Azure Key Vault allows you to match the security properties of an on-premises environment. It enables you to generate your tenant keys on your on-premises or cloud-based nShield HSM per your IT policies, and transfer your tenant keys securely to the Azure cloud nCipher nShield HSM hosted by Microsoft.


Hosted HSM validation

To ensure that the hosted HSM is an authorized nCipher nShield HSM, the Azure Key Vault with nCipher BYOK provides you a mechanism to validate its certificate. The capability, ONLY available with nCipher BYOK, enables you to verify that the key encryption key used to secure the upload of your tenant key was indeed generated in a nCipher nShield HSM.

Learn More