Key vault key is not backed by HSM

ID

key_vault_key_backed_hsm

Severity

low

Vendor

Azure

Resource

Key Vault

Tags

non-reachable

Description

Key Vault Key should be backed by HSM.

Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys.

The Key Vault service supports two types of containers: vaults and managed hardware security module (HSM) pools. Vaults support storing software-protected and HSM-protected keys, secrets, and certificates. Managed HSM pools only support HSM-protected keys.

For added assurance, you can import or generate keys in hardware security modules (HSMs) so that the key material never leaves the HSM boundary. Importing your own HSM-protected key this way is often referred to as bring your own key, or BYOK. Azure Key Vault uses the nCipher nShield family of HSMs (FIPS 140-2 Level 2 validated) to protect your keys. In the Key Vault API the distinction is visible in the key type (kty): RSA, EC and oct are software-protected keys, while RSA-HSM, EC-HSM and oct-HSM are HSM-protected.

See Azure Key Vault Managed HSM and HSM-protected keys to learn more about this topic.

You should be aware of the cost implications of using an HSM and whether this fits in with your security posture. Two practical caveats: HSM-protected keys require a Premium-tier vault (sku_name = "premium" in Terraform; a Standard-tier vault rejects the -HSM key types), and changing key_type on an existing azurerm_key_vault_key forces Terraform to destroy and recreate the key, so plan the rollover of anything that references the key identifier.
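The check behind this policy, as an added example that is not part of the original page: it reports every Key Vault key whose kty is a software key type, both at buildtime (walking the Microsoft.KeyVault/vaults/keys resources of an ARM template, including keys nested under their vault) and at runtime (parsing the JSON printed by az keyvault key show for a deployed key). The vault name contoso-vault, the key names and the trimmed az output are constructed sample data.

```python
# Added example (not part of the original policy page): detection logic for
# the key_vault_key_backed_hsm rule, run offline over constructed inputs.
#
# Key Vault key types ("kty") are EC, EC-HSM, RSA, RSA-HSM, oct and oct-HSM;
# the "-HSM" suffix marks an HSM-protected key. The checker covers two places
# a practitioner looks:
#   buildtime: Microsoft.KeyVault/vaults/keys resources in an ARM template
#              (top-level "vault/key" names and nested child resources)
#   runtime:   the JSON that `az keyvault key show` prints for a deployed key
import json

HSM_KEY_TYPES = {"RSA-HSM", "EC-HSM", "oct-HSM"}
SOFTWARE_KEY_TYPES = {"RSA", "EC", "oct"}
KEY_RESOURCE_TYPE = "microsoft.keyvault/vaults/keys"


def is_hsm_backed(kty: str) -> bool:
    """True for an HSM-protected key type. An unknown kty (for example the
    typo "RSA_HSM") raises instead of silently passing the check."""
    if kty in HSM_KEY_TYPES:
        return True
    if kty in SOFTWARE_KEY_TYPES:
        return False
    raise ValueError(f"unknown Key Vault key type {kty!r}")


def find_software_keys_in_arm(template: dict) -> list:
    """Return [(resource name, kty)] for every vaults/keys resource that is
    not HSM-backed. A key with no kty at all is reported with kty None."""
    findings = []

    def walk(resources, parent_type=""):
        for res in resources:
            rtype = res.get("type", "")
            # Nested child resources use the short type ("keys"); qualify it
            # with the parent's type so both declaration styles are matched.
            full_type = rtype if "/" in rtype else f"{parent_type}/{rtype}"
            if full_type.lower() == KEY_RESOURCE_TYPE:
                kty = res.get("properties", {}).get("kty")
                if kty is None or not is_hsm_backed(kty):
                    findings.append((res.get("name"), kty))
            walk(res.get("resources", []), full_type)

    walk(template.get("resources", []))
    return findings


def check_deployed_key(az_key_show_output: str) -> tuple:
    """Evaluate the JSON from `az keyvault key show --vault-name V --name K`.
    Returns (key identifier, hsm_backed)."""
    key = json.loads(az_key_show_output)["key"]
    return key["kid"], is_hsm_backed(key["kty"])


# Constructed sample template (vault properties trimmed): one software key,
# one HSM-backed key, and a key nested under its vault so the short-type
# path is exercised.
SAMPLE_ARM_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.KeyVault/vaults/keys", "apiVersion": "2022-07-01",
         "name": "contoso-vault/software-key",
         "properties": {"kty": "RSA", "keySize": 2048}},
        {"type": "Microsoft.KeyVault/vaults/keys", "apiVersion": "2022-07-01",
         "name": "contoso-vault/hsm-key",
         "properties": {"kty": "RSA-HSM", "keySize": 2048}},
        {"type": "Microsoft.KeyVault/vaults", "apiVersion": "2022-07-01",
         "name": "contoso-vault", "location": "westeurope",
         "properties": {"sku": {"family": "A", "name": "premium"}},
         "resources": [
             {"type": "keys", "apiVersion": "2022-07-01", "name": "nested-ec-key",
              "properties": {"kty": "EC", "curveName": "P-256"}}]},
    ],
}

# Constructed, trimmed sample of `az keyvault key show` output (the real
# output also carries the public key fields, attributes and tags).
SAMPLE_AZ_KEY_SHOW = json.dumps({
    "key": {
        "kid": "https://contoso-vault.vault.azure.net/keys/software-key/0123456789abcdef0123456789abcdef",
        "kty": "RSA",
        "keyOps": ["encrypt", "decrypt", "sign", "verify", "wrapKey", "unwrapKey"],
    },
    "attributes": {"enabled": True},
})

if __name__ == "__main__":
    for name, kty in find_software_keys_in_arm(SAMPLE_ARM_TEMPLATE):
        print(f"FAIL buildtime: {name} has kty={kty!r} (expected an -HSM key type)")
    kid, hsm = check_deployed_key(SAMPLE_AZ_KEY_SHOW)
    print(f"{'PASS' if hsm else 'FAIL'} runtime: {kid}")
```

The unknown-kty path deliberately raises rather than returning False: a scanner that treats a typo as "not HSM" still fails the check, but one that treats it as a pass would hide a broken template, so the safe default is to stop and report it.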

Examples

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/keys",
      "apiVersion": "2022-03-01",
      "name": "[format('{0}/bad', parameters('vaultName'))]",
      "properties": {
        "kty": "RSA" (1)
      }
    }
  ]
}
1 Key Vault Key is not backed by HSM: kty is the software key type RSA. (A top-level vaults/keys resource is named as vaultName/keyName; a key does not take a location of its own, it lives in its vault.)

Terraform

resource "azurerm_key_vault_key" "bad" {
  name         = "generated-certificate"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA" (1)
  key_size     = 2048

  key_opts = [
    "decrypt", "encrypt",
    "sign", "verify",
    "wrapKey", "unwrapKey",
  ]
}
1 Key Vault Key is not backed by HSM.

Mitigation / Fix

Buildtime

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/keys",
      "apiVersion": "2022-03-01",
      "name": "[format('{0}/good', parameters('vaultName'))]",
      "properties": {
        "kty": "RSA-HSM" (1)
      }
    }
  ]
}
1 Key Vault Key is backed by HSM: kty is the HSM-protected key type RSA-HSM.

Terraform

resource "azurerm_key_vault_key" "good" {
  name         = "generated-certificate"
  key_vault_id = azurerm_key_vault.example.id
  key_type     = "RSA-HSM" // FIXED
  key_size     = 2048

  key_opts = [
    "decrypt", "encrypt",
    "sign", "verify",
    "wrapKey", "unwrapKey",
  ]
}