Skip to content

Key vault key is not backed by HSM

Description

For added assurance, when you use Azure Key Vault, you can import or generate keys in hardware security modules (HSMs) that never leave the HSM boundary. This scenario is often referred to as bring your own key, or BYOK. Azure Key Vault uses nCipher nShield family of HSMs (FIPS 140-2 Level 2 validated) to protect your keys.
You should be aware of the cost implications of using an HSM and whether this fits in with your security posture.

Fix - Buildtime

Terraform

  • Resource: azurerm_key_vault_key
  • Argument: key_type - (Required) Specifies the Key Type to use for this Key Vault Key. Possible values are EC (Elliptic Curve), EC-HSM, Oct (Octet), RSA and RSA-HSM. Changing this forces a new resource to be created.

go azurerm_key_vault_key.generated.tf resource "azurerm_key_vault_key" "generated" { ... + key_type = "RSA-HSM" ... }

Select an option with "-HSM" to pass this check.