articles/key-vault/keys/about-keys-details.md
Lines changed: 8 additions & 1 deletion
@@ -123,7 +123,14 @@ In addition to the key material, the following attributes may be specified. In a
There are more read-only attributes that are included in any response that includes key attributes:
-*created*: IntDate, optional. The *created* attribute indicates when this version of the key was created. The value is null for keys created prior to the addition of this attribute. Its value MUST be a number containing an IntDate value.
-
-*updated*: IntDate, optional. The *updated* attribute indicates when this version of the key was updated. The value is null for keys that were last updated prior to the addition of this attribute. Its value MUST be a number containing an IntDate value.
+
-*updated*: IntDate, optional. The *updated* attribute indicates when this version of the key was updated. The value is null for keys that were last updated prior to the addition of this attribute. Its value MUST be a number containing an IntDate value.
+
-*hsmPlatform*: string, optional. The underlying HSM Platform that is protecting a key.
+
- A hsmPlatform value of 2 means the key is protected by our latest FIPS 140 Level 3 validated HSM platform.
+
- A hsmPlatform value of 1 means the key is protected by our previous FIPS 140 Level 2 HSM platform using nCipher HSMs.
+
- A hsmPlatform value of 0 means the key is protected by a FIPS 140 Level 1 HSM software cryptographic module.
+
- if this is not set by a Managed HSM pool, it is protected by our latest FIPS 140 Level 3 validated HSM platform.
+
+
It’s important to note that keys are bound to the HSM in which they were created. New keys are seamlessly created and stored in the new HSMs. While there is no way to migrate or transfer keys, new key versions are automatically in the new HSMs. For more information on how to migrate to a new key, see [How to migrate key workloads](../general/migrate-key-workloads.md).
For more information on IntDate and other data types, see [About keys, secrets, and certificates: [Data types](../general/about-keys-secrets-certificates.md#data-types).
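Review bot: the value bullets ("A hsmPlatform value of 2 ...", "... of 1 ...", "... of 0 ...") and the closing "if this is not set by a Managed HSM pool" bullet sit at the same list level as `-*hsmPlatform*`, so they render as sibling attributes rather than as the list of hsmPlatform's values; indent them under the attribute, capitalize "if", and reword the last bullet so it describes the key rather than the attribute, e.g. "If the key is in a Managed HSM pool, hsmPlatform is not set; such keys are always protected by the FIPS 140 Level 3 validated HSM platform." The attribute is declared as "string" while every listed value is a bare number; say which form callers get ("2" as a string, or the integer 2) so that code comparing against the attribute does not silently mismatch. Line 126 is removed and re-added with identical text, which suggests a whitespace-only change; confirm nothing else moved. In the new paragraph, "new key versions are automatically in the new HSMs" is missing its verb ("are automatically created in the new HSMs"). Finally, this file says "FIPS 140 Level 3" while about-keys.md in the same commit says "FIPS 140-2 Level 3"; use one form in both.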
articles/key-vault/keys/about-keys.md
Lines changed: 7 additions & 6 deletions
@@ -9,7 +9,7 @@ tags: azure-resource-manager
ms.service: key-vault
ms.subservice: keys
ms.topic: overview
-
ms.date: 01/24/2023
+
ms.date: 02/09/2024
ms.author: mbaldwin
---
@@ -38,9 +38,9 @@ Cryptographic keys in Key Vault are represented as JSON Web Key [JWK] objects. T
The base JWK/JWA specifications are also extended to enable key types unique to the Azure Key Vault and Managed HSM implementations.
-
HSM-protected keys (also referred to as HSM-keys) are processed in an HSM (Hardware Security Module) and always remain HSM protection boundary.
+
HSM Keys in vaults are protected". The Software keys are not protected by HSMs.
-
-Vaults use **FIPS 140-2 Level 2**validated HSMs to protect HSM-keys in shared HSM backend infrastructure.
+
-Keys stored in vaults benefit from robust protection using **FIPS 140-2 HSMs**. There are two distinct HSM platforms available: 1, which protects key versions with **FIPS 140-2 Level 2** and 2, which protects keys with **FIPS 140-2 Level 3** HSMs depending on when the key was created. All new keys and key versions are now created using platform 2 (except UK geo). To determine which HSM Platform is protecting a key version, get it's [hsmPlatform](about-keys-details.md#key-attributes).
- Managed HSM uses **FIPS 140-2 Level 3** validated HSM modules to protect your keys. Each HSM pool is an isolated single-tenant instance with its own [security domain](../managed-hsm/security-domain.md) providing complete cryptographic isolation from all other HSMs sharing the same hardware infrastructure.
These keys are protected in single-tenant HSM-pools. You can import an RSA, EC, and symmetric key, in soft form or by exporting from a supported HSM device. You can also generate keys in HSM pools. When you import HSM keys using the method described in the [BYOK (bring your own key) specification](../keys/byok-specification.md), it enables secure transportation key material into Managed HSM pools.
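Review bot: the new line 41, `HSM Keys in vaults are protected". The Software keys are not protected by HSMs.`, has a stray double quote and reads as a truncated sentence, and it drops the substantive statement from the line it replaces (HSM-keys are processed in an HSM and the key material stays inside the HSM protection boundary). Suggest restoring that idea, e.g. "HSM-protected keys (also referred to as HSM-keys) are processed in an HSM and never leave the HSM protection boundary; software-protected keys are not protected by HSMs." In the new line 43, "get it's" should be "get its", and "(except UK geo)" should say whether UK keys continue to be created on platform 1 and whether that is temporary, since a reader picking a region for a Level 3 requirement needs to know. "robust protection using **FIPS 140-2 HSMs**" gives no level while the next sentence distinguishes Level 2 from Level 3; either drop the bolded phrase or say "FIPS 140-2 validated HSMs".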
@@ -72,9 +72,10 @@ Key Vault supports RSA and EC keys. Managed HSM supports RSA, EC, and symmetric
|Key type and destination|Compliance|
|---|---|
-
|Software-protected keys in vaults (Premium & Standard SKUs) | FIPS 140-2 Level 1|
-
|HSM-protected keys in vaults (Premium SKU)| FIPS 140-2 Level 2|
-
|HSM-protected keys in Managed HSM|FIPS 140-2 Level 3|
+
|Software-protected (hsmPlatform 0) keys in vaults | FIPS 140-2 Level 1|
+
|hsmPlatform 1 protected keys in vaults (Premium SKU)| FIPS 140-2 Level 2|
+
|hsmPlatform 2 protected keys in vaults (Premium SKU)| FIPS 140-2 Level 3|
+
|Keys in Managed HSM are always HSM protected|FIPS 140-2 Level 3|
|||
See [Key types, algorithms, and operations](about-keys-details.md) for details about each key type, algorithms, operations, attributes, and tags.
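Review bot: the replacement row for software-protected keys drops "(Premium & Standard SKUs)", so the table no longer states that Standard-SKU vaults only ever hold Level 1 keys; keep the SKU qualifier on that row. "hsmPlatform 1 protected keys in vaults" and "hsmPlatform 2 protected keys in vaults" read better as "HSM-protected keys in vaults, hsmPlatform 1 (Premium SKU)" and likewise for 2, and since the platform of a vault key is determined by when it was created rather than chosen by the caller, the table should point readers at the hsmPlatform attribute (as the paragraph at line 43 already does) so they can check which row applies to an existing key. The empty `|||` row at the end of the table is pre-existing but renders as a blank row and can be removed while here.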