Key Vault bring your own key (BYOK) is now generally available
Published date: 29 May, 2020
A new method to import keys into Azure Key Vault is now generally available.
The process of importing keys from on-premises HSMs to Key Vault HSMs is generally referred to as bring your own key (BYOK). Key Vault has supported BYOK with nCipher HSMs since its launch in 2015.
The new BYOK method will enable Azure customers to use any supported on-premises HSM to generate keys and import them into Key Vault. Many customers prefer to use on-premises HSMs to generate keys to meet regulatory or compliance requirements.
The new method enables secure transfer of an HSM-protected key to a Key Vault HSM. The key to be transferred never exists outside an HSM in plaintext form. During the import process, the key material is protected with a key held in HSMs in Azure Key Vault. The original BYOK method (now referred to as nCipher BYOK) will be deprecated over time. We urge customers to start using this new method for importing HSM-protected keys to Key Vault.
Along with this announcement, the specification for the new BYOK method is also now available, to enable HSM vendors to provide BYOK tools to their customers. It also allows independent software vendors and customers to fully automate the BYOK process to fit their needs.
For details (including a list of supported HSMs), read Import HSM-protected keys into Key Vault (overview).