Skip Navigation

Azure Dedicated HSM pricing

Manage hardware security modules that you use in the cloud

Azure Dedicated HSM allows you to do key management on a hardware security module that you control in the cloud. You can meet your compliance requirements such as FIPS 140-2 Level 3 and help ensure your keys are secure by using a cloud-hosted HSM. You can drastically reduce the latency of applications and increase their performance by running them in your own hardware security module in Azure.

For each HSM instance provisioned, customers will be charged an upfront fee of $5000 along with an hourly fee until the HSM is deprovisioned.

Hourly usage fee per HSM
Azure Dedicated HSM $4.85

The service is available in limited regions – To learn more about availability, please contact your local Microsoft representative.

Support & SLA

  • Billing and subscription management support is provided at no cost.
  • Technical support is available through various Azure support plans, starting at $29/month.
  • Service Level Agreement (SLA)—No SLA.

FAQ

  • Azure Dedicated HSM (hardware security module) is a cloud-based service that provides HSMs hosted in Azure datacenters that are directly connected to a customers’ virtual network. These are dedicated network HSM appliances (Gemalto's SafeNet Network HSM 7, FIPS 140-2 Level 3) available in a customers' private IP address space. Microsoft does not have any access to the cryptographic functionality of the HSMs. Only the customer has full administrative control and cryptographic control over these HSMs and can get full activity logs directly from the HSM. Dedicated HSMs help customers meet compliance/regulatory requirements such as GDPR, HIPAA, PCI-DSS, eIDAS and many others.
  • HSM (hardware security module) is a physical computing device used for safeguarding and managing cryptographic keys that can be used for cryptographic operations. The key material stays safe in a tamper-resistant, tamper-evident hardware module, while allowing authenticated/authorized applications to use the keys to perform cryptographic operations. The key material never leaves the HSM protection boundary.
  • HSMs are used for storing cryptographic keys that are used for cryptographic functionality such as SSL (secure socket layer), encrypting data, PKI (public key infrastructure), DRM (digital rights management), and signing documents.
  • Customers can provision HSMs in specific regions using PowerShell or command line interface. The customer specifies virtual network and subnet detail for the HSMs to be connected to. Once provisioned, the HSMs will be available in the designated subnet at an assigned IP addresses in the customer's private IP address space. Customers can then connect to the HSMs using the SSH tool for appliance management and administration, to setup HSM client connections, initialize HSMs, create partitions, define and assign roles such as partition officer, crypto officer and crypto user. Finally, a customer will use Gemalto provided HSM client tools/SDK/software to perform cryptographic operations from their applications.
  • By design, the customer has exclusive administrative control of the HSM device including monitoring, configuration and software/firmware maintenance. Considering Microsoft is not involved in this, we cannot ensure the health and hence uptime of the device.
  • Yes, a one-time setup fee is charged for every HSM deployment.
  • No. The Dedicated HSM service does not support integration with other Azure or Microsoft cloud services.

Resources

Estimate your monthly costs for Azure services

Review Azure pricing frequently asked questions

Learn more about Azure Dedicated HSM

Review technical tutorials, videos, and more resources

Added to estimate. Press 'v' to view on calculator View on calculator

Learn and build with $200 in credit, and keep going for free