Introduction

This integration covers the creation and transfer of a cryptographic key for use with Azure Bring Your Own Key (BYOK) for Key Vault.

This cryptographic key is known as a tenant key if used with the Azure Rights Management Service (Azure RMS) and Azure Information Protection. The key is created within the protection of the nShield Hardware Security Module (HSM) on the customer’s premises. It is then securely transferred to Microsoft Azure.

The benefits of using an nShield HSM include:

  • Secure storage of the private key.

  • FIPS 140 validated hardware.

Product configurations

Entrust has successfully tested the use of an nShield HSM to generate and transfer a key into a Microsoft Azure Key Vault in the following configurations:

Internet-connected computer:

| Product | Version    |
|---------|------------|
| Base OS | Windows 11 |

Offline computer:

| Product | Version             |
|---------|---------------------|
| Base OS | Windows Server 2025 |

If migrating from a tenant key managed by Microsoft to BYOK and you are using Microsoft Office 2010, you will need to contact Microsoft Support before proceeding with BYOK. This is because Microsoft Office 2010 with Azure RMS requires some additional configuration steps prior to migration to BYOK.

Supported nShield hardware and software versions

Entrust has successfully tested with the following nShield hardware and software versions:

| HSM  | Security World  | Firmware                        | Cloud Integration Option Pack (CIOP) |
|------|-----------------|---------------------------------|--------------------------------------|
| Edge | 13.6.12 (LTS 4) | 12.72.2 (FIPS 140-2 certified)  | 2.3.0                                |
| Edge | 12.80.4         | 12.50.8                         |                                      |
| Edge | 12.80.4         | 12.72.0                         |                                      |
| Edge | 12.80.4         | 12.60.6                         |                                      |
| Edge | 12.71.0         | 12.50.8                         |                                      |
| Edge | 12.71.0         | 12.60.6                         |                                      |

Supported nShield functionality

| Feature                   | Support |
|---------------------------|---------|
| Key Generation            | Yes     |
| Key Management            | Yes     |
| Key Import                | Yes     |
| Key Recovery              | Yes     |
| 1-of-N Operator Card Set  | Yes     |
| K-of-N Operator Card Set  | Yes     |
| Softcards                 | Yes     |
| Module-only Key           | Yes     |
| FIPS 140 Level 3 Support  | Yes     |
| Load Sharing              | Yes     |
| Fail Over                 | Yes     |

Requirements

  • Access to the Entrust TrustedCare Portal. This portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.

  • A premium Azure resource group. This level is required to use HSM-backed keys with Azure Key Vault. See Azure Key Vault pricing.

  • An Entrust nShield HSM to protect your keys.

  • A dedicated offline computer to host the Security World, for example a personal computer (PC). This computer must not be connected to any network, whether by network cable or Wi-Fi; it is completely isolated.

  • An online (internet-connected) computer or virtual machine to manage the Azure account.

  • Portable media like a USB thumb drive.

Familiarize yourself with:

For creation of the Security World:

  • Determine who within the organization will act as custodians of the ACS cards, and ensure they can attend the key generation ceremony.

  • Obtain enough blank smartcards to create the Administrator Card Set (ACS). Six cards are delivered with the nShield HSM.

  • Define the Security World parameters as part of the preparation stage of the BYOK installation. For details of the security implications of the choices, see Security World infrastructure.

    | Setting                   | Description |
    |---------------------------|-------------|
    | FIPS 140 Level            | Sets the operational compliance level of the HSM. |
    | ACS quorum size (K-of-N)  | Specifies the number of cards in the ACS (N) and the number of cards required to instantiate the Security World (the quorum, K). Choose values of K and N that provide a degree of resiliency in the unlikely event of a card failure or a lost card. |
    | Cipher suite              | Sets the symmetric algorithm to be used for the Security World module key. The choices are AES or AES (SP800-131A compliant). |
    | Delegation                | Sets the required quorum of cards from the ACS for various operations, such as setting the real-time clock (RTC) and allowing read/write access to NVRAM. The default is to use the same quorum (K) value as is needed to instantiate the Security World. |
    | Key recovery              | Determines whether application keys can be recovered if the Softcard protecting the application key is lost. This is on by default. |
    | Passphrase recovery       | Determines whether passphrases in use with Softcards can be replaced without knowing the original passphrase. This is off by default. |
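The following shell script is an added example and is not part of the Entrust guide. It checks the Security World parameters from the table above before a key ceremony (a valid K-of-N quorum with at least one spare card, and delegation quorums that cannot exceed N) and then assembles the `new-world` command line that would apply them on the offline computer. The `new-world` flag names and the two cipher-suite identifiers are written from memory of the nShield Security World documentation and are assumptions; confirm them against the utility's own help output for your installed software version before running anything.

```shell
#!/bin/sh
# Added example (not Entrust's code): validate Security World choices and
# build the matching new-world invocation. Flag names and cipher-suite
# identifiers are ASSUMED from the nShield documentation; verify locally.

# validate_quorum "K/N": K cards must authorise, K cannot exceed N, and at
# least one spare card (N > K) must exist so one lost or failed card cannot
# lock administrators out of the Security World.
validate_quorum() {
  k=${1%/*}
  n=${1#*/}
  case "$1" in */*) ;; *) return 1 ;; esac          # must contain a slash
  case "$k" in ''|*[!0-9]*) return 1 ;; esac        # K must be a number
  case "$n" in ''|*[!0-9]*) return 1 ;; esac        # N must be a number
  [ "$k" -ge 1 ] || return 1                        # at least one card required
  [ "$k" -le "$n" ] || return 1                     # cannot need more cards than exist
  [ "$n" -gt "$k" ] || return 1                     # keep at least one spare card
  return 0
}

# delegation_ok "K/N" D: a delegated quorum D (for example RTC or NVRAM
# access) must be at least 1 and can never require more cards than the ACS has.
delegation_ok() {
  validate_quorum "$1" || return 1
  n=${1#*/}
  case "$2" in ''|*[!0-9]*) return 1 ;; esac
  [ "$2" -ge 1 ] && [ "$2" -le "$n" ]
}

# new_world_command "K/N" FIPS_LEVEL CIPHER KEY_RECOVERY
#   FIPS_LEVEL   2 or 3 (3 adds the assumed --mode=fips-140-level-3 flag)
#   CIPHER       aes | aes-sp800   (suite names below are assumptions)
#   KEY_RECOVERY yes | no          (no adds the assumed --no-recovery flag)
new_world_command() {
  validate_quorum "$1" || { echo "invalid ACS quorum: $1" >&2; return 1; }
  cmd="new-world --initialize --module=1 --acs-quorum=$1"
  [ "$2" = 3 ] && cmd="$cmd --mode=fips-140-level-3"
  case "$3" in
    aes-sp800) cmd="$cmd --cipher-suite=DLf3072s256mAEScSP800131Ar1" ;;
    aes)       cmd="$cmd --cipher-suite=DLf3072s256mRijndael" ;;
    *) echo "unknown cipher suite: $3" >&2; return 1 ;;
  esac
  [ "$4" = no ] && cmd="$cmd --no-recovery"
  printf '%s\n' "$cmd"
}

# Demonstration with constructed values: a 2-of-3 ACS, FIPS 140 Level 3,
# the SP800-131A-compliant AES suite, key recovery left at its default (on).
new_world_command 2/3 3 aes-sp800 yes
```

The script only prints the command; it does not execute it. Because `new-world --initialize` erases any existing Security World on the module, the intended workflow is to review the printed line with the card custodians present and then run it by hand on the isolated computer.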