Every server, HSM-enabled by design.
Xorble specialises in innovative software solutions for cloud-based cryptography and Public Key Infrastructure (PKI).
In an era of increasing cyber threats, we aim to provide robust tools that enhance digital security, allowing organisations to protect sensitive data and ensure secure communications.
The Xorble KSP for Azure Key Vault finally provides a safe and secure way to use certificates within Azure without exporting and copying private keys to every virtual machine that uses them.
The following comparison table shows the different Azure Key Vault options for handling keys. When the Xorble Key Storage Provider is used with Premium Key Vault, it provides the most cost-effective HSM-based solution on the Azure platform.
| Option | Security Model | Windows Integration | FIPS Level | Tenancy | Pricing Model | Monthly Cost (USD) |
|---|---|---|---|---|---|---|
| Key Vault Standard | Copy of keys | Yes | None | Multi | Per key | $0–$2 |
| Key Vault Standard | Software Vault | No | FIPS 140-2 L2 | Multi | Per ops | $0–$5 |
| Key Vault Premium | Shared HSM | No | FIPS 140-3 L3 | Multi | Per key+ops | $10–$120 |
| KV Premium + Xorble KSP4KV | HSM via KSP | Yes | FIPS 140-3 L3 | Multi | KV + compute | $50–$200 |
| Managed HSM | Dedicated cluster | No | FIPS 140-3 L3 | Single | Hourly | ~$3300 |
| Azure Cloud HSM | Cluster | PKCS#11 | FIPS 140-3 L3 | Single | Hourly | ~$3300 |
| Dedicated HSM | Appliance | Yes | FIPS 140-2 L3 | Single | Hourly | ~$3400 |
NOTES
- Key Vault Standard and Premium costs depend on operations and keys.
- Xorble costs depend on VM size, e.g. ~$175/month (PKI server, 4 CPU cores, 16 GB of RAM).
- Managed / Cloud / Dedicated HSM are always-on hourly services (~$4.8/hour ≈ $3300/month).
Key Vault Premium + Xorble KSP provides the best balance of cost, security and Windows integration: Xorble KSP for Azure Key Vault is the most cost-effective way to provide a FIPS-backed HSM service with true native Windows KSP integration for Azure VMs.
Managed / Cloud / Dedicated HSM are justified where strict single-tenant isolation is required.
Cryptographic Software for the Cloud
Xorble KSP for Key Vault
The Xorble KSP for Key Vault is a Key Storage Provider (KSP) for general cryptographic use by Windows that uses Azure Key Vault as the key and certificate store.
The KSP is designed for organisations that require an HSM-backed service for applications such as PKI. The KSP supports RSA (2048-, 3072- and 4096-bit keys) and elliptic curve algorithms (ECDSA at 256, 384 and 521 bits).
Block All Exportable Certificates via Policy
In an earlier blog post, a simple PowerShell script was provided that dumps all certificates within all Key Vaults as PKCS#12 files. In theory, a simple fix for this is to create and apply a policy that blocks all exportable certificates – using Azure Policy, you can create a policy
Attacking Azure Key Vault for Fun
In an earlier blog post, we described how Azure Key Vault allows the key material of certificates to be exported by default in most scenarios. So how can we go about exploiting this? The first and most obvious way is to enumerate all Azure Key Vaults that you have access to and simply dump the keys out. […]
Introduction to Azure Key Vault
Azure Key Vault is a cloud service provided by Microsoft Azure that helps safeguard cryptographic keys and secrets used by cloud applications and services. Key Vault provides three main services, which can be accessed programmatically through APIs: Secret, Key and Certificat
Importance Of Secure Key Management using Azure Key Vault
The protection of private keys is of critical importance for the security and privacy of information protected using these keys. Azure Key Vault allows keys to be created that cannot be exported and in the case of the Premium Key Vault, the keys are protected by physical HSMs running in the cloud. “Yo
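The two posts above (blocking exportable certificates by policy, and preferring non-exportable HSM-protected keys) come down to one check on each certificate's policy. The following is an added example, not Xorble's code: it audits certificate policies offline against the key types the KSP supports, treating any exportable or software-only key as a finding, and shows a hardened copy of a failing policy. The policy dicts are constructed samples in the shape of the `policy` object returned by `az keyvault certificate show` (assumed format; no Azure call is made).

```python
import copy
from typing import Dict, List

# Key sizes and curves the page lists as supported by the KSP (RSA 2048/3072/4096,
# ECDSA P-256/P-384/P-521); anything else is reported so it can be reviewed.
RSA_SIZES = {2048, 3072, 4096}
EC_CURVES = {"P-256", "P-384", "P-521"}

# Constructed sample policies in the shape of the `policy` object that
# `az keyvault certificate show` returns (assumed format, no Azure call made).
SAMPLE_POLICIES: Dict[str, Dict] = {
    "web-tls": {"keyProperties": {"exportable": True, "keyType": "RSA",
                                  "keySize": 2048, "reuseKey": True, "curve": None}},
    "issuing-ca": {"keyProperties": {"exportable": False, "keyType": "RSA-HSM",
                                     "keySize": 4096, "reuseKey": False, "curve": None}},
    "code-sign": {"keyProperties": {"exportable": False, "keyType": "EC",
                                    "keySize": None, "reuseKey": False, "curve": "P-256K"}},
}

def audit_policy(name: str, policy: Dict) -> List[str]:
    """Return findings for one certificate policy; an empty list means compliant."""
    kp = policy.get("keyProperties") or {}
    findings = []
    # Key Vault's default certificate policy marks the key exportable, so a
    # missing flag is treated as exportable rather than silently passed.
    if kp.get("exportable", True):
        findings.append(f"{name}: private key is exportable")
    kty = kp.get("keyType") or ""
    if not kty.endswith("-HSM"):
        findings.append(f"{name}: key type '{kty}' is software-protected, not HSM")
    if kty.startswith("RSA") and kp.get("keySize") not in RSA_SIZES:
        findings.append(f"{name}: RSA size {kp.get('keySize')} not in {sorted(RSA_SIZES)}")
    elif kty.startswith("EC") and kp.get("curve") not in EC_CURVES:
        findings.append(f"{name}: EC curve {kp.get('curve')} not in {sorted(EC_CURVES)}")
    elif not (kty.startswith("RSA") or kty.startswith("EC")):
        findings.append(f"{name}: unrecognised key type '{kty}'")
    return findings

def hardened_policy(policy: Dict) -> Dict:
    """Copy of a policy with the key made non-exportable and HSM-protected."""
    fixed = copy.deepcopy(policy)
    kp = fixed.setdefault("keyProperties", {})
    kp["exportable"] = False
    kty = kp.get("keyType") or "RSA"
    kp["keyType"] = kty if kty.endswith("-HSM") else kty + "-HSM"
    return fixed

def run_audit(policies: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Audit every policy; only names with findings appear in the result."""
    return {n: f for n, p in policies.items() if (f := audit_policy(n, p))}

if __name__ == "__main__":
    for name, findings in run_audit(SAMPLE_POLICIES).items():
        print("\n".join(findings))
```

Note that a hardened policy only affects certificates created or renewed under it; an existing exportable key stays exportable until the certificate is re-issued.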
Every server, HSM-Enabled by default
