[Request] Support for Azure Managed HSM Vaults

[tollercode]

Azure also offers Managed HSM that are FIPS 140-2 lvl 3 compliant.
These instances follow the AKV API (no secret & cert support)

It would be nice to have the option to also use managed.
Managed HSM should support the action: getKey & signKey

The only difference is, that they use a different default endpoint: <your-HSM-name>.managedhsm.azure.net

Maybe that could be supported by setting a new optional flag within the uri parameter. E.g. managedhsm=true, or hsm=premium|managed|dedicated

premium = Current behavior using Premium AKV
managed = using Azure Managed HSM
dedicated = future implementation to support dedicated Azure HSM instances

See for a comparison of different AKV SKU

[maraino]

Hi @tollercode, do you know if this service is available in different clouds? I cannot find information about that, see
https://github.com/Azure/azure-sdk-for-go/blob/40a6c1541dd6f0beb3637a2d9b8e7621f4a6ac88/sdk/azcore/cloud/cloud.go#L9-L22

[tollercode]

Hey @maraino

According to this here
It is only available in the common cloud. No CN or Governmental clouds.

[maraino]

Hi @tollercode, I added some support in this PR smallstep/crypto#427

I'm going with managedhsm=true, as it looks like dedicated HSM uses Thales' own SDK or a PKCS#11 module.

One thing that I'm not currently enforcing is the use of the HSM key types when a new key is created (azkeys.JSONWebKeyTypeECHSM and azkeys.JSONWebKeyTypeRSAHSM). To do this, you will need to add hsm=true. But I would like you to test if the "soft" versions work on a managedhsm or if we must default to the HSM versions.

I don't see anything specific to the premium tier, I believe the SDK will work as it is.

An easy way to pull step-kms-plugin and the branch in crypto and add go.work file to step-kms-plugin so it compiles with the proper crypto:

go 1.20

use .
use ../crypto

[thecmdradama]

Hey @maraino,

Azure Managed HSM would only support the EC-HSM and RSA-HSM Key types, whereas Premium tier Key Vaults do support both software and HSM backed keys. See https://learn.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#object-types or https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys#hsm-protected-keys

Also keen for this to be added in a future release.

[maraino]

@thecmdradama, Do you have the ability to test the changes in my PR? The main reason it wasn't merged is that I wasn't able to test it.

[thecmdradama]

Hi @maraino, not easily with just those changes unfortunately.

If I could get a test docker image of step-ca, I can run up a Managed HSM in my own lab environment to validate.

[maraino]

If I could get a test docker image of step-ca, I can run up a Managed HSM in my own lab environment to validate.

@thecmdradama Would a docker image of step-kms-plugin work?

[thecmdradama]

@maraino Unfortunately I don't think it will. I believe that I would then have to compile my own step-ca container image using the test/dev kms plugin container

[thecmdradama]

Hey @maraino,

I have recently acquired some Azure credits so I can now run a Managed HSM for more than a couple of hours without costing a fortune.

If you were able to get me a docker image for step-kms-plugin I'll see what I can cobble together to do some testing.