
[Request] Support for Azure Managed HSM Vaults

Open tollercode opened this issue 1 year ago • 9 comments

Azure also offers Managed HSM instances that are FIPS 140-2 Level 3 compliant. These instances follow the AKV API (no secret & cert support).

It would be nice to have the option to also use Managed HSM. Managed HSM should support the actions getKey & signKey.

The only difference is that they use a different default endpoint: <your-HSM-name>.managedhsm.azure.net

Maybe that could be supported by setting a new optional flag within the URI parameter. E.g. managedhsm=true, or hsm=premium|managed|dedicated

- premium = current behavior using Premium AKV
- managed = using Azure Managed HSM
- dedicated = future implementation to support dedicated Azure HSM instances

See for a comparison of different AKV SKUs

tollercode avatar Feb 08 '24 09:02 tollercode

Hi @tollercode, do you know if this service is available in different clouds? I cannot find information about that, see https://github.com/Azure/azure-sdk-for-go/blob/40a6c1541dd6f0beb3637a2d9b8e7621f4a6ac88/sdk/azcore/cloud/cloud.go#L9-L22

maraino avatar Feb 08 '24 18:02 maraino

Hey @maraino

According to this here, it is only available in the common cloud. No CN or Governmental clouds.

tollercode avatar Feb 13 '24 11:02 tollercode

Hi @tollercode, I added some support in this PR https://github.com/smallstep/crypto/pull/427

I'm going with managedhsm=true, as it looks like dedicated HSM uses Thales' own SDK or a PKCS#11 module.

One thing that I'm not currently enforcing is the use of the HSM key types when a new key is created (azkeys.JSONWebKeyTypeECHSM and azkeys.JSONWebKeyTypeRSAHSM). To do this, you will need to add hsm=true. But I would like you to test if the "soft" versions work on a managedhsm or if we must default to the HSM versions.

I don't see anything specific to the premium tier, I believe the SDK will work as it is.

An easy way is to pull step-kms-plugin and the branch in crypto, and add a go.work file to step-kms-plugin so it compiles with the proper crypto:

```
go 1.20

use .
// local checkout of smallstep/crypto on the PR branch, sibling of step-kms-plugin
use ../crypto
```

maraino avatar Feb 14 '24 02:02 maraino

Hey @maraino,

Azure Managed HSM would only support the EC-HSM and RSA-HSM Key types, whereas Premium tier Key Vaults do support both software and HSM backed keys. See https://learn.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#object-types or https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys#hsm-protected-keys

Also keen for this to be added in a future release.

thecmdradama avatar Oct 01 '24 08:10 thecmdradama
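The two comments above describe how the proposed flags would change the plugin's behaviour: `managedhsm=true` selects the `<name>.managedhsm.azure.net` endpoint instead of `<name>.vault.azure.net`, and `hsm=true` selects the HSM-protected key types (`RSA-HSM`, `EC-HSM`) on key creation, with Managed HSM accepting only those. The following Go program is an added example written for this page, not code from smallstep/crypto or the PR; it assumes the plugin's `azurekms:name=<key>;vault=<vault>` URI shape and the flag names proposed in the thread, and it hand-rolls the URI parsing rather than using the project's own URI package.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// AzureKMSConfig is a hypothetical parsed form of a step-kms-plugin style
// azurekms URI, extended with the two optional flags discussed in the thread.
type AzureKMSConfig struct {
	Vault      string // Key Vault name or Managed HSM name
	Name       string // key name inside the vault
	ManagedHSM bool   // managedhsm=true: talk to <vault>.managedhsm.azure.net
	HSM        bool   // hsm=true: create HSM-protected key types (RSA-HSM / EC-HSM)
}

// ParseAzureKMSURI parses "azurekms:name=<key>;vault=<vault>[;managedhsm=true][;hsm=true]".
// The scheme and the name/vault parameters follow the plugin's azurekms format;
// the managedhsm and hsm flag names are the ones proposed in the thread (assumption).
func ParseAzureKMSURI(raw string) (*AzureKMSConfig, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "azurekms" {
		return nil, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	cfg := &AzureKMSConfig{}
	// The opaque part holds ";"-separated key=value pairs. Unknown keys are
	// rejected so that a typo such as "managedhms=true" cannot silently fall
	// back to the software-backed Key Vault endpoint.
	for _, kv := range strings.Split(u.Opaque, ";") {
		if kv == "" {
			continue
		}
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return nil, fmt.Errorf("malformed parameter %q", kv)
		}
		switch strings.ToLower(k) {
		case "name":
			cfg.Name = v
		case "vault":
			cfg.Vault = v
		case "managedhsm":
			if cfg.ManagedHSM, err = strconv.ParseBool(v); err != nil {
				return nil, fmt.Errorf("managedhsm: %w", err)
			}
		case "hsm":
			if cfg.HSM, err = strconv.ParseBool(v); err != nil {
				return nil, fmt.Errorf("hsm: %w", err)
			}
		default:
			return nil, fmt.Errorf("unknown parameter %q", k)
		}
	}
	if cfg.Name == "" || cfg.Vault == "" {
		return nil, fmt.Errorf("azurekms URI needs both name and vault")
	}
	// Managed HSM only offers HSM-protected key types, so managedhsm=true
	// implies hsm=true; a "soft" RSA/EC create request has no meaning there.
	if cfg.ManagedHSM {
		cfg.HSM = true
	}
	return cfg, nil
}

// VaultURL returns the base endpoint the azkeys client should be pointed at.
// Key Vault (standard and premium SKUs) lives under <vault>.vault.azure.net;
// Managed HSM uses a different DNS suffix, <hsm>.managedhsm.azure.net. Both are
// the Azure public cloud suffixes; the thread notes Managed HSM is not offered
// in the China or Government clouds.
func (c *AzureKMSConfig) VaultURL() string {
	if c.ManagedHSM {
		return "https://" + c.Vault + ".managedhsm.azure.net/"
	}
	return "https://" + c.Vault + ".vault.azure.net/"
}

// KeyType returns the JWK "kty" value to send on key creation. The strings are
// the same values as azkeys.JSONWebKeyTypeRSA, RSAHSM, EC and ECHSM.
func (c *AzureKMSConfig) KeyType(ellipticCurve bool) string {
	switch {
	case ellipticCurve && c.HSM:
		return "EC-HSM"
	case ellipticCurve:
		return "EC"
	case c.HSM:
		return "RSA-HSM"
	default:
		return "RSA"
	}
}

func main() {
	// Constructed sample URIs: a Premium Key Vault with HSM keys, and a Managed HSM.
	for _, raw := range []string{
		"azurekms:name=intermediate-ca;vault=my-premium-kv;hsm=true",
		"azurekms:name=intermediate-ca;vault=my-mhsm;managedhsm=true",
	} {
		cfg, err := ParseAzureKMSURI(raw)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s -> endpoint %s, RSA kty %s\n", raw, cfg.VaultURL(), cfg.KeyType(false))
	}
}
```

The check worth keeping from this sketch is the last one in `ParseAzureKMSURI`: when `managedhsm=true` is set, forcing the HSM key types avoids a create call that Managed HSM cannot satisfy, which is exactly the "soft versus HSM key type" question left open in the PR discussion.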

@thecmdradama, do you have the ability to test the changes in my PR? The main reason it wasn't merged is that I wasn't able to test it.

maraino avatar Oct 07 '24 23:10 maraino

Hi @maraino, not easily with just those changes unfortunately.

If I could get a test docker image of step-ca, I can run up a Managed HSM in my own lab environment to validate.

thecmdradama avatar Oct 08 '24 00:10 thecmdradama

> If I could get a test docker image of step-ca, I can run up a Managed HSM in my own lab environment to validate.

@thecmdradama Would a docker image of step-kms-plugin work?

maraino avatar Oct 14 '24 23:10 maraino

@maraino Unfortunately I don't think it will. I believe that I would then have to compile my own step-ca container image using the test/dev kms plugin container

thecmdradama avatar Oct 18 '24 00:10 thecmdradama