Global Encryption Trends 2023: Insights into data protection strategies Download Report

Tag: key management service

Cloud Key Management Service Options, Education Center

What are the services provided by Microsoft Azure?

by Puneet
Last updated on

  • Master Key Types

    Microsoft Azure offers 2048, 3072, and 4096 bit RSA asymmetric master keys, but it does not support any symmetric master keys.

  • Encryption Modes

    Microsoft Azure does not offer symmetric encryption methods, but does offer two asymmetric encryption methods: RSA OAEP and RSA PKCS#1v1.5.

  • Plaintext Size Limits

    Microsoft Azure offers a plaintext size limit of 0.25KB.

  • Bring Your Own Key (BYOK) Options: To utilize BYOK, the key being used on the cloud must first be imported the Cloud Service Provider, and to import the key, it must first be wrapped. Microsoft Azure takes an RSA key that is wrapped by AES and RSA-OAEP.

  • Signature Modes

    To ensure the integrity of data-in-transit, signatures are used. Microsoft Azure offers RSA-PSS, RSA PKCS#1V1.5, ECDSA with P-256, ECDSA with P-512, ECDSA with SECP-256k1. and ECDSA with P-384 signature methods.

  • Cloud HSM Compliance

    Each Cloud Service allows users to store keys in a cloud HSM, but the cloud HSM for each service has different compliancy certificates. Microsoft Azure’s regular Vault HSM is FIPS 140-2 level 2 compliant and its Managed HSM is FIPS 140-2 level 3 compliant.

  • Azure Key Vault Features

    Azure Key Vault protects keys and secrets with HSMs or software appliances. Both Azure Services and the customer can access the keys and secrets that are stored. Azure Key Vault is FIPS 140-2 Level 2 compliant and only supports asymmetric keys. It also supports RSA keys of sizes 2048, 3072 and 4096and Elliptic Curve key types P-256, P-384, P-521, and P-256K (SECP256K1). Azure Key Vault supports customer managed keys and manages tokens, passwords, certificates, API keys, and other secrets.

  • Azure Dedicated HSM Features

    Azure Dedicated HSM stores keys on an on-premises Luna HSM. This key storage is only accessible by the customer, allowing users to manage keys and not have to worry about the CSP having access to the keys. Azure Dedicated HSM is FIPS 140-2 Level 3 compliant and supports symmetric and asymmetric keys. It also supports RSA, DSA, Diffie-Hellman, Elliptic Curve Cryptography (ECDSA, ECDH, Ed25519, ECIES) with named, user-defined, and Brainpool curves, and KCDSA for asymmetric keys. Symmetric keys created with AES-GCM, Triple DES, DES, ARIA, SEED, RC2, RC4, RC5, and CAST are accepted by Azure Dedicated HSM. For Hash/Message Digest/HMAC, SHA-1, SHA-2, and SM3 are accepted, for key derivation SP800-108 Counter Mode is accepted, and for key wrapping SP800-38F is accepted. Azure Dedicated HSM is capable of offline key backup, and single device provisioning, but customer managed keys are not supported.

Tags:

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download
Encryption Services

About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

You might also be interested in

Where is PKI used?
Where is PKI used?
What is Certificate Scanning?
What is Certificate Scanning?
What are the two types of CA?
What are the two types of CA?

Explore More Topics

Cloud Key Management Service Options, Education Center

What services does Amazon Web Services (AWS) Provide?

by Puneet
Last updated on

  • Master Key Types

    Amazon Web Services (AWS) offers 2048, 3072, and 4096 bit RSA asymmetric master keys. It is also one of the only Cloud Service Providers (CSPs) to offer 256 bit symmetric master keys.

  • Encryption Modes

    AWS offers symmetric AES GCM and asymmetric RSA OAEP encryption methods.

  • Plaintext Size Limits

    Amazon Web Services offers a plaintext size limit of 4KB.

  • Bring Your Own Key (BYOK) Options

    To utilize BYOK, the key being used on the cloud must first be imported the Cloud Service Provider, and to import the key, it must first be wrapped. Amazon Web Services takes an AES-256 key that is wrapped by RSA 2048.

  • Signature Modes

    To ensure the integrity of data-in-transit, signatures are used. AWS offers RSA-PSS, RSA PKCS#1V1.5, ECDSA with P-256, ECDSA with P-512, ECDSA with SECP-256k1. and ECDSA with P-384 signature methods.

  • Cloud HSM Compliance

    Each Cloud Service allows users to store keys in a cloud HSM, but the cloud HSM for each service has different compliancy certificates. Amazon Web Services regular KMS HSM is FIPS 140-2 level 2 compliant and the AWS Custom Keystore CloudHSM is FIPS 140-2 level 3 compliant.

  • Amazon KMS Features

    AWS KMS has a managed service in AWS cloud for key storage. Both customers and AWS services can access keys stored in this way. AWS KMS is FIPS 140-2 Level 2 compliant and supports symmetric and asymmetric keys. It also supports RSAES_OAEP_SHA_1 and RSAES_OAEP_SHA_256 encryption algorithms with RSA 2048, RSA 3072, and RSA 4096 key types. Encryption algorithms cannot be used with the elliptic curve key types (ECC NIST P-256, ECC NIST P-384, ECC NIST-521, and ECC SECG P-256k1). When using elliptic curve key types, AWS KMS supports the ECDSA_SHA_256, ECDSA_SHA_384, and ECDSA_SHA_512 signing algorithms. AWS KMS is capable of limited key management, storage and auditing, and encryption.

  • Amazon CloudHSM Features

    AWS CloudHSM has a dedicated hardware appliance in AWS cloud for key storage. This key storage is only accessible by the customer, allowing users to manage keys and not have to worry about the CSP having access to the keys.
    AWS CloudHSM is FIPS 140-2 Level 3 compliant and supports symmetric and asymmetric keys. It also supports 2048-bit to 4096-bit RSA keys, in increments of 256 bits, 128, 192, and 256-bit AES keys, 3DES 192-bit keys, and keys with the P-224, P-256, P-384, P-521, and secp256k1 curves. Only the P-256, P-384, and secp256k1 curves are supported for sign and verify.
    AWS CloudHSM is capable of key management, key storage and auditing, and being provided as the root of trust for PKIs.

    Tags:

    Free Downloads

    Datasheet of Encryption Consulting Services

    Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

    Download
    Encryption Services

    About the Author

    President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

    You might also be interested in

    What is Certificate Management? SSL, TLS Certificate Management?
    What is Certificate Management? SSL, TLS Certificate Management?
    What is Secure Shell (SSH)? How does Secure Shell work?
    What is Secure Shell (SSH)? How does Secure Shell work?
    What is ECDSA Encryption? How does it work?
    What is ECDSA Encryption? How does it work?

    Explore More Topics

    Cloud Key Management Service Options, Education Center

    What are Google Cloud Platform (GCP) services?

    by Puneet
    Last updated on

    • Master Key Types

      Google Cloud Platform (GCP) offers 2048, 3072, and 4096 bit RSA asymmetric master keys.  It is also one of the only Cloud Service Providers (CSPs) to offer 256 bit symmetric master keys.

    • Encryption Modes

      GCP offers symmetric AES GCM and asymmetric RSA OAEP encryption methods.

    • Plaintext Size Limits

      Google Cloud Platform offers a plaintext size limit of 64KB.

    • Bring Your Own Key (BYOK) Options

      To utilize BYOK, the key being used on the cloud must first be imported the Cloud Service Provider, and to import the key, it must first be wrapped.Google Cloud Platform takes an AES-256 key that is wrapped by RSA 3072.

    • Signature Modes

      To ensure the integrity of data-in-transit, signatures are used. GCP offers RSA-PSS, RSA PKCS#1V1.5, ECDSA with P-256, and ECDSA with P-384 signature methods.

    • Cloud HSM Compliance

      Each Cloud Service allows users to store keys in a cloud HSM, but the cloud HSM for each service has different compliancy certificates. All HSM keys on Google Cloud Platform are FIPS 140-2 level 3 compliant.

    • Google Cloud KMS Features

      Google Cloud KMS can store keys in either an HSM or a software application. This key storage can be accessed by both the customer and the CSP. Google Cloud KMS is FIPS 140-2 Level 3 compliant if an HSM is used, and FIPS 140-2 Level 1 compliant if software keys are used. Google Cloud KMS supports symmetric and asymmetric keys. It also supports 256-bit Advanced Encryption Standard (AES-256) keys in Galois Counter Mode (GCM), padded with Cloud KMS-internal metadata and RSA keys of sizes 2048, 3072 and 4096.Google Cloud KMS is capable of key management, storage, auditing, encryption, encryption for Kubernetes, and both HSM and software key management.

    Tags:

    Free Downloads

    Datasheet of Encryption Consulting Services

    Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

    Download
    Encryption Services

    About the Author

    President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

    You might also be interested in

    What is PCI DSS? How do you become compliant with PCI DSS?
    What is PCI DSS? How do you become compliant with PCI DSS?
    What is Key Management? How does Key Management work?
    What is Key Management? How does Key Management work?
    What is an API?
    What is an API?

    Explore More Topics

    Let's talk