Monday, 24 June 2019

Objectives, Doings and Limitations with Azure Information Protection and BYOK

  • BYOK pricing and restrictions

Azure Rights Management enables BYOK according to a model that Microsoft calls customer-managed tenant keys. The customer creates an RSA 2048-bit key in their own HSM and then exports it to the HSM in Microsoft's data center. This RSA key is then used to encrypt the document encryption keys used by Azure RMS. An RSA 2048-bit key offers roughly the security strength of a 112-bit AES key. This means that the AES 256-bit encryption provided by Azure RMS effectively rests on only 112 bits of security. The US government has advised against the use of AES encryption keys below 256 bits.

Overview of the necessary steps:

  • Create an HSM-backed Azure Key Vault in a specific Azure region.
  • Generate your own key according to your IT policies. This requires, for example, a Thales HSM, smartcards and the supporting software.
  • Transfer the key from the HSM in your possession to the HSMs owned and managed by Microsoft that back Azure Key Vault for your vault. This process ensures that your key never leaves the hardware protection boundary.
  • Once transferred to Microsoft, your key remains protected by Thales HSMs. Microsoft has worked with Thales to ensure that the key cannot be recovered from Microsoft's HSMs, and certificates are provided to attest this.
  • Configure Azure Information Protection to use the HSM-backed key.
  • Azure Key Vault's near-real-time usage logs are available as an option. They also cover BYOK keys, so you can see exactly how and when the key is used with Azure Key Vault. Blob storage is required to store the logs.
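The steps above assembled into one PowerShell run, as an added example that is not code from the original post or from Microsoft. It assumes the Az and AIPService modules are installed and signed in, that the .byok key package was already produced in your own HSM with the vendor's BYOK toolset, and that the resource group, vault, key and storage account names are placeholders; the Azure Rights Management service principal id is Microsoft's well-known application id.

```powershell
# Added example: end-to-end BYOK setup for Azure Information Protection.
# Assumes Az.KeyVault, Az.Monitor, Az.Storage and AIPService are installed
# and that Connect-AzAccount and Connect-AipService have already been run.
# All names below are placeholders; replace them with your own values.
$rg          = 'rg-aip-byok'
$location    = 'westeurope'                  # must match the region of your AIP tenant
$vaultName   = 'kv-aip-byok-demo'
$keyName     = 'aip-tenant-key'
$byokFile    = 'C:\byok\aip-tenant-key.byok' # generated in your HSM with the vendor toolset
$storageName = 'staipkvlogsdemo'

# Step 1: HSM-backed vault. The Premium SKU is required for RSA-HSM keys;
# purge protection guards the tenant key against accidental deletion.
$vault = New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location $location `
    -Sku Premium -EnablePurgeProtection

# Steps 2 and 3: import the key package. The .byok blob is wrapped for
# Microsoft's HSMs, so the private key is never exposed in software.
$key = Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName `
    -KeyFilePath $byokFile -Destination HSM

# Check before going further: the imported key must be HSM-protected.
if ($key.Key.Kty -ne 'RSA-HSM') {
    throw "Key '$keyName' has type '$($key.Key.Kty)', expected 'RSA-HSM'; not configuring AIP with it."
}

# Step 4: grant the Azure Rights Management service principal only the key
# operations AIP needs. No delete, backup or export permission is granted.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName `
    -ServicePrincipalName '00000012-0000-0000-c000-000000000000' `
    -PermissionsToKeys decrypt,encrypt,unwrapkey,wrapkey,verify,sign,get

# Point AIP at the versioned key URL
# (https://<vault>.vault.azure.net/keys/<name>/<version>) and confirm it is listed.
Use-AipServiceKeyVaultKey -KeyVaultKeyUrl $key.Id
Get-AipServiceKeys

# Step 5: usage logging to Blob storage. AuditEvent records every wrap/unwrap
# the AIP service performs with this key, including caller and timestamp.
$storage = New-AzStorageAccount -ResourceGroupName $rg -Name $storageName `
    -Location $location -SkuName Standard_LRS -Kind StorageV2
Set-AzDiagnosticSetting -ResourceId $vault.ResourceId -StorageAccountId $storage.Id `
    -Enabled $true -Category AuditEvent
```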
BYOK and HYOK differ fundamentally in both scenario and implementation. HYOK is a kind of Azure RMS hybrid scenario. More details:

Prerequisites, Restrictions & Limitations

Support and SLA

  • Support for billing and subscription management is provided free of charge.
  • Technical support is available through the various Azure support plans, from €24.456/month for the Developer plan and €84.33/month for the Standard plan.
  • SLA: Microsoft guarantees that at least 99.9% of Key Vault transaction requests are processed within 5 seconds.

Call to Action

  • Evaluate the actual advantages and disadvantages of BYOK against your requirements and specifications in detail, together with the data protection officer and the departments involved.
  • Calculate the costs of the implementation, the required services and hardware, and the operating costs. Based on this, produce a cost-benefit analysis.
  • Do you have other services that already use BYOK with Azure? Do you already use your own key for other scenarios and therefore want to implement AIP BYOK as well?
  • Does HYOK meet your requirements better?