QCecuring - Enterprise Security Solutions

Cloud HSM and Managed HSM Services

Amarjeet Shukla

Key Takeaways

  • Cloud HSMs provide dedicated FIPS 140-2 Level 3 hardware in the cloud — you control the keys, the provider manages the hardware
  • AWS CloudHSM, Azure Managed HSM, and Google Cloud HSM each have different pricing, API models, and compliance certifications
  • Cloud KMS (multi-tenant, shared HSM fleet) vs Cloud HSM (dedicated, single-tenant, Level 3): choose based on compliance requirements, not just security preference. The validation level of the multi-tenant tier differs by provider and tier, so read the current certificate rather than assuming Level 2
  • Keys generated inside a cloud HSM never leave it in the clear, so migrating between providers means re-creating (or re-importing) keys and re-encrypting data. If portability matters, generate the key under your own custody and import it (BYOK) instead of letting the cloud HSM generate it

Cloud HSM services provide dedicated, single-tenant hardware security modules hosted in cloud data centers. You get the same FIPS 140-2 Level 3 tamper-resistant key protection as on-premises HSMs, without managing physical hardware, firmware updates, or data center logistics. The cloud provider manages availability and hardware lifecycle; you manage the keys, access policies, and cryptographic operations. The key material is yours — the provider cannot access it — but it’s permanently bound to their infrastructure.


Why it matters

  • No hardware procurement — on-premises HSMs cost $20,000-$100,000+ per unit, plus rack space, power, cooling, and maintenance contracts. Cloud HSMs start at ~$1-2/hour with no upfront cost.
  • FIPS 140-2 Level 3 — meets the same compliance bar as on-premises HSMs. Mandated for publicly trusted CA signing keys (CA/Browser Forum Baseline Requirements) and PCI PIN processing, and expected by many government control baselines.
  • Instant availability — provision an HSM cluster in minutes via API. No 6-week procurement cycle.
  • Cloud-native integration — direct integration with cloud services (KMS, EKS/GKE/AKS, Lambda, databases). No network bridging between on-premises HSM and cloud workloads.
  • Vendor lock-in — keys generated in a cloud HSM cannot be exported in plaintext (AWS CloudHSM allows wrapped export only for keys marked extractable when they were created). Migrating to another provider means generating new keys and re-encrypting everything, unless the key was imported from a copy you still hold. This is by design (security), but it's a business constraint.

How it works

  1. Provision HSM cluster — create an HSM cluster in your cloud VPC/VNet (typically 2+ nodes for HA)
  2. Initialize — set crypto officer credentials, configure quorum authentication
  3. Generate keys — create keys inside the HSM via PKCS#11, JCE, or cloud-native API
  4. Use keys — applications call the HSM for signing, encryption, decryption, key wrapping
  5. Manage lifecycle — rotate keys, update access policies, audit usage logs
  6. Backup — the provider handles hardware redundancy and the HSMs in a cluster synchronize keys among themselves; you own the recovery material (AWS CloudHSM takes encrypted cluster backups automatically, Azure Managed HSM requires you to download and safeguard the security domain and run full backups yourself)

In real systems

AWS CloudHSM:

# Create cluster (two subnets in different AZs for HA)
aws cloudhsmv2 create-cluster --hsm-type hsm1.medium \
  --subnet-ids subnet-abc subnet-def

# Add an HSM to the cluster (repeat in a second AZ for HA), then
# initialize the cluster by signing its CSR with your own CA
aws cloudhsmv2 create-hsm --cluster-id <cluster-id> --availability-zone us-east-1a
aws cloudhsmv2 initialize-cluster --cluster-id <cluster-id> \
  --signed-cert file://cluster.crt --trust-anchor file://customer-ca.crt

# Activate the cluster (sets the admin / crypto officer password),
# then create a crypto user for applications
/opt/cloudhsm/bin/cloudhsm-cli interactive
> cluster activate
> login --username admin --role admin
> user create --username app-user --role crypto-user

# Use via PKCS#11 (OpenSSL, Nginx, Java), the JCE provider for Java
# applications, the CNG/KSP provider on Windows, or a KMS custom key
# store (bridge CloudHSM to the KMS API)

# Pricing: ~$1.50/hour per HSM (~$1,100/month); two HSMs for HA

Azure Managed HSM:

# Create managed HSM (administrators are Entra object IDs, not e-mail
# addresses; --retention-days is required for Managed HSM)
oid=$(az ad signed-in-user show --query id -o tsv)
az keyvault create --hsm-name my-hsm --resource-group rg \
  --location eastus --administrators $oid --retention-days 28

# Activate: download the security domain, encrypted to a quorum of
# RSA certificates you generate and keep offline (needed for restore/DR)
az keyvault security-domain download --hsm-name my-hsm \
  --sd-wrapping-keys cert_0.cer cert_1.cer cert_2.cer --sd-quorum 2 \
  --security-domain-file my-hsm-SD.json

# Administrators manage the HSM but cannot use keys; grant a data-plane
# crypto role before creating keys
az keyvault role assignment create --hsm-name my-hsm \
  --role "Managed HSM Crypto User" --assignee $oid --scope /keys

# Generate key (every Managed HSM key is HSM-backed)
az keyvault key create --hsm-name my-hsm --name ca-key \
  --kty EC-HSM --curve P-256 --ops sign verify

# Sign: the CLI takes the base64-encoded digest, not the raw data
az keyvault key sign --hsm-name my-hsm --name ca-key \
  --algorithm ES256 \
  --digest $(echo -n "data" | openssl dgst -sha256 -binary | base64)

# Pricing: ~$3.20/hour per HSM pool (~$2,300/month)
# FIPS 140-2 Level 3 (Marvell LiquidSecurity)

Google Cloud HSM (via Cloud KMS):

# Create HSM-backed key (the key ring must already exist:
# gcloud kms keyrings create pki-keyring --location=us-east1)
gcloud kms keys create ca-signing-key \
  --keyring=pki-keyring --location=us-east1 \
  --purpose=asymmetric-signing \
  --default-algorithm=ec-sign-p256-sha256 \
  --protection-level=hsm

# Sign (gcloud hashes the file locally and sends only the digest)
gcloud kms asymmetric-sign \
  --location=us-east1 --keyring=pki-keyring \
  --key=ca-signing-key --version=1 \
  --digest-algorithm=sha256 --input-file=data.bin \
  --signature-file=sig.bin

# Verify offline with the public half; the HSM never releases the private key
gcloud kms keys versions get-public-key 1 \
  --location=us-east1 --keyring=pki-keyring --key=ca-signing-key \
  --output-file=ca-signing-key.pem
openssl dgst -sha256 -verify ca-signing-key.pem -signature sig.bin data.bin

# Pricing: $1-2.50 per key version/month + $0.03-0.15 per 10,000 operations
# FIPS 140-2 Level 3 (Marvell, formerly Cavium, LiquidSecurity)
# PKCS#11: Google ships a client library (libkmsp11) that fronts the KMS API

Comparison:

                    AWS CloudHSM             Azure Managed HSM            Google Cloud HSM
FIPS Level          140-2 Level 3            140-2 Level 3                140-2 Level 3
Pricing Model       Per-hour, per HSM        Per-hour, per pool           Per key version + per 10k ops
PKCS#11 Support     Yes (native client,      No official library          Yes (libkmsp11 client library
                    JCE, CNG/KSP)            (REST API; community shims)  that calls the KMS API)
Min Cost/Month      ~$1,100 (1 HSM),         ~$2,300                      ~$1-2.50 per key version
                    ~$2,200 for HA
Multi-Region        Manual (copy cluster     Regional pool; DR via        Built-in (multi-region
                    backup to a region)      full backup/restore          key locations)
Key Export          Wrapped export only if   No (BYOK import; full        No (BYOK import)
                    marked extractable;      backup/restore; secure key
                    BYOK via key unwrap      release to attested enclaves)

Where it breaks

Cost surprise at scale — a team provisions AWS CloudHSM for a single CA key. Cost: $1,100/month for one HSM (need 2 for HA = $2,200/month). For a single key that signs once per day. Google Cloud KMS with the HSM protection level would cost about $2.50/month for that key version, with operations billed per 10,000 calls. The arithmetic only flips at sustained high volume: at $0.15 per 10,000 operations you need well over a hundred million HSM operations a month before the per-operation bill reaches $2,200. Match the service tier to your actual requirements: a dedicated HSM is for sustained high volume, workloads that need a native HSM client, or strict compliance needs, not every key.

No native PKCS#11 on Azure — your CA software (EJBCA, OpenXPKI) expects a PKCS#11 module to reach the signing key. Azure Managed HSM exposes a REST API only; community PKCS#11 shims exist, but nothing Microsoft supports. Google Cloud HSM is reached through Cloud KMS, which ships a PKCS#11 client library (libkmsp11) that turns each PKCS#11 call into a KMS API request: it works for CA signing, but every operation is a network round trip and mechanism coverage is narrower than a native HSM client. AWS CloudHSM has a native PKCS#11 client, as does an on-premises HSM. Some CA products also ship provider-specific REST crypto tokens. Verify API compatibility and measure signing latency against your CA software before choosing a cloud HSM provider; do not assume.

Key stuck in one provider — you generate your Root CA key in AWS CloudHSM. Two years later, you're migrating to Azure. The Root CA key cannot be exported; it is permanently in AWS. Your options: keep paying AWS for that one HSM forever, or create a new Root CA in Azure and redistribute trust (months of work). Plan for this at key generation time: decide whether the key needs to be portable, and if it does, generate it under your own custody (an on-premises HSM with a documented key ceremony, which is also what CA audits expect) and import it into the cloud HSM rather than generating it there.
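The import path that makes a key portable is the same construction at all three providers, CKM_RSA_AES_KEY_WRAP: the target key is wrapped with AES key wrap with padding (RFC 5649) under a fresh AES-256 key, that AES key is encrypted to the provider's RSA import key with OAEP, and the two blobs are concatenated with the RSA part first (AWS KMS calls the wrapping algorithm RSA_AES_KEY_WRAP_SHA_256, the Azure Managed HSM BYOK tooling uses CKM_RSA_AES_KEY_WRAP, Google's import method is RSA_OAEP_3072_SHA256_AES_256). The Go program below is an added example, not code from this article or from any provider: it implements both halves locally so the round trip can be checked, with the provider's RSA import key generated in-process as a stand-in and a constructed 32-byte placeholder as the key being imported. The names aesKWPWrap, aesKWPUnwrap, wrapForImport, unwrapImport and roundTrip are the example's own; the single-block case of RFC 5649 (inputs of 8 bytes or less) is deliberately left out because no real key is that short.

```go
// Added example (not from the article): CKM_RSA_AES_KEY_WRAP, the wrapping
// behind cloud HSM BYOK imports, with the provider's RSA import key generated
// locally as a stand-in (assumption) and a constructed placeholder target key.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

var kwpAIV = []byte{0xA6, 0x59, 0x59, 0xA6} // RFC 5649 alternative IV prefix

// aesKWPWrap is RFC 5649 AES key wrap with padding (CKM_AES_KEY_WRAP_KWP)
// for inputs longer than 8 bytes; out[:8] holds A, out[8i:8i+8] holds R[i].
func aesKWPWrap(kek, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	if len(plaintext) <= 8 { // RFC 5649 single-block case, not needed for real keys
		return nil, errors.New("kwp: inputs of 8 bytes or less not handled here")
	}
	out := make([]byte, 8, 8+len(plaintext)+7) // AIV = A65959A6 || 32-bit length
	copy(out, kwpAIV)
	binary.BigEndian.PutUint32(out[4:], uint32(len(plaintext)))
	out = append(out, plaintext...)
	out = append(out, make([]byte, (8-len(plaintext)%8)%8)...) // zero pad to 8n
	n := len(out)/8 - 1
	buf := make([]byte, 16)
	for j := 0; j <= 5; j++ { // RFC 3394 rounds with the AIV as the IV
		for i := 1; i <= n; i++ {
			copy(buf[:8], out[:8])
			copy(buf[8:], out[8*i:8*i+8])
			block.Encrypt(buf, buf)
			binary.BigEndian.PutUint64(out[:8], binary.BigEndian.Uint64(buf[:8])^uint64(n*j+i))
			copy(out[8*i:8*i+8], buf[8:])
		}
	}
	return out, nil
}

// aesKWPUnwrap inverts aesKWPWrap; a wrong KEK or a tampered blob fails the
// AIV, length or padding check instead of yielding garbage key material.
func aesKWPUnwrap(kek, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(blob)/8 - 1
	if n < 2 || len(blob)%8 != 0 {
		return nil, errors.New("kwp: bad ciphertext length")
	}
	out := append([]byte{}, blob...)
	buf := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {
			binary.BigEndian.PutUint64(buf[:8], binary.BigEndian.Uint64(out[:8])^uint64(n*j+i))
			copy(buf[8:], out[8*i:8*i+8])
			block.Decrypt(buf, buf)
			copy(out[:8], buf[:8])
			copy(out[8*i:8*i+8], buf[8:])
		}
	}
	mli := int(binary.BigEndian.Uint32(out[4:8]))
	if !bytes.Equal(out[:4], kwpAIV) || mli <= 8*(n-1) || mli > 8*n {
		return nil, errors.New("kwp: integrity check failed")
	}
	if !bytes.Equal(out[8+mli:], make([]byte, 8*n-mli)) {
		return nil, errors.New("kwp: bad padding")
	}
	return out[8 : 8+mli], nil
}

// wrapForImport is the exporting side: target key under a fresh AES-256 KEK
// (KWP), KEK under the provider's RSA import key (OAEP-SHA256), RSA part first.
func wrapForImport(importPub *rsa.PublicKey, targetKey []byte) ([]byte, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	wrappedKey, err := aesKWPWrap(kek, targetKey)
	if err != nil {
		return nil, err
	}
	wrappedKEK, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, importPub, kek, nil)
	if err != nil {
		return nil, err
	}
	return append(wrappedKEK, wrappedKey...), nil
}

// unwrapImport models the HSM side; in a real import the RSA private half
// never leaves the HSM and only the recovered key material is stored there.
func unwrapImport(importPriv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	k := importPriv.Size()
	if len(blob) <= k {
		return nil, errors.New("import blob too short")
	}
	kek, err := rsa.DecryptOAEP(sha256.New(), nil, importPriv, blob[:k], nil)
	if err != nil {
		return nil, err
	}
	return aesKWPUnwrap(kek, blob[k:])
}

// roundTrip wraps a constructed 256-bit key for import, unwraps it, and checks
// that a blob made for one import key is rejected by a different one.
func roundTrip() bool {
	importKey, err1 := rsa.GenerateKey(rand.Reader, 2048) // providers issue 2048-4096-bit import keys
	otherKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return false
	}
	targetKey := bytes.Repeat([]byte{0x5A}, 32) // constructed placeholder for the key being imported
	blob, err := wrapForImport(&importKey.PublicKey, targetKey)
	if err != nil {
		return false
	}
	got, err := unwrapImport(importKey, blob)
	if err != nil || !bytes.Equal(got, targetKey) {
		return false
	}
	_, err = unwrapImport(otherKey, blob)
	return err != nil
}

func main() {
	fmt.Println("BYOK wrap/unwrap round trip ok:", roundTrip())
}
```

Two caveats worth keeping in mind when using this for real. Import only buys portability if the original copy stays in a custodian you control; wrapping a key that was generated in plain software on a laptop defeats the Level 3 story and will not pass a CA audit. And it does nothing for keys that were already generated inside a cloud HSM: once imported, the key inherits the provider's non-exportable attribute just like a natively generated one.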


Operational insight

The decision between Cloud KMS (multi-tenant, API-based, validated at Level 2 or Level 3 depending on the provider and tier) and Cloud HSM (dedicated, FIPS Level 3, higher cost) should be driven by compliance requirements, not security paranoia. For most encryption keys (data at rest, application secrets), the multi-tenant KMS tier is sufficient and 10-100x cheaper. Reserve Cloud HSM for: CA signing keys (the CA/Browser Forum Baseline Requirements that WebTrust audits enforce require Level 3 or Common Criteria EAL 4+), payment processing keys (PCI PIN requires Level 3 or PCI HSM), and government workloads whose control baseline mandates a dedicated or Level 3 module (FedRAMP requires FIPS 140-validated cryptography; check whether your baseline specifies the level). Using a dedicated HSM for everything is like using a bank vault to store your lunch: technically more secure, but the cost doesn't match the risk.

