Ensure key vault key is backed by HSM

Error: Key vault key is not backed by HSM

Bridgecrew Policy ID: BC_AZR_GENERAL_17
Checkov Check ID: CKV_AZURE_112
Severity: LOW

Key vault key is not backed by HSM


For added assurance, when you use Azure Key Vault, you can import or generate keys in hardware security modules (HSMs) that never leave the HSM boundary. This scenario is often referred to as bring your own key, or BYOK. Azure Key Vault uses nCipher nShield family of HSMs (FIPS 140-2 Level 2 validated) to protect your keys.
You should be aware of the cost implications of using an HSM and whether this fits in with your security posture.

Fix - Buildtime


  • Resource: azurerm_key_vault_key
  • Argument: key_type - (Required) Specifies the Key Type to use for this Key Vault Key. Possible values are EC (Elliptic Curve), EC-HSM, Oct (Octet), RSA and RSA-HSM. Changing this forces a new resource to be created.
resource "azurerm_key_vault_key" "generated" {
+  key_type     = "RSA-HSM"

Select an option with "-HSM" to pass this check.