smallstep / step-kms-plugin

🔐 step plugin to manage keys and certificates on cloud KMSs and HSMs
Apache License 2.0

[Request] Support for Azure Managed HSM Vaults #134

Open tollercode opened 6 months ago

tollercode commented 6 months ago

Azure also offers Managed HSM, which is FIPS 140-2 Level 3 compliant. These instances follow the AKV API (no secret & cert support).

It would be nice to have the option to also use Managed HSM. Managed HSM should support the actions getKey & signKey.

The only difference is that they use a different default endpoint: <your-HSM-name>.managedhsm.azure.net

Maybe that could be supported by setting a new optional flag within the uri parameter, e.g. managedhsm=true, or hsm=premium|managed|dedicated:

premium = current behavior using Premium AKV
managed = using Azure Managed HSM
dedicated = future implementation to support dedicated Azure HSM instances

See for a comparison of the different AKV SKUs.

maraino commented 6 months ago

Hi @tollercode, do you know if this service is available in different clouds? I cannot find information about that, see https://github.com/Azure/azure-sdk-for-go/blob/40a6c1541dd6f0beb3637a2d9b8e7621f4a6ac88/sdk/azcore/cloud/cloud.go#L9-L22

tollercode commented 6 months ago

Hey @maraino

According to this here, it is only available in the common cloud. No CN or Governmental clouds.

maraino commented 6 months ago

Hi @tollercode, I added some support in this PR https://github.com/smallstep/crypto/pull/427

I'm going with managedhsm=true, as it looks like dedicated HSM uses Thales' own SDK or a PKCS#11 module.

One thing that I'm not currently enforcing is the use of the HSM key types when a new key is created (azkeys.JSONWebKeyTypeECHSM and azkeys.JSONWebKeyTypeRSAHSM). To do this, you will need to add hsm=true. But I would like you to test if the "soft" versions work on a managedhsm or if we must default to the HSM versions.

I don't see anything specific to the premium tier, I believe the SDK will work as it is.

An easy way is to pull step-kms-plugin and the branch in crypto, and add a go.work file to step-kms-plugin so it compiles with the proper crypto:

go 1.20

use .
use ../crypto
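As an added example (not code from step-kms-plugin or the crypto PR), the following Go snippet shows the two selections the thread discusses: managedhsm=true only swaps the default endpoint to <vault>.managedhsm.azure.net, while hsm=true is what selects the *-HSM key types on key creation. The azurekms URI shape, the type and function names are assumptions; the key type strings mirror the azkeys constants named above.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

type VaultTarget struct {
	VaultURL   string // https://<vault>.vault.azure.net or https://<vault>.managedhsm.azure.net
	ManagedHSM bool   // managedhsm=true: use the Managed HSM endpoint (public cloud only)
	HSMKeys    bool   // hsm=true: create keys with the *-HSM key types
}
// ParseAzureKMSURI: hypothetical resolver for the assumed shape azurekms:name=<key>;vault=<vault>?managedhsm=true&hsm=true
func ParseAzureKMSURI(raw string) (VaultTarget, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "azurekms" {
		return VaultTarget{}, fmt.Errorf("not an azurekms URI: %q", raw)
	}
	fields := map[string]string{} // the opaque part holds ;-separated key=value pairs
	for _, kv := range strings.Split(u.Opaque, ";") {
		if k, v, ok := strings.Cut(kv, "="); ok {
			fields[k] = v
		}
	}
	if fields["name"] == "" || fields["vault"] == "" {
		return VaultTarget{}, fmt.Errorf("azurekms URI needs both name and vault: %q", raw)
	}
	t := VaultTarget{ManagedHSM: u.Query().Get("managedhsm") == "true", HSMKeys: u.Query().Get("hsm") == "true"}
	domain := "vault.azure.net" // Premium (or standard) AKV: the current behaviour
	if t.ManagedHSM {
		domain = "managedhsm.azure.net" // only the default endpoint differs; the API is the same
	}
	t.VaultURL = "https://" + fields["vault"] + "." + domain
	return t, nil
}
// KeyType is the kty for a create-key request; only hsm=true selects the HSM variants.
func (t VaultTarget) KeyType(rsa bool) string {
	kty := map[bool]string{false: "EC", true: "RSA"}[rsa] // azkeys.JSONWebKeyTypeEC / JSONWebKeyTypeRSA
	if t.HSMKeys {
		kty += "-HSM" // azkeys.JSONWebKeyTypeECHSM / JSONWebKeyTypeRSAHSM
	}
	return kty
}
func main() {
	t, _ := ParseAzureKMSURI("azurekms:name=signing-key;vault=my-hsm?managedhsm=true&hsm=true")
	fmt.Println(t.VaultURL, t.KeyType(false)) // https://my-hsm.managedhsm.azure.net EC-HSM
}
```

A URI with managedhsm=true but without hsm=true still yields the "soft" EC/RSA types, which is exactly the case the thread asks to be tested against a Managed HSM.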