BYOK: Enable HSM and Key Vault traceability
When using the BYOK procedure, after uploading your HSM-generated key to the Key Vault there is zero traceability to confirm that what was uploaded in the cloud is actually what you have originally generated with your nCipher HSM.
The solution is very simple - nCipher HSMs already generate hashes for the generated keys in the security world metadata, AKV should store / display the hash after successful upload so you can verify your keys at any time.
Otherwise the following attack scenario is possible (if unlikely):
* Knowledge of the attack target's subscription ID (not particularly confidential information at large corporations using dozens of services under one subscription)
* Knowledge of the attack target's Azure region
* 1 compromised person in the BYOK-procedure chain
* Attacker's subscription in the appropriate region
* Attacker's own nCipher HSM
1. Generate key with attacker's HSM
2. Sign transfer package with target's subscription ID
3. Encrypt transfer package with appropriate Azure region key exchange keys
4. During the BYOK procedure (the key transfer packages are usually carried from the offline PAW to the online PAW on some kind of medium like a USB-stick) the compromised person or the attacker him- / herself swaps the target's transfer package with the attacker's transfer package (remember, it's signed for the target's subscription ID)
5. Key is uploaded to AKV with no positive traceability info and henceforth the attacker's key is used by the target to encrypt "whatever" without the target's having any possibility of knowing this
In my opinion this could be especially bad if a large company relied on AKV with BYOK in conjunction with Azure Information Protection to protect ALL their sensitive Mails and Documents.