As cloud workloads grow more autonomous and AI systems process increasingly sensitive data, trust needs to be baked directly into the underlying infrastructure. Azure Integrated HSM embeds hardware-level key protection natively within Azure, stretching cryptographic trust from the chip itself all the way up to running services through a design that is both verifiable and transparent.
Cloud workloads are becoming more autonomous, and AI systems are handling data that is more critical than ever. Because of this, trust must be woven into infrastructure at every level. At Microsoft, security is built into the very foundation of our cloud platform, starting at the silicon layer and extending up through every service. With the Azure Integrated Hardware Security Module (HSM), Microsoft is fundamentally changing how cryptographic trust is provided in the cloud.
Azure Integrated HSM is a tamper-resistant, Microsoft-designed hardware security module that comes built into every new Azure server. It enhances existing key management services by delivering hardware-enforced protection right where workloads run. Instead of depending only on centralized services, this approach turns hardware-backed security into a built-in feature of the compute platform itself.
Azure Integrated HSM is designed to comply with FIPS 140-3 Level 3, the top benchmark for hardware security modules trusted by governments and regulated industries around the globe. Level 3 demands robust tamper resistance, strict hardware-enforced isolation, and safeguards against both physical and logical key extraction. By embedding these guarantees directly into the platform, Azure makes elite compliance levels a standard part of the cloud experience rather than a niche configuration or paid upgrade.
Building trust through transparency with open-source designs
Our philosophy for hardware security rests on a straightforward principle: transparency earns trust, and collaboration across the industry makes security stronger. When designs are open, customers, partners, and regulators can examine design decisions and confirm security boundaries for themselves.
This week at the Open Compute Project (OCP) EMEA Summit, we shared plans to open Azure Integrated HSM to the wider open hardware community. Through OCP, we intend to release the Azure Integrated HSM firmware, driver, and software stack as open source, and establish an OCP workgroup to oversee future development covering architectural design, protocol specifications, firmware, and hardware. The Azure Integrated HSM firmware is already accessible through the Azure Integrated HSM GitHub repository, along with independent validation materials such as the OCP SAFE audit report.
This level of openness matters especially for regulated industries and sovereign cloud use cases, where security controls must be independently verified. By putting key components up for external review, Azure Integrated HSM lets customers, partners, and regulators evaluate implementation specifics directly instead of depending solely on claims made by the vendor.
This approach deepens confidence in the platform and lays a more transparent and verifiable groundwork for cloud security, while cutting dependence on proprietary vendor-specific protocols. At a moment in time when cryptographic trust supports everything from AI inference to national digital infrastructure, open-sourcing the HSM represents a concrete move toward interoperability, the ability to audit, and stronger customer confidence.
A layered approach to key management
This architecture works hand in hand with services such as Azure Key Vault and Azure Managed HSM, which continue to deliver centralized key lifecycle management, governance, and policy enforcement. Azure Integrated HSM introduces an additional tier — one that extends cryptographic protection all the way down to the individual server, ensuring keys are safeguarded not only at rest but also while actively in use by workloads. The Azure Integrated HSM also supports industry standards like TDISP, enabling secure connections between the HSM and confidential computing environments.
In the coming weeks, Azure Integrated HSM will roll out to Azure V7 virtual machines and be accessible to all customers worldwide.
Setting a new standard for server-local key protection at scale
With Azure Integrated HSM, encryption keys are created, stored, and operated on entirely within hardened hardware. Keys are designed to never surface in host memory, guest memory, or any software process — even while cryptographic operations are actively underway. By confining keys within the hardware boundary at all times, Azure Integrated HSM removes entire categories of key and credential theft attacks that target memory or software layers.
The outcome is genuine customer control enforced by the silicon itself, not by policy alone. Security no longer hinges on perfect operational practices or intricate isolation assumptions; it is guaranteed by hardware.
Conventional cloud security architectures depend on centralized HSM services reached over the network. Although effective, these setups bring shared blast radius concerns, scaling difficulties, and performance limitations as workloads expand.
By anchoring cryptographic protection directly to each server, security grows naturally alongside compute resources. There are no shared chokepoints, no extra network round trips, and no requirement to sacrifice performance for safety. As Azure grows, security grows right alongside it.
Hardware roots of trust, measured boot, and attestation mean Azure Integrated HSM makes trust something that can be proven rather than merely promised. Customers and regulators can cryptographically verify that the correct hardware, firmware, and configurations are in place. The open-source firmware adds yet another layer of verifiability. Trust is no longer something you take on faith — it is something you can demonstrate.
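A worked illustration of the measured-boot and attestation check described above, added here as example code and not taken from Azure Integrated HSM's firmware or from any Microsoft API: a root of trust extends each boot measurement into a register and signs the result, and the relying party checks that signature, replays the event log against the golden digests it trusts (for instance, a published firmware build hash), and rejects any quote the log does not reproduce. The component names, digests, and the HMAC standing in for the quote signature are constructed stand-ins.

```python
import hashlib
import hmac

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed golden values: the digests a verifier is willing to accept for
# each measured component (in practice, published reproducible-build hashes).
GOLDEN = {
    "hsm-firmware": {digest(b"hsm-firmware v1.2.0 (reproducible build)")},
    "platform-config": {digest(b"config: fips-mode=on debug=off")},
}

# Stand-in attestation key. Real attestation signs the quote with an
# asymmetric key certified by the hardware vendor; HMAC keeps this offline.
ATTEST_KEY = b"constructed-attestation-key"

def extend(register: str, measurement: str) -> str:
    """Measured-boot extend: new = H(old || measurement). Order matters."""
    return hashlib.sha256(bytes.fromhex(register) + bytes.fromhex(measurement)).hexdigest()

def sign_quote(register: str) -> str:
    return hmac.new(ATTEST_KEY, bytes.fromhex(register), "sha256").hexdigest()

def boot_and_quote(log):
    """Root of trust side: fold every (component, digest) into the register, then sign it."""
    reg = "00" * 32
    for _, d in log:
        reg = extend(reg, d)
    return reg, sign_quote(reg)

def verify(log, quoted_reg: str, quote: str):
    """Relying party side: signature first, then golden digests, then log replay."""
    if not hmac.compare_digest(sign_quote(quoted_reg), quote):
        return False, "quote signature invalid"
    reg = "00" * 32
    for comp, d in log:
        if d not in GOLDEN.get(comp, set()):
            return False, f"unexpected measurement for {comp}"
        reg = extend(reg, d)
    if reg != quoted_reg:
        return False, "log does not replay to quoted register"
    return True, "ok"

# Constructed event log for a boot that matches the golden values.
GOOD_LOG = [
    ("hsm-firmware", digest(b"hsm-firmware v1.2.0 (reproducible build)")),
    ("platform-config", digest(b"config: fips-mode=on debug=off")),
]
```

A modified firmware image fails the golden check, and presenting the clean log alongside a quote taken from the modified boot fails the replay, so neither the log nor the quote can be substituted on its own.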
Taken together, these capabilities define a fresh baseline for cloud security, one where hardware-enforced, verifiable trust becomes the standard for everything from core infrastructure services to the next generation of AI workloads.
Azure Integrated HSM works seamlessly with confidential computing hardware, open silicon trust foundations, Azure Boost technology, and secure control systems operating across entire datacenters. By combining these elements, it creates a comprehensive trust chain that spans from hardware to software applications, addressing evolving demands in the age of artificial intelligence.
We welcome cloud users, technology partners, and open-source developers worldwide to participate in advancing this framework and influencing upcoming industry-wide security standards. Through collective effort, we can design cloud solutions that are protected, independently governed, and built on open principles—ready to meet emerging challenges.
To explore further, check out the release announcement post and discover additional details on Azure’s security capabilities.