One powerful feature of Windows Azure RMS is BYOK or Bring-Your-Own-Key. This feature is quite popular among customers with stringent security requirements (or, as I often say, the cloud using but also cloud reluctant crowd). We've tweaked our BYOK to not require flying to Redmond anymore...and no, this has nothing to do with Delta's recent changes to their frequent flyer program ;)
For those new to the BYOK offering, this feature allows Windows Azure RMS tenants to be in full control of their tenant key (the root of trust for RMS), and to 'pin their key' to a FIPS140-2 HSMs (hardware security modules). This feature is described in detail at http://technet.microsoft.com/en-us/library/dn440580.aspx.
Until now, for security reasons, the BYOK option has required tenants to fly to Redmond (where we are based) to import their key into Microsoft’s HSMs in person. Despite this requirement to visit us, the keys were still bound to HSMs in each of our main geographies: EU, US, or APAC. Said differently, though you made a trip to (rainy) Redmond, that requirement never did imply the keys would function with our US-based HSMs... something our friendly customers in the EU would prefer we not permit for obvious reasons.
Today we're happy to say that we added a significantly simpler and completely self-service option for BYOK. The new toolset enables you to transfer your key, from your on-premise HSM to Microsoft’s (per-GEO) HSMs, over the wire. There is no need to fly to Redmond anymore. Also, there is no need to spend a few hours with our friendly Azure RMS operators to execute the key ceremony'. By the way, if the concept of a 'key ceremony' means nothing to you, here is a video of a somewhat historical one.
We did this work in collaboration with our HSM partner Thales E-Security and so they vouch that this process results in a secure transfer of the key from your on-premises HSM into our data center HSMs in a manner that maintains the root principle of us never being able to see or export your key. This is described in this white paper from Thales: https://www.thales-esecurity.com/knowledge-base/white-papers/hardware-key-management-in-the-rms-cloud
Other than this new mechanism to import your key, all other aspects of BYOK stay the same. That includes pricing -- it is free -- as well as pre-requisites, restrictions, how Microsoft uses your key once you upload it, and how you get usage logs for your key.
The new toolset is in preview. If you would like to participate in this preview, please send email to mailto:firstname.lastname@example.org to get started.
If you want to stay in touch with us, follow us on twitter (@TheRMSGuy) and join in our RMS peer community at www.yammer.com/AskIPTeam.
Dan on behalf of the Rights Management team
Still wondering if there will be any support for SafeNet or other HSMs in Azure RMS...
At this time, no. The particularity of the offer implies strong ties to a given offering. Not saying never but at this time we're bound to a given HSM brand. If you have specific feedback, please send us a note to askIPteam@microsoft.com. Thanks
Will the BYOK Scenario work with Office 365 RMS(Exchange)?
it works with Office 365 but not with Exchange Online (out of the box)
and here is the site to import the RMS key manualy into Exchange Online
Hope that helps
Michael (MVP Office 365)
Hi guys that this mean that we can still use BYOK and Azure RMS, while using Exchange Online without RMS, i.e. using the standard email encryption S/MIME instead?