nShield Bring Your Own Key

Thales nShield BYOK uses certified HSMs to strengthen the security of your sensitive data in the cloud and puts you in control of the generation, storage and export of your keys.

With nShield Bring Your Own Key (BYOK), you bring your own keys to your cloud applications, whether you are using Amazon Web Services (AWS), Google Cloud Platform (GCP) or Microsoft Azure. nShield high-assurance HSMs let you continue to benefit from the flexibility and economy of cloud services while you strengthen the security of your key management practices and gain greater control over your keys.

With Microsoft Azure and Office 365 you benefit from your local security world architecture, as it can be securely expanded to the Microsoft data centers. Keys that are generated and managed locally can be used for cloud encryption.


Bring Your Own Key with Azure Cloud Services

Deployed around the world in Azure data centers, Thales nShield hardware security modules safeguard and manage your keys in the cloud. Thales puts you in control, enabling you to create and transfer your own key for use with Microsoft Azure Key Vault.


MS Azure Business App diagram


When using Microsoft Azure, you do not have to give up control of the key securing your data in the cloud. Key Vault enables you to protect the keys in Thales FIPS 140-2 certified hardware security modules (HSMs) managed by Microsoft.

For added assurance, a “bring your own key” (BYOK) capability is available that enables you to create and import your own keys from your own Thales HSM that you keep on your premises. This ensures that keys are generated by you, they never leave the protected HSM boundary, and they are never visible to Microsoft.

Security Properties of Azure Key Vault

Azure Key Vault offers you multiple levels of control. The Key Vault server key becomes your key in Azure, and you can trade off the level of control you desire against cost and effort.

  • By default, Azure generates and manages the lifecycle of your key.
  • As an option, a unique Bring Your Own Key (BYOK) capability lets you generate your key on premises.
  • For additional levels of security, near-real-time usage logs allow you to see exactly how and when your key is being used.

