
Enforcing trust and transparency: open-sourcing the Azure Integrated HSM

Key Points

What is changing

Azure is adding a hardware security module directly into every new server. It meets FIPS 140-3 Level 3 and is designed so that keys never appear in host or guest memory. OCP will publish the firmware, drivers, and software stack, and an audit report is already available on GitHub.

This complements Azure Key Vault and Azure Managed HSM by protecting keys while workloads use them. It also supports TDISP to bind the module to confidential computing. There is no timeline or certainty about how widely it will be adopted beyond regulated or sovereign scenarios.

Why it matters

Cloud architects and IT admins managing regulated workloads will care most. They may get stronger isolation for keys in active use without network calls, but migration steps and limits remain uncertain.

DevOps teams running on Azure V7 virtual machines can opt in once it is available. Impact is likely limited at first and will depend on region and SKU choices as rollouts proceed.

Share your plans or early testing results for the Azure Integrated HSM in the comments if you have started.
