Inhaltsverzeichnis
Cloud Integration
Zielgruppe: Cloud-Architekten, DevOps
Fokus: HSM-Integration, Secrets Management, Multi-Cloud
Integration der PQ-fähigen PKI mit Cloud-HSM und Secrets-Management-Diensten.
Übersicht
flowchart TB
subgraph ONPREM["🏢 ON-PREMISES"]
CA[CA-Server]
HSM[HSM]
end
subgraph AZURE["☁️ AZURE"]
AKV[Azure Key Vault]
AHSM[Managed HSM]
end
subgraph AWS["☁️ AWS"]
ACM[AWS Certificate Manager]
KMS[AWS KMS]
CHSM[CloudHSM]
end
subgraph MULTI["☁️ MULTI-CLOUD"]
HV[HashiCorp Vault]
end
CA --> AKV & ACM & HV
HSM -.->|Backup| AHSM & CHSM
HV --> AZURE & AWS
style HV fill:#e8f5e9
style AKV fill:#e3f2fd
style ACM fill:#fff3e0
Cloud-Provider Vergleich
| Feature | Azure Key Vault | AWS KMS | HashiCorp Vault |
| ——— | —————– | ——— | —————– |
| HSM FIPS 140-2 | Level 3 (Managed HSM) | Level 3 (CloudHSM) | Level 2 (Transit) |
| PQ-Support | ❌ Noch nicht | ❌ Noch nicht | ✓ Via Plugins |
| Cert Management | ✓ Native | ✓ ACM | ✓ PKI Engine |
| Multi-Cloud | ❌ | ❌ | ✓ |
| Kosten | Mittel | Hoch (CloudHSM) | Open Source + Enterprise |
Szenarien
| Szenario | Cloud | HSM-Typ |
|---|---|---|
| Azure Key Vault | Azure | Managed HSM |
| AWS KMS + CloudHSM | AWS | CloudHSM |
| HashiCorp Vault | Multi-Cloud | Transit SE |
Entscheidungsbaum
flowchart TD
A[Cloud-HSM benötigt?] --> B{Primäre Cloud?}
B -->|Azure| C[Azure Key Vault]
B -->|AWS| D[AWS KMS/CloudHSM]
B -->|Multi-Cloud| E[HashiCorp Vault]
B -->|On-Prem + Cloud| F[Vault + Cloud-Integration]
C --> G{FIPS Level 3?}
G -->|Ja| H[Managed HSM]
G -->|Nein| I[Standard Key Vault]
D --> J{Budget?}
J -->|Hoch| K[CloudHSM]
J -->|Mittel| L[KMS]
style E fill:#e8f5e9
style H fill:#e3f2fd
style K fill:#fff3e0
Hybrid-Strategie
Empfehlung: On-Premises Root-CA + Cloud Intermediate für Cloud-Workloads
| Komponente | Location | Begründung |
| ———— | ———- | ———— |
| Root-CA | On-Premises (HSM) | Höchste Sicherheit |
| Intermediate (Cloud) | Azure/AWS/Vault | Nähe zu Workloads |
| End-Entity | Cloud | Auto-Provisioning |
| Backup | Multi-Cloud | Disaster Recovery |
Verwandte Dokumentation
- Kubernetes Cert-Manager – K8s Integration
- CA Backup – Cross-Cloud Backup
- Konfiguration – OpenSSL Setup
« ← Operator-Szenarien | → Azure Key Vault »
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Zuletzt geändert: den 29.01.2026 um 15:13
