Inhaltsverzeichnis
Cloud Integration
Target audience: Cloud Architects, DevOps
Focus: HSM integration, Secrets Management, Multi-Cloud
Integration of PQ-enabled PKI with cloud HSM and secrets management services.
Overview
flowchart TB
subgraph ONPREM["ON-PREMISES"]
CA[CA Server]
HSM[HSM]
end
subgraph AZURE["AZURE"]
AKV[Azure Key Vault]
AHSM[Managed HSM]
end
subgraph AWS["AWS"]
ACM[AWS Certificate Manager]
KMS[AWS KMS]
CHSM[CloudHSM]
end
subgraph MULTI["MULTI-CLOUD"]
HV[HashiCorp Vault]
end
CA --> AKV & ACM & HV
HSM -.->|Backup| AHSM & CHSM
HV --> AZURE & AWS
style HV fill:#e8f5e9
style AKV fill:#e3f2fd
style ACM fill:#fff3e0
Cloud Provider Comparison
| Feature | Azure Key Vault | AWS KMS | HashiCorp Vault |
| ——— | —————– | ——— | —————– |
| HSM FIPS 140-2 | Level 3 (Managed HSM) | Level 3 (CloudHSM) | Level 2 (Transit) |
| PQ Support | Not yet | Not yet | Via plugins |
| Cert Management | Native | ACM | PKI Engine |
| Multi-Cloud | No | No | Yes |
| Cost | Medium | High (CloudHSM) | Open Source + Enterprise |
Scenarios
| Scenario | Cloud | HSM Type |
|---|---|---|
| Azure Key Vault | Azure | Managed HSM |
| AWS KMS + CloudHSM | AWS | CloudHSM |
| HashiCorp Vault | Multi-Cloud | Transit SE |
Decision Tree
flowchart TD
A[Cloud HSM needed?] --> B{Primary cloud?}
B -->|Azure| C[Azure Key Vault]
B -->|AWS| D[AWS KMS/CloudHSM]
B -->|Multi-Cloud| E[HashiCorp Vault]
B -->|On-Prem + Cloud| F[Vault + Cloud Integration]
C --> G{FIPS Level 3?}
G -->|Yes| H[Managed HSM]
G -->|No| I[Standard Key Vault]
D --> J{Budget?}
J -->|High| K[CloudHSM]
J -->|Medium| L[KMS]
style E fill:#e8f5e9
style H fill:#e3f2fd
style K fill:#fff3e0
Hybrid Strategy
Recommendation: On-premises Root CA + Cloud Intermediate for cloud workloads
| Component | Location | Rationale |
| ———– | ———- | ———– |
| Root CA | On-premises (HSM) | Highest security |
| Intermediate (Cloud) | Azure/AWS/Vault | Proximity to workloads |
| End Entity | Cloud | Auto-provisioning |
| Backup | Multi-Cloud | Disaster recovery |
Related Documentation
- Kubernetes Cert-Manager - K8s integration
- CA Backup - Cross-cloud backup
- Configuration - OpenSSL setup
« <- Operator Scenarios | -> Azure Key Vault »
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Zuletzt geändert: on 2026/01/30 at 01:24 AM
