The traditional Microsoft BYOK approach is to generate a private/public key pair in a local/on-premise GP HSM and export/import it as a wrapped key pair into the Azure KeyVault.

The ESKM integration into the Azure KeyVault allows you to generate a private/public key pair in the ESKM, using FIPS approved algorithms, and push it to the Azure KeyVault to encrypt Azure SaaS, PaaS, and/or IaaS resources.

• The private/public key pair stays under the control of the customer - it can be managed and revoked directly from ESKM.
  
• In a BYOK scenario, the ESKM generates the keys and uploads them to the respective CSP.
• Only authorized users have access to unencrypted data.

The ESKM allows you to manage the entire key life cycle (generate, store, distribute/use, rotate/rekey and terminate/revoke).

Utimaco provides flexible deployment options:

• ESKM with integrated Utimaco GP HSM
• vESKM, which can be connected to external Utimaco GP HSM

General note: For redundancy reasons Utimaco recommends deploying ESKM in cluster mode!