I.2
The HSM does not lend, it retains
Material fusion — why the key never leaves the provider
The encryption key follows a similar logic, but with an added material constraint: across the three main hyperscalers (AWS, Azure, Google Cloud), the default encryption key generated by the native managed key service is, by design, never exportable in the clear.
◆ The empirical materiality — the AWS KMS case
AWS KMS technical documentation explicitly states that a key whose origin (the Origin parameter) is AWS_KMS can never be extracted, exported, or viewed outside the hardware security module (HSM) that holds it — only the public portion of an asymmetric key is an exception. The documentation also confirms that the format of symmetric ciphertexts produced by AWS KMS is not published, and that no other system, including another HSM, can decrypt content encrypted by that key.
◆ The empirical materiality — the Azure Key Vault case
Official Microsoft documentation confirms that a key protected by Azure Key Vault HSMs (Premium tier, nCipher/Thales chips, FIPS 140-2 Level 2 validation) can never be exported: the Key Exchange Key generated inside the HSM never exists in the clear outside of it, and no decrypted version of the customer's key can ever be returned by Microsoft once transferred. The associated application identity (Managed Identity) is itself tied to a service principal in Entra ID, valid only within the originating Azure tenant's directory.
◆ The empirical materiality — the Google Cloud KMS case
Official Google Cloud documentation confirms that a key created with an HSM protection level (ProtectionLevel=HSM) is generated, wrapped, and used exclusively inside HSMs certified at FIPS 140-2 Level 3: the service's very design guarantees the key can neither be unwrapped nor used outside the HSM, nor extracted from it. Workload Identity Federation, which avoids creating exportable service-account keys, remains itself a feature of Google Cloud's IAM control plane, activated and revocable only from that same control plane.
◆ What this symmetry establishes
All three hyperscalers converge on the same architecture: the encryption key generated by their native managed service never leaves their HSMs, whatever the precise FIPS certification (Level 2 for Azure Key Vault Premium, Level 3 for AWS CloudHSM and Google Cloud HSM). The mechanism documented in Chapter I is therefore not a quirk of a single provider, but a shared architectural convention across the three main market players.
◆ What this concretely means for an organization
An organization that wants to change cloud providers without losing access to its already-encrypted data must either re-encrypt the entire relevant data volume with a new key before the switch — an operation whose cost grows linearly with the volume of data already accumulated — or accept remaining dependent on the originating provider's key service to decrypt what was already encrypted there, even after the compute infrastructure itself has switched.
◆ What this mechanism does not claim
This chapter does not claim that external key import (Bring Your Own Key) resolves this mechanism: this feature, available across all three hyperscalers, moves key generation outside the provider but changes neither the HSM's hardware attestation nor the dependency on the proprietary API for every decrypt operation.