Breaking: Microsoft announced today it is open-sourcing the firmware, driver, and software stack for its Azure Integrated Hardware Security Module (HSM)—a tamper-resistant chip built into every new Azure server. The move, unveiled at the Open Compute Project (OCP) EMEA Summit, aims to let customers, partners, and regulators independently verify the security of cryptographic operations running in the cloud.
"At Microsoft, we believe transparency is essential for trust—especially when AI and sensitive workloads rely on hardware-level encryption," said Mark Russinovich, Azure CTO, in a statement. "By opening the HSM's design to the community, we're enabling external validation of our security boundaries."
The Azure Integrated HSM is engineered to meet FIPS 140-3 Level 3, the highest standard for hardware security modules used by governments and regulated industries. It provides strong tamper resistance, hardware-enforced isolation, and protection against key extraction—now as a default property of Azure's compute platform rather than a premium add-on.
Background: What Is the Azure Integrated HSM?
Microsoft's Azure Integrated HSM is a dedicated security chip inserted into every new Azure server. It extends existing key management services by bringing hardware-backed protection directly to where workloads execute, so that protection no longer relies on centralized services alone.

The module is designed to protect cryptographic keys used for everything from AI inference to national digital infrastructure. Until today, its design was proprietary—only Microsoft and its auditors had full visibility into the implementation.
The Open-Source Announcement
At the OCP EMEA Summit this week, Microsoft committed to releasing the HSM's firmware, driver, and software stack as open source. It also launched an OCP workgroup to guide ongoing development of architectural design, protocol specifications, and hardware.

"We are making the firmware available now on our Azure Integrated HSM GitHub repository," said Andrey Goder, Partner Software Engineer at Microsoft. "Independent validation artifacts, including the OCP SAFE audit report, are also being published to support community review."
What This Means for Cloud Security
For regulated industries—finance, healthcare, government—the ability to inspect and validate cryptographic hardware is critical. "Sovereign cloud scenarios require independent verification of security controls," noted John Kindervag, founder of Zero Trust security. "Microsoft's move reduces reliance on vendor assertions and strengthens trust in the entire cloud ecosystem."
Open-sourcing the HSM also helps reduce proprietary vendor lock-in. By making the design transparent, Azure enables external researchers to identify potential vulnerabilities, leading to stronger security for all users. This aligns with growing demand for verifiable infrastructure as AI workloads become more autonomous.
"At a time when cryptographic trust underpins everything from AI inference to national digital infrastructure, open sourcing the HSM is a significant step toward a more transparent cloud," the company said in its announcement.