Can A Virtual Hsm Generate Dukpt Keys

Dukpt.NET is a C# implementation of the Derived Unique Key Per Transaction (DUKPT) process that's described in Annex A of ANS X9.24-2004. To install Dukpt.NET, run the following command in the Package Manager Console: PM Install-Package Dukpt Usage.


For added assurance, when you use Azure Key Vault, you can import or generate keys in hardware security modules (HSMs) that never leave the HSM boundary. This scenario is often referred to as bring your own key, or BYOK. Azure Key Vault uses nCipher nShield family of HSMs (FIPS 140-2 Level 2 validated) to protect your keys.

This functionality is not available for Azure China 21Vianet.


For more information about Azure Key Vault, see What is Azure Key Vault?
For a getting started tutorial, which includes creating a key vault for HSM-protected keys, see What is Azure Key Vault?.

Supported HSMs

Transferring HSM-protected keys to Key Vault is supported via two different methods depending on the HSMs you use. Use the table below to determine which method should be used for your HSMs to generate, and then transfer your own HSM-protected keys to use with Azure Key Vault.

Vendor NameVendor TypeSupported HSM modelsSupported HSM-key transfer method
  • nShield family of HSMs
Use legacy BYOK method
  • SafeNet Luna HSM 7 family with firmware version 7.3 or newer
Use new BYOK method (preview)
FortanixHSM as a Service
  • Self-Defending Key Management Service (SDKMS)
Use new BYOK method (preview)

Next steps

Can A Virtual Hsm Generate Dukpt Keys Download


Can A Virtual Hsm Generate Dukpt Keys Video

Follow Key Vault Best Practices to ensure security, durability and monitoring for your keys.