Add key management documentation for MSI v2 #5513
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Document the key management logic and responsibilities in MSI v2, including key selection priorities and flow.
Robbie-Microsoft
requested changes
Oct 2, 2025
|
|
||
| ## Key Responsibilities | ||
|
|
||
| - Generate and hold the RSA private key. |
There was a problem hiding this comment.
what does "hold" mean?
| - Generate and hold the RSA private key. | ||
| - Ensure the key is protected to the maximum capability of the platform. | ||
| - Provide the key for signing (CSR, PoP requests, mTLS handshakes). | ||
| - Never allow export if backed by hardware/KeyGuard. |
| - Requires Virtualization-Based Security (VBS). | ||
| - Keys are isolated in a secure enclave. | ||
| - Strongest guarantee that the private key cannot be exfiltrated. | ||
| - Used for Proof-of-Possession (PoP). |
There was a problem hiding this comment.
Why did you only put this here and not the other key types? Every Key type listed here can be used in PoP.
| ### Hardware / TPM / KSP (fallback) | ||
|
|
||
| - Keys are backed by TPM or the Platform Crypto Provider. | ||
| - Non-exportable, tied to the device. |
There was a problem hiding this comment.
KeyGuard is also not exportable, can you add this to the KeyGuard section too?
| - Strongest guarantee that the private key cannot be exfiltrated. | ||
| - Used for Proof-of-Possession (PoP). | ||
|
|
||
| ### Hardware / TPM / KSP (fallback) |
There was a problem hiding this comment.
Can you write out the TPM acronym here?
| KeyProvider-->>KeyProvider: Acquire semaphore | ||
| alt KeyGuard available | ||
| KeyProvider-->>MSAL: KeyGuard key (preferred) | ||
| else Hardware/TPM available |
There was a problem hiding this comment.
add "KeyGuard not available"
| else Hardware/TPM available | ||
| KeyProvider-->>MSAL: Hardware key | ||
| else | ||
| KeyProvider-->>MSAL: In-memory RSA key |
There was a problem hiding this comment.
add "KeyGuard and TPM not available"
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Document the key management logic and responsibilities in MSI v2, including key selection priorities and flow.