Microsoft has selected Marvell’s LiquidSecurity hardware security modules to power its Azure Cloud HSM service, extending a partnership that already spans Azure Key Vault and Managed HSM. The move embeds PCIe-attached, FIPS 140-3 Level 3 validated HSMs into Microsoft’s single-tenant HSM clusters, marking a significant shift from traditional 1U/2U appliances toward cloud-optimized, card-based cryptography.
Announced on August 18, 2025, the integration cements a multi-year collaboration between the two companies. Marvell’s LiquidSecurity HSMs have long underpinned Microsoft’s managed key vault offerings, but Azure Cloud HSM is a different beast: a customer-owned, single-tenant service where tenants retain administrative control of cryptographic keys while Microsoft handles cluster availability, patching, and lifecycle operations. The addition of LiquidSecurity cards promises denser key storage, higher throughput, and lower operational overhead for both the cloud provider and its customers.
Why This Announcement Matters Now
For enterprises shackled by regulatory demands, FIPS 140-3 Level 3 is often a non-negotiable procurement checkbox. By embedding a validated HSM platform directly into Azure’s managed single-tenant clusters, Microsoft removes a major barrier to migrating public key infrastructure (PKI), payment processing, certificate authority (CA) signing, and other high-assurance workloads to the cloud.
The economic argument is equally compelling. PCIe host-attached HSM cards aim to slash rack footprint, power consumption, and per-operation costs compared with legacy networked appliances. At hyperscale, those savings multiply. Marvell claims a single LiquidSecurity2 (LS2) card can manage up to 100,000 key pairs and process more than one million cryptographic operations per second. If those figures hold under real-world conditions, cloud providers can service far more tenants with far fewer physical resources.
Equally important is the operational model. Azure Cloud HSM gives customers full administrative control over their keys—a critical requirement for many regulated entities—while offloading the heavy lifting of high availability, firmware updates, and hardware lifecycle management to Microsoft. It’s a middle ground that many enterprises find far more palatable than either fully self-managing appliance fleets or surrendering control to multitenant HSM services.
Inside the LiquidSecurity Architecture
Marvell’s LiquidSecurity line (LS1 and LS2) is not your grandfather’s HSM. Instead of a standalone rack-mount box, it’s a PCIe adapter that plugs directly into a host server. Each card packs Marvell’s OCTEON Data Processing Unit (DPU) along with purpose-built cryptographic accelerators. The design emphasizes three things:
- Reduced network latency: By eliminating the network hop to an external appliance, host-attached HSMs can slash round-trip times for signing, verification, and key derivation operations.
- Multi-tenant partitioning: A single card can expose multiple logical HSM partitions, allowing efficient sharing across tenants without sacrificing hardware-backed isolation.
- Workload offloading: Dedicated silicon shoulders the cryptographic burden, freeing up host CPUs and keeping latency low even under heavy load.
Marvell’s published specifications for the LS2 are eye-popping: 100,000 encryption key pairs per card, over one million operations per second (aggregate, algorithm-dependent), and support for up to 45 partitions. These are vendor-stated engineering targets that have been repeated in press coverage. However, they demand independent verification. No widely available third-party benchmarks reproduce these exact numbers, and performance will vary based on algorithm mix, payload size, and concurrency patterns. Procurement teams should treat these figures as directional until they run their own pilot tests.
FIPS 140-3 Level 3: What the Certification Actually Means
FIPS 140-3 Level 3 is the highest security level realistically achievable in a cloud HSM service. It mandates tamper-evidence and tamper-response mechanisms, robust role separation, and stringent physical security. For Azure Cloud HSM, this certification means the hardware module will actively respond to physical attacks, cryptographic keys are confined within a validated hardware boundary, and the system meets a long list of NIST requirements.
Crucially, FIPS 140-3 validation is scoped to a specific module and firmware combination. Microsoft represents Azure Cloud HSM as FIPS 140-3 Level 3 validated, but customers must confirm the exact SKU, firmware version, and region they intend to use. The certification does not automatically cover future firmware updates unless they are themselves re-validated or the vendor maintains a validated update path.
Operational Implications for Azure Customers
Latency and Throughput Fit
Host-attached HSMs shine brightest when workloads are latency-sensitive and involve many small cryptographic operations. Think TLS termination, code signing pipelines, device attestation, and high-frequency transaction signing. If your workload leans on bulk symmetric encryption or infrequent key usage, the PCIe advantage may be less dramatic. Before migrating, run representative end-to-end tests: measure p50, p95, and p99 latency for signing operations, throughput for parallel requests, and host CPU utilization relative to HSM throughput.
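Such a pilot harness, as an added example that is not the article's or either vendor's code: it times any sign() callable (here a constructed HMAC stand-in; in a real pilot, a PKCS#11 signing wrapper bound to the HSM partition) and reports the p50/p95/p99 latency, parallel throughput and host CPU per operation the paragraph recommends measuring. The stand-in key, payload and metric names are assumptions.

```python
# Added example (not from the article, Microsoft or Marvell): a pilot-test harness
# that drives any sign() callable, e.g. a PKCS#11 wrapper bound to an HSM partition,
# and reports the p50/p95/p99 latency, throughput and host CPU cost per operation.
import hashlib
import hmac
import math
import os
import time
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Sequence

def percentile(samples_ms: Sequence[float], pct: float) -> float:
    """Nearest-rank percentile: the smallest sample that pct% of all samples do not exceed."""
    if not samples_ms:
        raise ValueError("no samples")
    ordered = sorted(samples_ms)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]

def benchmark(sign: Callable[[bytes], bytes], payload: bytes, ops: int, concurrency: int) -> dict:
    """Issue `ops` sign() calls from `concurrency` workers, timing each call individually."""
    def timed_call(_i: int) -> float:
        t0 = time.perf_counter()
        sign(payload)
        return (time.perf_counter() - t0) * 1000.0  # per-call round-trip latency in ms

    cpu0, wall0 = time.process_time(), time.perf_counter()
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        latencies = list(pool.map(timed_call, range(ops)))
    wall, cpu = time.perf_counter() - wall0, time.process_time() - cpu0
    return {
        "ops": ops,
        "ops_per_second": ops / wall if wall > 0 else 0.0,
        "host_cpu_ms_per_op": cpu * 1000.0 / ops,  # the offload metric: host CPU burned per HSM op
        "p50_ms": percentile(latencies, 50),
        "p95_ms": percentile(latencies, 95),
        "p99_ms": percentile(latencies, 99),
    }

# Constructed stand-in signer so the harness runs offline (an HMAC over the payload);
# in a pilot, replace it with the real HSM session's sign call.
_STANDIN_KEY = os.urandom(32)

def standin_sign(payload: bytes) -> bytes:
    return hmac.new(_STANDIN_KEY, payload, hashlib.sha256).digest()

if __name__ == "__main__":
    r = benchmark(standin_sign, b"x" * 32, ops=5000, concurrency=8)
    print(f"{r['ops_per_second']:,.0f} ops/s  p50={r['p50_ms']:.3f} ms  p95={r['p95_ms']:.3f} ms  "
          f"p99={r['p99_ms']:.3f} ms  host CPU {r['host_cpu_ms_per_op']:.4f} ms/op")
```

Run the same harness against the HSM with the concurrency levels and payload sizes your production path uses; the gap between the local stand-in and the HSM numbers is the cost you are actually buying.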
Administrative Control, Backups, and Logging
Azure Cloud HSM’s single-tenant model puts you in the driver’s seat for key management. But you still need to nail down:
- Backup and restore semantics: Who controls backup encryption? What’s the restore process? Can backups be replicated across regions?
- Key export policies: Under what circumstances are keys exportable? Are there irrevocable non-exportable key types?
- Audit trails: Ensure logs capture all administrative actions and meet your regulatory retention requirements.
Negotiate these details in your service agreement and validate them during a pilot.
Firmware Updates and Cryptographic Agility
HSMs are long-lived infrastructure. They must survive firmware updates, algorithm deprecations, and the eventual arrival of post-quantum cryptography (PQC). Demand a clear firmware update procedure, an SLA that preserves key continuity, and a roadmap for PQC algorithm support. Confirm whether in-field updates can be applied without breaking FIPS compliance or requiring re-certification.
Market and Strategic Analysis
For Microsoft, the decision to adopt PCIe-based HSMs is a strategic play. It allows Azure to scale Cloud HSM capacity with higher density and lower energy costs, better serve regulated and sovereign cloud customers, and build a hardware foundation that can accelerate confidential computing initiatives. The partnership also puts Marvell’s LiquidSecurity at the heart of one of the world’s largest cloud platforms, providing a powerful reference that other hyperscalers may follow.
For Marvell, the win validates its cloud-optimized HSM strategy. The company has long argued that DPU-powered, host-attached modules are the future of cryptographic infrastructure, and a marquee deployment inside Azure Cloud HSM lends serious weight to that claim. Marvell also benefits from the growing HSM-as-a-service market, which ABI Research projects will grow at an 8.5% compound annual rate through 2029.
The broader market is shifting. Hyperscaler adoption of PCIe HSMs will accelerate the transition from appliance purchases to subscription-based cryptographic services. Competing hardware vendors will likely pursue similar validations and publish independent performance benchmarks. Procurement teams, meanwhile, should start demanding multi-vendor options or contractual fallbacks to mitigate concentration risk.
Risks and Caveats to Watch
The Marvell-Microsoft pairing is compelling, but it’s not without risk.
- Vendor concentration: Tying a hyperscale HSM service to a single hardware vendor creates systemic exposure. A firmware vulnerability or supply-chain disruption affecting LiquidSecurity modules could ripple across thousands of tenants. Evaluate multi-vendor strategies and contractual protections.
- Performance claims need validation: Marvell’s 1M ops/sec and 100K key pair figures are impressive, but they remain vendor-stated until independent benchmarks surface. Run your own tests.
- Certification scope: FIPS 140-3 Level 3 is not a blanket certification. Confirm the validated module, firmware build, and physical SKU for your target region.
- Post-quantum readiness: HSMs deployed today must support PQC algorithms tomorrow. Insist on a concrete roadmap and field-upgrade capability.
- Operational SLAs: Patching, incident response, and key zeroization are now in Microsoft’s hands. Negotiate clear SLAs for patch windows, vulnerability disclosure timelines, and remediation commitments.
A Practical Procurement Checklist
For security architects and IT buyers evaluating Azure Cloud HSM with LiquidSecurity, the following steps are non-negotiable:
- Confirm certification scope: Get the exact HSM SKU and firmware version that are FIPS 140-3 Level 3 validated for your intended region and Azure environment.
- Benchmark your workloads: Run pilot tests with representative traffic—AES-GCM bulk encryption, ECC/RSA signing rates, KMIP/PKCS#11 operations—and measure latency percentiles, throughput, and host CPU cost.
- Validate operational controls: Verify backup/restore, key export rules, audit log access, and cluster failover behavior under load.
- Negotiate SLAs: Include patching windows, vulnerability disclosure timelines, and remediation SLAs tied to production impact.
- Assess cryptographic agility: Demand a PQC support roadmap and test the firmware update process in a non-production environment before going live.
- Plan for vendor risk: Build contingency plans that consider multi-vendor architectures, migration timelines, and contractual remedies for supply or security incidents.
Conclusion
Microsoft’s selection of Marvell LiquidSecurity HSMs for Azure Cloud HSM is a watershed moment for cloud-native cryptography. It pairs FIPS 140-3 Level 3 validation with a PCIe-attached architecture built for hyperscale, offering a credible path for regulated, latency-sensitive workloads to move to a fully managed cloud model without surrendering administrative control.
But the announcement also underscores the need for rigorous due diligence. Vendor-stated performance numbers must be stress-tested. Certification scopes must be verified. Operational processes must be baked into enforceable SLAs. For organizations that take those steps, the combination of Azure’s single-tenant cluster model and Marvell’s DPU-powered HSMs could unblock a wave of high-assurance cloud migrations. For the rest, it’s a reminder that in the HSM-as-a-service era, trust is earned through transparency and testing.