SealSign integration with the Azure Key Vault


ElevenPaths and Microsoft, thanks to Gradiant technology, have integrated the Azure Key Vault into the SealSign platform. This partnership provides a server-based digital signature and certificate safekeeping service, based on HSM, with a high degree of security, scalability and performance.


The use of secure cryptographic hardware, or HSMs (Hardware Security Modules), provides a well-suited mechanism to safeguard and protect keys (in the fashion of a safe-deposit box). However, the cost and complexity of installation and configuration hinder wider adoption of this hardware. For this reason, some as-a-service solutions have emerged, such as the Azure Key Vault, which offer the possibility of using HSMs as one more service within a public cloud.

SealSign® is a scalable, modular and complete enterprise platform developed by ElevenPaths providing electronic document and biometric signatures, digital certificate safekeeping, and long-term archiving of signed documents. This platform configures different cryptographic providers through a standard PKCS#11 interface. This makes it possible to securely access certificates and keys stored in HSMs and, thus, to electronically sign documents without compromising the security and privacy of sensitive information.

Azure Key Vault exposes a REST (Representational State Transfer) API through which applications can perform operations. However, its usefulness as a cryptographic service provider is limited for applications that rely on lower-level interfaces, such as PKCS#11. PKCS#11 is a cryptographic token interface (Cryptoki) that defines a generic API for accessing a device (typically an HSM). The PKCS#11 API allows applications to securely access “secrets” stored in devices, for example, to sign documents.

For this reason, Gradiant developed the BlackICE Connect connector based on the PKCS#11 standard. The connector offers a library that incorporates the Azure Key Vault service as a cryptographic provider in SealSign. In this way, it is possible to electronically sign documents in applications and to securely safeguard digital certificates through the Azure Key Vault service. This solution was presented on the occasion of Security Innovation Day 2017, an innovative cybersecurity event organized by ElevenPaths.

This translates into significant savings as, instead of having to acquire and maintain HSMs, it is only necessary to pay for the use that is made of the service (typically based on the number of keys stored and the number of operations performed with them).

The PKCS#11 connector for Azure Key Vault simulates a cryptographic device environment that exposes a standard PKCS#11 interface to the application that is using it (for example, SealSign). Internally, it transforms calls to this interface into calls to the Azure Key Vault’s REST service, while maintaining the standardized data structures and the coherence of the communications through a virtual slot. In this way, Azure Key Vault behaves as a transparent cryptographic service provider for the application.
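The translation described above can be sketched for one operation, signing. This is an added example, not BlackICE Connect or SealSign code: it assumes the shim hashes the data locally and sends only the digest to Key Vault's REST `sign` operation, and the names `translate_c_sign`, `signature_from_response`, the API version and the sample vault and key names are illustrative assumptions.

```python
import base64
import hashlib

# PKCS#11 mechanism constants (values from the PKCS#11 specification).
CKM_RSA_PKCS = 0x00000001         # raw RSA; not mapped in this sketch
CKM_SHA256_RSA_PKCS = 0x00000040
CKM_SHA384_RSA_PKCS = 0x00000041
CKM_SHA512_RSA_PKCS = 0x00000042

# Hash-then-sign mechanism -> (Key Vault algorithm name, local hash function).
MECH_TO_KV = {
    CKM_SHA256_RSA_PKCS: ("RS256", hashlib.sha256),
    CKM_SHA384_RSA_PKCS: ("RS384", hashlib.sha384),
    CKM_SHA512_RSA_PKCS: ("RS512", hashlib.sha512),
}
API_VERSION = "7.4"  # assumption: any Key Vault API version offering keys/sign


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding Key Vault uses for binary values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def translate_c_sign(mechanism, data, vault_url, key_name, key_version):
    """Build the (url, json_body) of the REST call equivalent to a C_Sign."""
    if mechanism not in MECH_TO_KV:
        # Refuse instead of silently substituting a different algorithm.
        raise ValueError(f"mechanism 0x{mechanism:08x} has no mapping")
    alg, hash_fn = MECH_TO_KV[mechanism]
    digest = hash_fn(data).digest()  # the document itself never leaves the host
    url = (f"{vault_url.rstrip('/')}/keys/{key_name}/{key_version}"
           f"/sign?api-version={API_VERSION}")
    return url, {"alg": alg, "value": b64url(digest)}


def signature_from_response(response_json):
    """Decode the signature bytes that C_Sign would hand back to the caller."""
    value = response_json["value"]
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


if __name__ == "__main__":
    # Constructed sample input; vault, key name and version are placeholders.
    url, body = translate_c_sign(CKM_SHA256_RSA_PKCS, b"constructed document",
                                 "https://example-vault.vault.azure.net",
                                 "signing-key", "0123abcd")
    print("POST", url)
    print(body)
```

The request still needs an Azure AD bearer token in its `Authorization` header, which a real connector would obtain when the PKCS#11 session logs in.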



About ElevenPaths

At ElevenPaths, Telefónica’s Cyber Security department, we believe that challenging the current state of security should always be an aspect of technology. We continuously question the relationship between security and people in the process of creating innovative products that are capable of transforming the concept of security. In doing so, we strive to stay one step ahead of our attackers, who are ever more present in our digital life.

More information: @ElevenPaths


About Microsoft

Microsoft (Nasdaq “MSFT” @microsoft) is the leading company in platforms and productivity for the “mobile-first, cloud-first” world. Its mission is to help each person and organization in the world to do more in their day-to-day lives.
