Skip to main content
This guide provides a comprehensive walkthrough for setting up a secp256k1 signing key in an Azure Key Vault (Premium SKU) and using it to sign Hedera Hashgraph transactions with a Node.js application. It incorporates solutions to common Azure CLI and SDK integration issues.

Part 1: Azure Infrastructure Setup (CLI)

These steps will configure all the necessary cloud resources using the Azure CLI.

1. Prerequisites

2. Login and Set Subscription

First, log in to your Azure account and set the subscription you want to use.

3. Create a Resource Group

A resource group is a container for all your project’s Azure resources.

4. Register the Key Vault Provider

Your subscription must be registered to use the Key Vault service. This step prevents the MissingSubscriptionRegistration error.

5. Create a Premium Key Vault

To use HSM-backed keys (EC-HSM), you must use the Premium SKU. This prevents the HardwareKeysNotSupported error. The Key Vault name must be globally unique.

6. Create the HSM-Backed Key

Now, create the EC-HSM key. Before you do, you must grant your own user account permission to create keys in the vault. This prevents the Forbidden error during key creation.

7. Create a Service Principal

Create a service principal to authenticate with Azure.
This will output a JSON object. Save the appId, password, and tenant values for your .env file later.

8. Grant Service Principal Access

Grant the service principal the “Key Vault Crypto User” role. This role allows it to get the public key and perform sign operations. We use the --assignee flag with the service principal’s appId to avoid argument errors.

Part 2: Running the Script

Now that the Azure infrastructure is ready, you can configure and run the application.

1. Install Dependencies

In your project directory, install the necessary Azure packages.

2. Create the .env File

Create a file named .env and populate it with your credentials.

3. Run the azure-hedera-hsm.js Script

Finally, execute the script.
You should see a successful run, creating an account and signing a transaction using your Azure HSM key.

Part 3: Verification and Cleanup

1. Verify HSM Usage

To confirm that the key is HSM-protected, run this command.
The output must be "EC-HSM".

2. Cleanup

To delete all the created resources, simply delete the resource group.

Resources