# Using a Cloud HSM

A cloud Hardware Security Module (HSM) provides a good balance between security and accessibility. A cloud HSM can manage a Celo private key and can be used seamlessly with celocli and contractkit. Similar to a ledger device, a key in an HSM avoids the key from ever being sent over the network or stored on disk since the key can never leave the hardware boundary and all signing is performed within the HSM. To authenticate to the HSM, it's recommended to create a service principal account that has been granted access to sign with the managed keys. A cloud HSM can be a great option for managing vote signer keys, since you may want these keys to be portable but also maintain good security practices. This guide will walk you through creating a cloud HSM in Azure and connecting it to celocli.

## Connecting CeloCLI to KeyVault#

Now that your environment variables are set, we just need to let celocli know that we want to use this Key Vault signer. We do this by passing in the flag --useAKV and --azureVaultName. Similar to --useLedger, all CLI commands will use the HSM signer when --useAKV is specified.

# On your local machinecelocli account:list --useAKV --azureVaultName $AZURE_VAULT_NAME Your Key Vault address will show up under "Local Addresses". If you'd like to use this key as your vote signer key, you can follow this guide and replace --useLedger with --useAKV --azureVaultName$AZURE_VAULT_NAME.

## Connecting ContractKit to KeyVault#

To leverage your HSM keys in contractkit, first create an AzureHSMWallet object and use it to create a ContractKit object with newKitFromWeb3. Note that AzureHSMWallet expects AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID environment variables to be specified.

import { ContractKit, newKitFromWeb3 } from '@celo/contractkit'import { AzureHSMWallet } from '@celo/wallet-hsm-azure'
const azureVaultName = "AZURE-VAULT-NAME"const akvWallet = await new AzureHSMWallet(azureVaultName)await akvWallet.init()console.log(Found addresses: \${await akvWallet.getAccounts()})const contractKit = newKitFromWeb3(this.web3, akvWallet)

## Summary#

You can now leverage a cloud HSM key to perform signing as a user or application. This improves both security and availability of your Celo keys. We also recommend enabling two-factor authentication across your Azure subscription and to leverage Managed Service Identities where possible.