
MSFT stock is going to the moon!
The company has totally got its mojo back under Satya.
Day two of Microsoft's Build conference was focused on Azure, the company's cloud platform, with new features announced and preview features moving to general availability. Top of the list is Azure Functions, a new service which lets you write code that runs in response to various triggers, such as an HTTP request, a file …
It would appear it uses Key Vault, which is a Thales FIPS 140-2 Level 2 certified hardware HSM-backed key storage and cryptography mechanism. You can certainly upload your keys to Key Vault, and do it very securely using HSM to HSM transfer from your private network. I BELIEVE (do NOT take this as gospel truth - you're on your own here!) that by using this HSM module, Microsoft themselves do not have access to your keys - the key never leaves the HSM box and is not able to be exported from there by anyone. The HSM box therefore handles the necessary encryption tasks.
It's also possible for you to encrypt the keys you put in there yourself, although I'm not sure how well that would play with the built-in encryption at rest scenario.
See http://tomkerkhove.ghost.io/2015/07/22/securing-sensitive-data-with-azure-key-vault/ for some more details and links