This document presents the features and general theory of nCipher nShield HSMs and how they are used to secure customers' keys as part of Microsoft Azure Key Vault. The paper further presents the methods that Microsoft chose in using nCipher HSMs for bring your own key (BYOK), and make connections between product features, the Azure Key Vault application, and the security model that results. Our goal is to inform the reader on the technology and methods deployed by Microsoft to protect Azure users' data in the cloud.