
KMES Series 3

Enterprise-class encryption key management system


Key Management System for Any Need

The Key Management Enterprise Server (KMES) Series 3 is a powerful and scalable key management solution. It unites every possible encryption key use case from root CA to PKI to BYOK. Automate and script key lifecycle routines. Secure private keys with a built-in FIPS 140-2 Level 3 validated HSM. Deploy it on-premises for hands-on control, or in the cloud for native integration with public cloud providers. The KMES Series 3 is the last word on encryption key management and is the cornerstone of enterprise cryptographic ecosystems around the world.

Use Cases

Cloud Key Management

  • Unlimited scalability in the cloud
  • Native integration with public cloud providers
  • Bring Your Own Key (BYOK)
  • External key management (EKM)
  • Client-side encryption (CSE)

Data Protection

  • Integrate application encryption into software
  • Secure databases with transparent data encryption (TDE)
  • Drag-and-drop files for automatic encryption
  • Tokenize data without token vaults to limit compliance scope
  • Support for PKCS #11, JCA/JCE, OpenSSL, and much more

PKI and CA

  • Establish an offline root CA for foundational security
  • Manage certificate lifecycles with an issuing CA
  • Encrypt communication between network devices
  • Define CRLs and OCSPs to improve management
  • Manage signatures to authenticate digital objects

Code Signing

  • Issue certificates to authenticate code
  • Automate your enterprise code signing operations
  • Digitally sign firmware to enhance security
  • Integrate with Microsoft Authenticode or Java jarsigner

Payment Key Management

  • Load and rotate keys remotely (RKL)
  • Establish point-to-point encryption (P2PE)
  • Create, store, encrypt, and sign payment keys

Key Benefits



Manage encryption key lifecycles efficiently with sophisticated automation and scripting options. Reduce the manual effort involved with automated backups.


Multi-application support

Establish a logically isolated cryptographic resource pool to be shared among different applications with the KMES Series 3’s segregated key containers.



Design a highly available network of Futurex devices which communicate via a common code base to synchronize encryption keys and certificates.

Why Choose the KMES Series 3?

The KMES Series 3 stands alone among key management solutions. It is a dynamic, all-in-one key management tool with support for all common vendor-neutral APIs, flexible automation and scripting capabilities, and an embedded FIPS 140-2 Level 3 validated HSM.

Centralized key management

On its own, the KMES Series 3 manages keys across an enterprise, delivering PKI and CA. Integrating it with other HSMs multiplies its effectiveness.


The KMES gives you the flexibility for isolated data, configuration, and user interface multi-tenancy environments, making it a powerhouse of cryptographic infrastructure.

Programmatic automation

With the KMES you can automate tasks like creating groups, rotating keys, revoking certificates, signing objects, and testing communication with granular detail.

Embedded HSM handles encryption

The KMES contains an embedded Futurex HSM certified under FIPS 140-2 Level 3 and PCI PTS HSM.


Key Management & Access Control Solution for Secure Transactions


Simple, secure key management

Symmetric & asymmetric key management for 3DES DUKPT, X.509 v3, EMV and support for X9.17, AKB, and TR-31 (with custom fields).


Role-based access management

Permission-based user access control enforces dual control and segregation of duties. Includes exportable user activity logs.


Ease of use

The intuitive user interface doesn’t require command-line tasks for initial setup, regular auditing, firmware upgrades, or maintenance.


Versatile PKI functionality

The KMES supports mutual authentication under an offline root CA. It can generate and manage self-signed certificates to establish a trusted PKI.


PCI-compliant remote key distribution

Remotely distribute keys across ATMs and POS devices (including mobile POS) to reduce logistical and compliance burdens.


Custom auditing and reporting

Automatically sign and send activity logs to a remote syslog server for internal and external audits.

Frequently Asked Questions

What are the KMES Series 3 specifications?

  • Dimensions and weight:
    - Height: 2U – 3.5 inches (8.9 cm)
    - Length: 24.63 inches (62.56 cm)
    - Width: 19 inches (48.3 cm)
    - Weight: 43.5 lbs. (19.73 kg)

  • Hardware features:
    - Dual control-enabled, tamper-responsive
    - Smart card reader for M-of-N key fragmentation and dual-factor authentication
    - Dual, redundant gigabit Ethernet ports
    - Dual, redundant, hot-swappable power supplies
    - Automated, internal RAID-based backup of object management applications and databases

  • Operating conditions:
    - Power Supply Configuration: Standard AC with two redundant, hot-swappable supplies
    - Voltage: 90 VAC – 264 VAC
    - Frequency: 47 Hz – 63 Hz
    - Maximum Current (115/230 VAC): 12 / 6
    - Efficiency: 80% (minimum)
    - Operating temperature: 50° – 95°F (10° – 35°C)
    - Storage temperature: 5° – 140°F (-15° – 60°C)
    - Operating relative humidity: 20% – 80% (RH non-condensing)
    - Storage relative humidity: 10% – 85% (RH non-condensing)

  • Unit includes:
    - Application CD
    - Rack-mount installation kit
    - Two sets of two barrel keys
    - Four smart cards
    - Two power cables

What are the supported compliance standards, protocols, key types, and certificates?

  • Industry compliance standards:
    - FIPS 140-2 Level 3
    - EMVCo
    - PCI DSS
    - ANS X9.24 – Part 1 and Part 2
    - RoHS
    - FCC Class B – Part 15
    - Applicable future compliance mandates

  • Key types and protocols:
    - DES
    - Triple DES
    - DUKPT
    - X.509 v3
    - AES
    - RSA
    - EMVCo
    - KMIP

  • EMV certificate management:
    - All major card brands supported
    - Issuer self-signed certificate creation and export
    - Creates ICC certificates to EMVCo specifications

How does key management work?

Key management is the cryptographic process of creating, distributing, storing, and destroying encryption keys. The process is carried out with cryptographic technology such as hardware security modules (HSMs) and key management servers.

An encryption key is a string of bits created by a key generation algorithm. The algorithm is processed in hardware within the physically secure boundary of an HSM. The HSM circuit board features a hardware-based, independent random number generator (RNG) that randomizes the bits in the key. After the key is created, it can be used in an encryption algorithm to encrypt data, making it unreadable to unauthorized parties.

What is a key management server?

A key management server is cryptographic hardware designed to handle every aspect and use case related to key management. That includes creating encryption keys, storing them, managing the policies that determine key rotation and deletion, encrypting the keys, and digitally signing them. Beyond dealing with individual keys, Futurex key management servers can easily establish a certificate authority (CA), a logical entity which creates and issues digital certificates. Certificates can be used to create trust throughout entire networks by providing a secure way to authenticate users, devices, and documents. The key management server also establishes policies to help manage CAs, creating public key infrastructure (PKI) on an enterprise level.

Are key management servers different from HSMs?

As a crucial cryptographic operation, key management functions are usually performed within the physically secure boundaries of HSMs. As such, some HSMs can fulfill key management use cases. Futurex key management servers are cryptographic hardware dedicated to key management. This means they have the same level of physical and logical security as HSMs, but their architecture is specially designed to fulfill every key management use case an enterprise might need.

What’s the best way to deploy key management solutions?

Step one: talk to a trusted vendor. Step two: look for a centralized solution. For example, Futurex’s KMES Series 3 was designed to give our customers exactly what they wanted in a key management solution: a one-stop-shop for all key management use cases. From PKI and CA to automatic key rotation and digital signing, the KMES can not only deploy any key management functionality, it can scale to manage keys on an enterprise level. All from a single, central platform deployed on-premises or in the cloud.

What kind of encryption does the KMES Series 3 support?

The KMES Series 3 delivers unmatched flexibility and performance. It supports every major encryption algorithm, whether symmetric, asymmetric, hashing, or elliptic curve. Thanks to its flexible code base, it can be quickly configured to support new and emerging algorithms as well. Bit length is easily configurable, from AES 256 or RSA 8192-bit.

Does key management have to be hardware-backed? What about software solutions?

There’s a big difference between running a key management software application on your computer, and integrating a key management server with your IT infrastructure. With a hardware-backed solution like an HSM or key management server, dedicated components on the circuit board perform encryption functions, taking the processing load away from the CPU. Encryption keys are also stored within dedicated hardware components. All of these components are protected by a physically secure, tamper-resistant boundary.

On the other hand, software-based key management is implemented through software applications running on the host’s CPU. The software application uses the CPU to execute encryption algorithms. With software, encryption keys are stored in the computer’s memory or storage device, posing a major security risk (among others).

Featured Resources

“Our customers trust us to provide rapid, reliable, and secure retail services, and Futurex enables our key injection systems that are a crucial component of this.” 


- Anthony Siracuse, CEO


Enterprise Data Encryption Solutions

Futurex provides HSMs and key management servers that handle encryption, bring-your-own-key (BYOK). Futurex helps enterprise organizations deploy a modern cloud data security environment that complies with the latest standards and regulations.
