KMES Series 3

Enterprise-class key and certificate management

Key Management System KMES 3
Complete lifecycle management with full automation

Key management system

The Key Management Enterprise Server (KMES) Series 3 is a powerful and scalable key management system. It enables organizations to manage cryptographic keys, digital certificates, and other encrypted data. Its key management processes can establish an offline root CA to form a public key infrastructure (PKI) for mutual authentication and digital signing operations.

The KMES Series 3 contains a built-in FIPS 140-2 Level 3-certified hardware security module (HSM) to handle cryptographic operations. Available on-premises and in the cloud, the KMES Series 3 is an all-in-one-box solution with endless key management use cases.

Data protection

  • Application encryption
  • File encryption
  • Database encryption
  • 3rd party application integration

Vaultless tokenization

  • Prevent data theft through tokenization
  • Format-preserving encryption (FPE)
  • Reduce PCI DSS scope and cost

Enterprise PKI

  • Certificate hierarchy and revocation (CRL and OCSP)
  • Enterprise and IoT certificate issuing
  • Define X.509 v3 certificate extensions
  • Hybrid quantum-safe certificate authority

Cloud key management

  • Encryption key lifecycle management
  • Bring Your Own Key (BYOK)
  • Encrypted key transfer

Financial key management

  • Remote key loading and rotation
  • Point-to-point encryption (P2PE)
  • Create, store, encrypt, and sign keys

Digital signing

  • E-Invoice, device, and code signing
  • Offline CA and registration authority
  • EMV certificate authority (CA)

Automate repetitive key management tasks and set automatic backups for encryption keys, databases, and logs by using the GUI or an API

Multi-application support

Segregated encryption key containers enable a single, logically-isolated cryptographic resource pool for multiple applications


Construct a highly available network of encryption key management devices with automatic key and certificate synchronization

Why choose the KMES Series 3?

The KMES Series 3 can replace any obsolete encryption algorithm in real time, with ongoing support for emerging algorithms. From securing private keys to authenticating entire networks of devices, the KMES Series 3 can generate symmetric and asymmetric key pairs. Its key and certificate lifecycle management capabilities make it easy to strengthen data security, digitally sign objects and code, and establish a secure PKI.

Centralized key management platform

All-in-one versatile key management platform delivering encryption, integration, and public key infrastructure (PKI).

High availability with automatic synchronization

Create a highly available cluster of key management devices with automatic data synchronization ensuring no single point of failure. Pair with the Guardian Series 3 for load balancing.

Robust, versatile API for programmatic automation

Programmatically automate repetitive tasks such as creating groups, encryption keys, certificates, signatures, and testing communication.

PCI-compliant remote key distribution

Remotely inject encryption keys into ATM, POS, and mPOS devices, reducing the logistical burden associated with direct encryption key injection while meeting industry and regulatory standards.

Simple, secure key management

Symmetric and asymmetric key management for 3DES DUKPT, X.509 v3, EMV and support for X9.17, AKB, and TR-31 (including custom optional fields) key block formats.

Customizable, role-based access management

Versatile, permission-based user access control system to enforce dual control and segregation of duties with exportable user activity logs.

Ease of use

Fully functional graphical user interface (GUI), with no command-line tasks required for initial setup, regular auditing, firmware upgrades, or maintenance.

Versatile PKI functionality

Supports mutual authentication under a trusted offline root CA and generates and manages self-signed certificates to establish a trusted public key infrastructure (PKI).

Nth degree scalability

Highly scalable key management platform with automatic synchronization of objects with other Futurex devices centrally managed by the Guardian Series 3.

Automate auditing and reporting

Customizable reporting with automatic signing and transmission of activity logs to a remote syslog server for internal and external audits.

Multi-purpose and standards-compliant

Versatile key management solutions for enterprise and financial uses.

KMES Series 3 specifications

Hardware features

  • Dual control-enabled, tamper-responsive
  • Smart card reader for M-of-N key fragmentation and dual-factor authentication
  • Dual, redundant gigabit Ethernet ports
  • Dual, redundant, hot-swappable power supplies
  • Automated, internal RAID-based backup of object management applications and databases

Operating conditions

  • Power: 100 – 240 VAC, 50/60 Hz, 225 Watts
  • Operating temp: -40° to 140°F (-40° to 60°C)
  • Storage temp: -40° to 140°F (-40° to 60°C)
  • Operating humidity: 20% to 80% non-condensing
  • Storage humidity: 5% to 95% non-condensing

Dimensions and weight

  • Weight: 40.5 lbs (18.4 kg)
  • Width: 19 inches (48.3 cm)
  • Height: 2U – 3.47 inches (8.81 cm)
  • Depth: 22.3 inches (56.7 cm)

Powering the VirtuCrypt cloud

VirtuCrypt key management services are backed by the KMES Series 3 with hardened, FIPS 140-2 Level 3 validated technology. Whether an organization requires complete infrastructure management or simply more functionality for existing Futurex infrastructure, VirtuCrypt offers a variety of service structures designed to meet security requirements.

Industry compliance standards

  • FIPS 140-2 Level 3
  • EMVCo
  • ANS X9.24 – Part 1 and Part 2
  • RoHS
  • FCC Class B – Part 15
  • Applicable future compliance mandates

Key types and protocols

  • DES
  • Triple DES
  • X.509 v3
  • AES
  • RSA
  • EMVCo
  • KMIP

EMV certificate management

  • All major card brands supported
  • Issuer self-signed certificate creation and export
  • Creates ICC certificates to EMVCo specifications
