KMES Series 3

Encryption key management system

Key Management System KMES 3
Key lifecycle, CA, and PKI solutions

Enterprise-class key management system

The Key Management Enterprise Server (KMES) Series 3 is a powerful and scalable key management system. Manage cryptographic keys, digital certificates, and other encrypted data. It can establish an offline root CA to form a public key infrastructure (PKI) for mutual authentication and digital signing operations. The KMES Series 3 contains a built-in FIPS 140-2 Level 3-certified hardware security module (HSM) to handle cryptographic operations. Available on-premises and in the cloud, the KMES Series 3 is an all-in-one solution to protect sensitive data.

Sales brochureTalk to an expert

Cloud key management

  • Interface with public cloud providers: AWS, GCP, Azure
  • Externalize key management, on-premises or in the cloud
  • Bring Your Own Key (BYOK)
  • External key management (EKM)
  • Client-side encryption (CSE)

Data protection

  • Application encryption: integrate encryption functionality into software
  • Transparent data encryption (TDE): secure databases
  • File encryption: automatic drag-and-drop encryption
  • Vaultless tokenization: enhance protection and limit compliance scope
  • Support for common cryptographic interfaces: PKCS #11, JCA/JCE, Open SSL, etc.

PKI and CA

  • Offline root CA: establish root of trust
  • Issuing CA: manage certificate lifecycles
  • Encrypted network communication
  • Certificate hierarchy and revocation (CRL and OCSP)
  • Authenticate objects throughout distributed network

Code signing

  • Authenticate code
  • Automate code signing operations
  • Sign firmware to thwart hacking attempts
  • Integrate with Microsoft Authenticode or Java Developer Kit’s jarsigner tool

Payment key management

  • Remote key loading and rotation
  • Point-to-point encryption (P2PE)
  • Create, store, encrypt, and sign keys

Automate repetitive key management tasks and set automatic backups for encryption keys, databases, and logs.

Multi-application support

Segregated key containers enable a single, logically-isolated cryptographic resource pool for multiple applications.


Construct a highly available network of key management devices with automatic key and certificate synchronization.

Why choose the KMES Series 3?

The KMES Series 3 is the last word on key lifecycle management. With vendor neutral APIs, automation and scripting capabilities, and an embedded FIPS 140-2 Level 3 validated HSM, the KMES Series 3 forms the cornerstone of your enterprise security infrastructure.

From managing specific keys to authenticating entire networks of devices, the KMES’s key and certificate lifecycle management capabilities make it easy to strengthen data security, digitally sign objects and code, and establish a secure PKI.

Click diagram to enlarge

Centralized key management platform

All-in-one versatile key management platform delivering encryption, HSM integration, and public key infrastructure (PKI).

Multi-tenancy environments

The KMES is conducive to multi-tenancy environments, and serves as the key-management powerhouse in any cryptographic infrastructure.

Programmatic automation with flexible APIs

Automate repetitive tasks such as creating groups, encryption keys, certificates, signatures, and testing communication.

Embedded HSM handles encryption

The KMES Series 3 contains an embedded, FIPS 140-2 Level 3 validated HSM which provides a secure method of encrypting data.
Related: Externalized key management

Control your own keys using BYOK, EKM, and CSE. The highest level of security.

See it now

Related: Key lifecycle management

Learn more about encryption key lifecycle management with the KMES Series 3.

See it now

Simple, secure key management

Symmetric and asymmetric key management for 3DES DUKPT, X.509 v3, EMV and support for X9.17, AKB, and TR-31 (including custom optional fields) key block formats.

Customizable, role-based access management

Versatile, permission-based user access control system to enforce dual control and segregation of duties with exportable user activity logs.

Ease of use

Simple graphical user interface (GUI) with no command-line tasks required for initial setup, regular auditing, firmware upgrades, or maintenance.

Versatile PKI functionality

Supports mutual authentication under a trusted offline root CA and generates and manages self-signed certificates to establish a trusted public key infrastructure (PKI).

PCI-compliant remote key distribution

Remotely inject encryption keys into ATM, POS, and mobile POS devices, reducing the logistical burden associated with direct encryption key injection, meeting industry and regulatory standards.

Automate auditing and reporting

Customizable reporting with automatic signing and transmission of activity logs to a remote syslog server for internal and external audits.

Multi-purpose and standards-compliant

Versatile key management solutions for enterprise and financial uses.

KMES Series 3 specifications

Hardware features

  • Dual control-enabled, tamper-responsive
  • Smart card reader for M-of-N key fragmentation and dual-factor authentication
  • Dual, redundant gigabit Ethernet ports
  • Dual, redundant, hot-swappable power supplies
  • Automated, internal RAID-based backup of object management applications and databases

External hardware requirements

  • Keyboard: Standard USB
  • Mouse: Standard USB
  • Video: Standard SVGA 1024×768 at 75Hz refresh
  • PostScript-compatible printer for key printing (Optional)

Operating conditions

  • Power Supply Configuration: Standard AC with two redundant, hot-swappable supplies
  • Voltage: 90 VAC – 264 VAC
  • Frequency: 47 Hz – 63 Hz
  • Maximum Current (115/230 VAC): 12 / 6
  • Efficiency: 80% (minimum)
  • Operating temperature: 50° – 95°F (10° – 35°C)
  • Storage temperature: 5° – 140°F (-15° – 60°C)
  • Operating relative humidity: 20% – 80% (RH non-condensing)
  • Storage relative humidity: 10% – 85% (RH non-condensing)

Dimensions and weight

  • Height: 2U – 3.5 inches (8.9 cm)
  • Length: 24.63 inches (62.56 cm)
  • Width: 19 inches (48.3 cm)
  • Weight: 43.5 lbs. (19.73 kg)

Unit includes

  • Application CD
  • Rack mount installation kit
  • Two sets of two barrel keys
  • Four smart cards
  • Two power cables

Powering the VirtuCrypt cloud

VirtuCrypt key management services are backed by the KMES Series 3 with hardened, FIPS 140-2 Level 3 validated technology. Whether an organization requires complete infrastructure management or simply more functionality for existing Futurex infrastructure, VirtuCrypt offers a variety of service structures designed to meet security requirements.

VirtuCrypt services

Industry compliance standards

  • FIPS 140-2 Level 3
  • EMVCo
  • ANS X9.24 – Part 1 and Part 2
  • RoHS
  • FCC Class B – Part 15
  • Applicable future compliance mandates

Key types and protocols

  • DES
  • Triple DES
  • X.509 v3
  • AES
  • RSA
  • EMVCo
  • KMIP

EMV certificate management

  • All major card brands supported
  • Issuer self-signed certificate creation and export
  • Creates ICC certificates to EMVCo specifications

Want to learn more?

Contact a Solutions Architect today.

Give us a call