KMES Series 3

Encryption key management system

Key Management System KMES 3
Much more than an HSM

An enterprise-class key management system

The Key Management Enterprise Server Series 3 is a powerful and scalable key management solution. It unites every possible encryption key use case – from root CA to PKI to BYOK – in a nexus of cryptographic utility. Automate and script key lifecycle routines. Secure private keys with a built-in FIPS 140-2 Level 3 validated HSM. Deploy it on-premises for tamper-proof control, or in the cloud for native integration with public cloud providers. The KMES Series 3 is the last word on encryption key management and is the cornerstone of enterprise cryptographic ecosystems around the world.

Sales brochureTalk to an expert

Cloud key management

  • Unlimited scalability in the cloud
  • Native integration with public cloud providers
  • Bring Your Own Key (BYOK)
  • External key management (EKM)
  • Client-side encryption (CSE)

Data protection

  • Integrate application encryption into software
  • Secure databases with transparent data encryption (TDE)
  • Drag-and-drop files for automatic encryption
  • Tokenize data without token vaults to limit compliance scope
  • Support for PKCS #11, JCA/JCE, Open SSL, and much more

PKI and CA

  • Establish an offline root CA for foundational security
  • Manage certificate lifecycles with an issuing CA
  • Encrypt communication between network devices
  • Define CRLs and OCSPs to improve management
  • Manage signatures to authenticate digital objects

Code signing

  • Issue certificates to authenticate code
  • Automate your enterprise code signing operations
  • Digitally sign firmware to enhance security
  • Integrate with Microsoft Authenticode or Java jarsigner

Payment key management

  • Load and rotate keys remotely (RKL)
  • Establish point-to-point encryption (P2PE)
  • Create, store, encrypt, and sign payment keys

Manage encryption key lifecycles efficiently with sophisticated automation and scripting options. Reduce the manual effort involved with automated backups.

Multi-application support

Establish a logically isolated cryptographic resource pool to be shared among different applications with the KMES Series 3’s segregated key containers.


Design a highly available network of Futurex devices which communicate via a common code base to synchronize encryption keys and certificates.

Why choose the KMES Series 3?

The KMES Series 3 stands alone among key management solutions. It is a dynamic, all-in-one key management tool with support for all common vendor-neutral APIs, flexible automation and scripting capabilities, and an embedded FIPS 140-2 Level 3 validated HSM.

This makes it fast to deploy, easy to integrate, and efficient to manage, all while adhering to the most rigorous physical and logical compliance requirements. With on-premises, cloud, and hybrid deployment options, your key management possibilities are virtually unlimited.

Click diagram to enlarge

Centralized key management

On its own, the KMES Series 3 manages keys across an enterprise, delivering PKI and CA. Integrating it with other HSMs multiplies its effectiveness.


The KMES is designed to work with multi-tenancy environments, making it a powerhouse of cryptographic infrastructure.

Programmatic automation

With the KMES can automate tasks like creating groups, rotating keys, revoking certificates, signing objects, and testing communication with granular detail.

Embedded HSM handles encryption

The KMES contains an embedded Futurex HSM certified under FIPS 140-2 Level 3 and PCI PTS HSM.
Related: Externalized key management

Deploy cloud functions like BYOK, EKM, and CSE to expand your service offerings.

See it now

Related: Key lifecycle management

Learn more about how the KMES manages encryption key lifecycles.

See it now

Simple, secure key management

Symmetric & asymmetric key management for 3DES DUKPT, X.509 v3, EMV and support for X9.17, AKB, and TR-31 (with custom fields).

Role-based access management

Permission-based user access control enforces dual control and segregation of duties. Includes exportable user activity logs.

Ease of use

The intuitive user interface doesn’t require command-line tasks for initial setup, regular auditing, firmware upgrades, or maintenance.

Versatile PKI functionality

The KMES supports mutual authentication under an offline root CA. It can generate and manage self-signed certificates to establish a trusted PKI.

PCI-compliant remote key distribution

Remotely distribute keys across ATMs and POS devices (including mobile POS) to reduce logistical and compliance burdens.

Custom auditing and reporting

Automatically sign and send activity logs to a remote syslog server for internal and external audits.

Multi-purpose and highly compliant

Versatile key management solutions for enterprise and financial use.

Exploring encryption key management systems

Proper management for cryptographic keys

Encryption is most effective when paired with smart encryption key management. But what makes for smart key management? At the end of the day, it comes down to finding a key management tool that centralizes management without compromising encrypted data.

Key management systems evolution

Traditionally, organizations had to manage encryption keys using physical hardware security modules or some form of encryption key management software. Larger enterprises tend to have on-premises data security infrastructure to which they might add a physical key management server. But today, many organizations are migrating their applications to the cloud. This has led to a rise in cloud-based encryption key management systems as a cost-effective alternative to on-premises key management tools.

Key management service deployment considerations

One of the main advantages of an efficient key management tool is centralization. By consolidating cryptographic operations into a single-vendor solution, it streamlines your ability to manage existing data security infrastructure and to deploy new encryption key management use cases, such as remote key loading (RKL), Bring-Your-Own-Key (BYOK), or external key management (EKM). It also allows enterprise organizations to integrate their systems with public cloud providers such as Amazon Web Services (AWS) or Google Cloud Platform (GCP).

Data protection versatility with Futurex

With a trusted solution to manage cryptographic keys like the KMES Series 3, you don’t have to choose between maximal functionality or minimal cost. The inherent flexibility of the key management tool allows you to manage keys and encrypt data from a single hardware security module. It’s just one of many reasons why the KMES Series 3 is a true all-in-one encryption key lifecycle management solution.

KMES Series 3 specifications

Hardware features

  • Dual control-enabled, tamper-responsive
  • Smart card reader for M-of-N key fragmentation and dual-factor authentication
  • Dual, redundant gigabit Ethernet ports
  • Dual, redundant, hot-swappable power supplies
  • Automated, internal RAID-based backup of object management applications and databases

External hardware requirements

  • Keyboard: Standard USB
  • Mouse: Standard USB
  • Video: Standard SVGA 1024×768 at 75Hz refresh
  • PostScript-compatible printer for key printing (Optional)

Operating conditions

  • Power Supply Configuration: Standard AC with two redundant, hot-swappable supplies
  • Voltage: 90 VAC – 264 VAC
  • Frequency: 47 Hz – 63 Hz
  • Maximum Current (115/230 VAC): 12 / 6
  • Efficiency: 80% (minimum)
  • Operating temperature: 50° – 95°F (10° – 35°C)
  • Storage temperature: 5° – 140°F (-15° – 60°C)
  • Operating relative humidity: 20% – 80% (RH non-condensing)
  • Storage relative humidity: 10% – 85% (RH non-condensing)

Dimensions and weight

  • Height: 2U – 3.5 inches (8.9 cm)
  • Length: 24.63 inches (62.56 cm)
  • Width: 19 inches (48.3 cm)
  • Weight: 43.5 lbs. (19.73 kg)

Unit includes

  • Application CD
  • Rack mount installation kit
  • Two sets of two barrel keys
  • Four smart cards
  • Two power cables

Powering the VirtuCrypt cloud

VirtuCrypt key management services are backed by the KMES Series 3 with hardened, FIPS 140-2 Level 3 validated technology. Whether an organization requires complete infrastructure management or simply more functionality for existing Futurex infrastructure, VirtuCrypt offers a variety of service structures designed to meet security requirements.

VirtuCrypt services

Industry compliance standards

  • FIPS 140-2 Level 3
  • EMVCo
  • ANS X9.24 – Part 1 and Part 2
  • RoHS
  • FCC Class B – Part 15
  • Applicable future compliance mandates

Key types and protocols

  • DES
  • Triple DES
  • X.509 v3
  • AES
  • RSA
  • EMVCo
  • KMIP

EMV certificate management

  • All major card brands supported
  • Issuer self-signed certificate creation and export
  • Creates ICC certificates to EMVCo specifications

Want to learn more?

Contact a Solutions Architect today.

Give us a call