KMES Series 3
Encryption key management system
Key lifecycle, CA, and PKI solutions
Enterprise-class key management system
The Key Management Enterprise Server (KMES) Series 3 is a powerful and scalable key management system. Manage cryptographic keys, digital certificates, and other encrypted data. It can establish an offline root CA to form a public key infrastructure (PKI) for mutual authentication and digital signing operations. The KMES Series 3 contains a built-in FIPS 140-2 Level 3-certified hardware security module (HSM) to handle cryptographic operations. Available on-premises and in the cloud, the KMES Series 3 is an all-in-one solution to protect sensitive data.
Cloud key management
- Interface with public cloud providers: AWS, GCP, Azure
- Externalize key management, on-premises or in the cloud
- Bring Your Own Key (BYOK)
- External key management (EKM)
- Client-side encryption (CSE)
Data protection
- Application encryption: integrate encryption functionality into software
- Transparent data encryption (TDE): secure databases
- File encryption: automatic drag-and-drop encryption
- Vaultless tokenization: enhance protection and limit compliance scope
- Support for common cryptographic interfaces: PKCS #11, JCA/JCE, Open SSL, etc.
PKI and CA
- Offline root CA: establish root of trust
- Issuing CA: manage certificate lifecycles
- Encrypted network communication
- Certificate hierarchy and revocation (CRL and OCSP)
- Authenticate objects throughout distributed network
Code signing
- Authenticate code
- Automate code signing operations
- Sign firmware to thwart hacking attempts
- Integrate with Microsoft Authenticode or Java Developer Kit’s jarsigner tool
Payment key management
- Remote key loading and rotation
- Point-to-point encryption (P2PE)
- Create, store, encrypt, and sign keys
Automation
Automate repetitive key management tasks and set automatic backups for encryption keys, databases, and logs.
Multi-application support
Segregated key containers enable a single, logically-isolated cryptographic resource pool for multiple applications.
Interoperability
Construct a highly available network of key management devices with automatic key and certificate synchronization.
Why choose the KMES Series 3?
The KMES Series 3 is the last word on key lifecycle management. With vendor neutral APIs, automation and scripting capabilities, and an embedded FIPS 140-2 Level 3 validated HSM, the KMES Series 3 forms the cornerstone of your enterprise security infrastructure.
From managing specific keys to authenticating entire networks of devices, the KMES’s key and certificate lifecycle management capabilities make it easy to strengthen data security, digitally sign objects and code, and establish a secure PKI.
Click diagram to enlarge
Simple, secure key management
Symmetric and asymmetric key management for 3DES DUKPT, X.509 v3, EMV and support for X9.17, AKB, and TR-31 (including custom optional fields) key block formats.
Customizable, role-based access management
Versatile, permission-based user access control system to enforce dual control and segregation of duties with exportable user activity logs.
Ease of use
Simple graphical user interface (GUI) with no command-line tasks required for initial setup, regular auditing, firmware upgrades, or maintenance.
Versatile PKI functionality
Supports mutual authentication under a trusted offline root CA and generates and manages self-signed certificates to establish a trusted public key infrastructure (PKI).
PCI-compliant remote key distribution
Remotely inject encryption keys into ATM, POS, and mobile POS devices, reducing the logistical burden associated with direct encryption key injection, meeting industry and regulatory standards.
Automate auditing and reporting
Customizable reporting with automatic signing and transmission of activity logs to a remote syslog server for internal and external audits.
Multi-purpose and standards-compliant
Versatile key management solutions for enterprise and financial uses.
KMES Series 3 specifications
Hardware features
- Dual control-enabled, tamper-responsive
- Smart card reader for M-of-N key fragmentation and dual-factor authentication
- Dual, redundant gigabit Ethernet ports
- Dual, redundant, hot-swappable power supplies
- Automated, internal RAID-based backup of object management applications and databases
External hardware requirements
- Keyboard: Standard USB
- Mouse: Standard USB
- Video: Standard SVGA 1024×768 at 75Hz refresh
- PostScript-compatible printer for key printing (Optional)
Operating conditions
- Power Supply Configuration: Standard AC with two redundant, hot-swappable supplies
- Voltage: 90 VAC – 264 VAC
- Frequency: 47 Hz – 63 Hz
- Maximum Current (115/230 VAC): 12 / 6
- Efficiency: 80% (minimum)
- Operating temperature: 50° – 95°F (10° – 35°C)
- Storage temperature: 5° – 140°F (-15° – 60°C)
- Operating relative humidity: 20% – 80% (RH non-condensing)
- Storage relative humidity: 10% – 85% (RH non-condensing)
Dimensions and weight
- Height: 2U – 3.5 inches (8.9 cm)
- Length: 24.63 inches (62.56 cm)
- Width: 19 inches (48.3 cm)
- Weight: 43.5 lbs. (19.73 kg)
Unit includes
- Application CD
- Rack mount installation kit
- Two sets of two barrel keys
- Four smart cards
- Two power cables
Powering the VirtuCrypt cloud
VirtuCrypt key management services are backed by the KMES Series 3 with hardened, FIPS 140-2 Level 3 validated technology. Whether an organization requires complete infrastructure management or simply more functionality for existing Futurex infrastructure, VirtuCrypt offers a variety of service structures designed to meet security requirements.
Industry compliance standards
- FIPS 140-2 Level 3
- EMVCo
- PCI DSS
- ANS X9.24 – Part 1 and Part 2
- RoHS
- FCC Class B – Part 15
- Applicable future compliance mandates
Key types and protocols
- DES
- Triple DES
- DUKPT
- X.509 v3
- AES
- RSA
- EMVCo
- KMIP
EMV certificate management
- All major card brands supported
- Issuer self-signed certificate creation and export
- Creates ICC certificates to EMVCo specifications
