Enterprise-Class Use Cases

  • Symmetric key lifecycle management
  • Enterprise certificate authority and public key infrastructure (PKI) for offline root, EMV CA, and more
  • Registration authority
  • Data protection, application encryption, and integration with 3rd-party applications
  • Vaultless tokenization
  • Quantum-safe hybrid certificate authority issuance

An Easier Way to Securely Manage Keys

The Key Management Enterprise Server (KMES) Series 3 is a versatile and secure solution for organizations charged with managing large volumes of keys, certificates, and other cryptographic objects. Whether it be key generation, transfer, storage, or deletion, the KMES brings full spectrum key management into a single device.

The KMES is a Secure Cryptographic Device (SCD) that utilizes robust, hardened security to protect keys and certificates at the source, as well as extensive logical measures, such as dual control and a role-based permission system, that secure sensitive data from both external and internal threats. FIPS 140-2 Level 3-compliant, the KMES' hardware utilizes a reinforced steel chassis, unique bezel locks, and a hardened epoxy barrier containing tamper-responsive sensor wires that instantly zeroize sensitive data during any physical intrusion attempt.

Perfect for Manufacturers 

The KMES' capacity for high-volume key management makes it an ideal solution for manufacturers. Organizations, such as internet of things (IoT) providers, who are responsible for managing a large number of encryption keys are well aware of the difficulties and inconveniences associated with the process, especially if the key management system relies on multi-vendor solutions. The KMES simplifies the key management process by providing a single-source solution for injecting keys and certificates, all the while increasing key security and compliance. 

The KMES is adaptable enough to fit into the cryptographic infrastructures of large-scale manufacturers. Futurex's custom development program can also provide a further level of integration for manufacturers needing additional resources.

Diverse Functionality

From device authentication to the generation of keys for POS environments, the KMES is able to handle the symmetric and asymmetric key processes for your industry. The KMES supports all major key types, algorithms, and protocols, with more being continually added as new technologies emerge. Futurex can also develop solutions that are fully customized for your organization’s key and certificate needs, relying on years of successful experiences with previous custom initiatives.

Establish a public key infrastructure (PKI) by using the KMES to manage certificate trees, individual certificates, private keys, signing requests, and more through import, export, generation, tracking, storage, and revocation. Symmetric key processes are made simple through the KMES’ functionality for batch generation, import, and export; automatic expiration; key templates; key group format cloning; and key component printing.

The Quantum Computing Shift

The KMES Series 3 offers expansion functionality to support quantum-safe hybrid certificate authorities. This allows organizations to issue a single certificate that contains both conventional public key algorithms, such as RSA and ECC, and quantum-safe ones. This mitigates the inevitable quantum computing risk and allows organizations to make the transition on their own timelines.

Versatile Functionality

  • Supports all common key types and protocols, including DES, Triple DES, DUKPT, X.509 v3, AES, RSA, and EMVCo
  • X9.17, AKB, and TR-31 (including custom optional fields) key block formats are available for use
  • Encryption keys, including major keys, can be imported, exported, and backed up onto smart cards using M of N fragmentation
  • Custom, user-defined attributes and object grouping simplify the management and organization process
  • Supports mutual authentication under a trusted root certificate to establish a trusted public key infrastructure (PKI)
  • Capable of generating and managing self-signed root certificates

Enterprise Application Encryption

  • FIPS compliant security for application-based data protection
  • Centrally manage the full key, certificate, and policy lifecycle
  • Easy-to-use architecture simplifies and expedites deployment
  • Segregated key containers, enabling the creation of a single cryptographic resource pool for multiple independent applications
  • Web-based workflow management for automation of key lifecycle tasks
  • Standards-based libraries for easy integration: KMIP, C# .NET, Java

Scalable Integration

  • Capable of storing millions of keys and certificates
  • Scalable to the Nth degree with multiple KMES devices centrally managed by the Guardian Series 3
  • Customized, real-time monitoring and alerting via SMS, SMTP, and SNMP
  • Automatic synchronization of objects with other KMES devices
  • Object sharing with other Hardened Enterprise Security Platform devices and optional object segregation between remote applications


  • Compliant with emerging and current compliance standards such as FIPS 140-2 Level 3, EMVCo, PCI DSS, ANSI X9.24 - Part 1 and Part 2, RoHS, and FCC Class B - Part 15
  • Automatically transmit data logs to a remote syslog server for internal and external audits
  • Digitally signed log files, which ensure that data integrity is maintained and that logs cannot be altered

Ease of Use

  • Fully functional graphical user interface (GUI) with no command line tasks required for initial setup, regular auditing, firmware upgrades, or maintenance
  • Simple installation and management procedures, resulting in minimal training for administrative personnel
  • Automated, network-based backups, providing peace of mind and fulfillment of best practices
  • Web-based remote capabilities, simplifying use and enabling deployment in lights-out data centers


  • 2U hardened steel chassis with “Puzzle Box” tamper-resistant design
  • Detachable front panel with two unique locks, enabling dual control over front panel controls
  • Versatile, permission-based user system for enforcement of dual control and segregation of duties
  • Software enforcement of split knowledge principles
  • Battery-backed Secure Cryptographic Device (SCD) with epoxy barrier and tamper-responsive sensor wires

Dimensions and Weight

  • Weight: 40.5 lbs (18.4 kg)
  • Width: 19 inches (48.3 cm)
  • Height: 2U - 3.47 inches (8.81 cm)
  • Depth: 22.3 inches (56.7 cm)

Industry Compliance Standards Met

  • FIPS 140-2 Level 3
  • EMVCo
  • ANS X9.24 - Part 1 and Part 2
  • RoHS
  • FCC Class B - Part 15
  • Applicable future compliance mandates

EMV Certificate Management

  • All major card brands supported
  • Supports issuer self-signed certificate creation and export
  • Creates ICC certificates according to EMVCo specifications

KMES Series Unit Includes

  • KMES Series 3 application CD
  • KMES Series 3 documentation CD
  • User guide
  • Mounting brackets
  • Two sets of two SCD barrel keys
  • Cables

Operating Conditions

  • Power requirements: 100 - 240 VAC 50/60 Hz. 225 Watts
  • Operating temperature: -40° to 140°F (-40° to 60°C)
  • Storage temperature: -40° to 140°F (-40° to 60°C)
  • Operating relative humidity: 20% to 80% non-condensing
  • Storage relative humidity: 5% to 95% non-condensing


  • Dual control-enabled, tamper-responsive and evident design
  • Smart card reader for M-of-N key fragmentation and dual-factor authentication
  • Dual, redundant gigabit Ethernet ports
  • Dual, redundant, hot-swappable power supplies
  • Automated, internal RAID-based backup of object management application and databases

Supported Key Types and Protocols

  • DES
  • Triple DES
  • X.509 v3
  • AES
  • RSA
  • EMVCo
  • KMIP