
What key management methods are available for cloud payment HSMs?

When VirtuCrypt payment HSMs are provisioned, securely loading encryption keys is a critical step. There are several methods by which administrators can securely load major keys into VirtuCrypt next-generation cloud payment HSMs: Bring Your Own Key, key agent services, and HSM-generated keys.

Bring Your Own Keys (BYOK)

Organizations that need to self-manage encryption keys can do so in VirtuCrypt next-generation cloud payment HSMs using the Bring Your Own Key (BYOK) method. The Excrypt Touch is Futurex's FIPS 140-2 Level 3 and PCI HSM validated tablet that allows organizations to securely manage their own encryption keys from anywhere in the world. With the Excrypt Touch, administrators establish a remote TLS connection with mutual authentication and load master keys into VirtuCrypt next-generation cloud payment HSMs; the keys are loaded in the clear only inside the HSM's secure boundary, never on the wire.

Transferring keys to VirtuCrypt cloud payment HSMs with the Excrypt Touch uses double encipherment for key components. Double encipherment means each component is encrypted twice, under two independent keys, each established from its own ephemeral key pair, so compromising either key alone yields nothing useful. To recover the component, the receiving HSM reverses the two layers in the opposite order using its own copies of those two keys. The keys used for this purpose are protected further by being ephemeral: they are generated for a single transfer, are never exposed in the clear outside the two devices, and are zeroized from memory as soon as they have been used to encrypt or decrypt the component.
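A model of the double-encipherment transport described above, written as an added example for this page rather than taken from Futurex's own implementation. It assumes that the tablet and the HSM have already agreed two independent ephemeral 256-bit session keys (the page does not describe how; here they are simply drawn from the CSPRNG and held in-process), that each layer is AES-256-GCM (an assumption; the page does not name the cipher), and the function names seal, open, doubleEncipher, doubleDecipher and transfer are mine. It shows the two layers applied in one order and removed in the opposite order, the session keys zeroized once the transfer completes, and a blob altered in transit being rejected rather than imported.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// aead builds AES-256-GCM for one 32-byte ephemeral session key.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag under a fresh random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; any change to nonce, ciphertext or tag fails the check.
func open(key, blob []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil || len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("unusable key or truncated blob: %v", err)
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// zeroize overwrites key material the moment it is no longer needed.
func zeroize(bufs ...[]byte) {
	for _, b := range bufs {
		for i := range b {
			b[i] = 0
		}
	}
}

// doubleEncipher seals the component under k[0], then that result under k[1].
func doubleEncipher(component []byte, k [2][]byte) ([]byte, error) {
	inner, err := seal(k[0], component)
	if err != nil {
		return nil, err
	}
	return seal(k[1], inner)
}

// doubleDecipher peels the layers in the opposite order: k[1], then k[0].
func doubleDecipher(blob []byte, k [2][]byte) ([]byte, error) {
	inner, err := open(k[1], blob)
	if err != nil {
		return nil, fmt.Errorf("outer layer: %w", err)
	}
	return open(k[0], inner)
}

// transfer carries one component across the wire and returns what the receiver
// recovered plus the transmitted bytes. With corrupt set, one wire byte is
// flipped in transit to show the receiver rejects the blob outright.
func transfer(component []byte, corrupt bool) (recovered, wire []byte, err error) {
	// Assumption: both ends already share two unrelated ephemeral keys agreed
	// inside the mutually authenticated TLS session; each is used exactly once.
	var k [2][]byte
	for i := range k {
		k[i] = make([]byte, 32)
		if _, err = rand.Read(k[i]); err != nil {
			return nil, nil, err
		}
	}
	defer zeroize(k[0], k[1]) // destroyed before this function returns
	if wire, err = doubleEncipher(component, k); err != nil {
		return nil, nil, err
	}
	if corrupt {
		wire[len(wire)-1] ^= 0x01
	}
	recovered, err = doubleDecipher(wire, k)
	return recovered, wire, err
}

func main() {
	component := bytes.Repeat([]byte{0xA5}, 32) // constructed 256-bit key component
	got, wire, err := transfer(component, false)
	fmt.Println("round trip:", bytes.Equal(got, component), "wire bytes:", len(wire), "err:", err)
	_, _, err = transfer(component, true)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The order of the layers is the point: the outer GCM tag is verified first, so a blob modified in transit is rejected before the inner layer or the component is ever touched, and the zeroize call runs on every return path so the single-use keys do not outlive the transfer. A production implementation would additionally bind the session keys to the mutually authenticated TLS session and zeroize the intermediate plaintext buffers, which this model leaves to the garbage collector.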

Key Agent Services

For organizations requiring key management assistance, Futurex's key agent team can compliantly load keys into VirtuCrypt cloud payment HSMs. With this service, VirtuCrypt handles the compliant receipt, loading, and storage of key components, but ownership of the keys remains with the customer throughout the process.

This method is the most common one used by financial services customers. When using this service, customers must fulfill certain compliance requirements relating specifically to the secure shipment of key components. As part of the onboarding and key loading process, customers are provided with detailed instructions to follow.

HSM-Generated Keys

Administrators can randomly generate major keys using the random number generator (RNG) built into their cloud HSMs. This RNG is part of the HSM's FIPS 140-2 Level 3 validated cryptographic boundary, so the key material is generated inside the HSM and never has to be transported into it.
