2 min read

HSM remote key loading using CKMS and PCI-certified KLD

HSM remote key loading using CKMS and PCI-certified KLD

Hardware security modules (HSMs) are physical devices that provide cryptographic functions such as encryption/decryption and digital signing. They are used in many industries where strong security is necessary, including finance, banking, government, military and healthcare. In banking in particular, HSMs are used to validate all payment card transactions.

HSMs are typically installed in a secure rack in private bank datacenters around the globe. For evident security reasons, accessing these datacenters is strictly controlled and in nature, accessing these HSMs inside the datacenter is inconvenient even for the security teams responsible for this infrastructure.

There is a need to remotely administer these HSMs once provisioned and to manage and to load the cryptographic keys required for payment processing. This is what we call “remote key loading”.

PCI HSM Security StandardNew Call-to-action

The Payment Card Industry (PCI) provides standards for the security of payment card transactions and requires that HSMs used in payment processing comply with their security standards. Among others, key management is a critical component of HSMs. Key management involves securely creating, storing, distributing, and managing cryptographic keys used to secure payment transactions.

In December 2021, the PCI organization has released the PCI PTS HSM v4 version of their standard. It puts emphasis on the usage of key blocks and the use of the AES algorithm as well as new cloud HSM security requirements. Overall, remote administration of HSMs is getting more stringent.

PCI mandate to use Key Blocks

A key block is a key format that ensures the confidentiality and integrity of the key value, but also the integrity of its usage. By binding the key usage to the key itself, we ensure the key can not be used for anything else except what it was generated for (e.g. PIN encryption).

PCI PIN security requirements have increased the use of key blocks in three different phases (PCI PIN Security Requirement 18-3 - Key Blocks):

  • Phase 1 – Effective June 1, 2019, key blocks for internal connections and key storage within service provider environments are to be implemented. This includes all applications and databases that are connected to HSMs.
  • Phase 2 – Effective by January 1, 2023, the implementation of key blocks for external connections to associations and networks must be done.
  • Phase 3 – Effective by January 1, 2025, implementation of key blocks to extend to all point-of-sale (POS), merchant hosts, and ATMs must be done.

Key block formats which exist today are TR-31, Atalla Key Block and other proprietary key blocks. TR-31 appears as being the de-facto standard.

PCI Key Loading Device (KLD)

A key loading device (KLD) is a secure device that is used to generate keys, generate key components, combine key components and export/import keys and key components in a variety of formats. KLDs are very convenient as they offer a new way to do "key ceremonies” in an online fashion, far from the datacenter. Once key components are combined on the KLD and the key(s) are ready for loading into the HSM, they can be exported in a key block, typically TR-31 or Atalla Key Block, depending on the target HSM or Key Management System.

New Call-to-action

Key Loading Devices are also certified by PCI with the specific approval class “KLD” under PCI-PTS.

Cryptomathic Key Management System for remote key loading with PCI KLD

Only a few vendors can offer PCI-certified key loading devices today and Cryptomathic is pleased to offer the support of some of them with its Key Management System (CKMS).

From a Key Loading Device, payment keys can be exported into TR-31 key blocks that can be imported into Cryptomathic CKMS for long-term storage. Once securely stored in CKMS, these payment keys can be distributed to payment HSMs such as the Thales PayShield HSM or the Atalla HSM.

In the near future, cloud providers who wish to offer payment services using payment HSMs could use Cryptomathic CKMS and a PCI-certified KLDs to manage and upload payment keys remotely into their infrastructure.


Cryptomathic is a leading provider of strong encryption solutions for key management and cryptographic agility - whether it's on-premise or in the cloud.

Get in touch to hear how we can help with your key management and payment security.