The evolving regulatory environment requires risk managers to increase their security and risk management spending. But as the volume of keys increases exponentially, organizations are finding it harder to demonstrate compliance.

Governments, banks and businesses operating in highly regulated markets need to prove compliance with security standards and protect sensitive data from unauthorized access.

Failing to do so puts you at risk of huge financial and reputational damage.

That’s why so many organizations turn to Cryptomathic. 

Not just because they trust the security our solution provides, but because CrystalKey 360 makes it easy to manage all policies, algorithms, keys, logging, and governance across HSMs, secure cloud enclaves, cloud key stores, and applications.

We’ve been pioneers in this space for over 35 years, providing services and solutions that deliver the highest levels of security. We understand the requirements of different markets and the pressures you are under as technology advances, regulations change and risks evolve.


CrystalKey 360 is a key management platform for all organizations needing to manage keys and demonstrate security compliance. It makes data security easy to use and empowers you to keep pace with regulation, cyberthreats and quantum computing power.

The all-in-one platform makes it easy to manage policies, algorithms, keys, logging, and governance across HSMs, secure cloud enclaves, cloud key stores, and applications. It is one system that brings everything together to vastly improve operational costs and efficiencies.

As a market leader in key management, we craft our technologies to meet your needs, including:


Centralized platforms to manage organization-wide use of keys and policies


Seamless switch to quantum-safe cryptography or other emerging requirements & standards through cryptographic agility


With vendor-agnostic interfaces to support multi-cloud and multi-vendor HSM setups


Protect keys and data anywhere with integrations to all your clouds and applications


Great user experience and ability to customize end-to-end flows to your requirements

Common questions and challenges we’re asked to help with include:


How do I...?

…get key distributions and remote key lifecycle management?

…cut costs on our HSM operations?

…centralize enforcement of key policies?

…simplify our auditing processes?

…become cryptographically agile or explore post-quantum readiness?

…enable cryptography-as-service for client applications?

…get a multi-cloud setup?

…expand our HSM vendor operations?

…improve our speed to market on new applications and initiatives requiring cryptographic services?




CrystalKey 360 delivers everything you need for best practice key management, via a scalable, centralized cryptographic platform, helping you mitigate risks before they happen.

How does CrystalKey 360 enhance your key management capabilities at scale?

  • A single platform providing key lifecycle management and Crypto-as-a-Service (CaaS)
  • Easily deployed and scaled to effortlessly deliver agile cryptography from the smallest of applications to the entire enterprise
  • Solves 50+ common cryptographic challenges, including data integrity and encryption, tokenization, transaction authorization, code signing and key lifecycle management
  • Acts as a control center for HSM services and policy management
  • Enforces specific roles and clear responsibilities for sets of keys
  • Frees staff from manual, repetitive tasks and enables teams to concentrate on policy decisions
  • Orchestrates delivery of keys between disparate systems and across multiple regions
  • Support for fully automated workflows and integration with certificate authorities (CAs) or Certificate Lifecycle Management (CLM)
  • Delivers huge cost and time savings by doing cryptography the right way

Centralized Key Management Platform

Powerful, flexible enterprise key management and key distribution feature sets

True cryptographic agility

Centralized Key Policy Enforcement across the organization in a single interface

Vendor independence and HSM-as-a-service

Create a consolidated, streamlined, transparent, vendor agnostic HSM-as-a-service offering for your entire organization

Securing multi-cloud setups

Bring your own encryption or keys to your clouds

Simplify auditing

Strong audit and logging trails for each application, in one place

Post quantum readiness

Enable cryptographic agility and centralized enforcement of quantum-resistant algorithms

APIs your developers will enjoy

Our APIs are built on a simple, powerful Crypto Query Language with zero learning curve

Fits into your existing infrastructure

Integrates with your legacy systems and processes

Data sovereignty, security and privacy by design

Operate in the cloud, on premises or hybrid infrastructure without sacrificing compliance with privacy laws (CCPA, GDPR, Privacy Act, etc.)

Flexible/Hybrid Deployment

Enjoy the freedom to keep key management on premises, while enabling cryptography services in your private, public or hybrid cloud

Centralize security decisions

All cryptographic decisions for all applications can be set centrally

CrystalKey 360 gives you a clear overview and complete control of your cryptographic hardware, policy enforcement, logging, auditing, cloud storage and key management.

Key management

Import, generate, export and renew keys, and enforce their correct usage (who can use the key and how they can use it)

Automate complex and repetitive manual key management tasks and liberate skilled staff for higher value tasks

Compliance and auditing

Audit-log key management processes – in tamper-proof environments – to protect from deliberate attacks and human errors

Easily demonstrate compliance with standards like PCI DSS and GDPR, and confidently comply with and pass internal/external audits

Health monitoring

Keep your infrastructure and HSMs healthy with data that allows operators to monitor the status of the entire system, as well as activity on individual HSMs

Trusted access

Perform admin without restrictions on time or place

Strong authentication supported by secure PIN entry devices (PEDs) and smart cards. PEDs also support key import/export and key share printing

Grant applications just enough privilege to complete their necessary functions, via a central policy file. Unless something is explicitly allowed, it's forbidden!


Support all widely used cryptographic algorithms, including RSA, AES, 3DES, HMAC and more

High availability, ensured through clustering of the servers, database and HSMs

Easily disable or add an HSM in a few clicks with zero downtime to related applications

Monitor and load-balance operations across a pool of general purpose and specialized HSMs, as appropriate

Simple integrations with legacy systems and new-build applications via API – avoid steep learning curves!

Typical use cases for Cryptography-as-a-Service

Endorsed Code Signing

Endorsed signing is a unique feature tailored for the code-signing market.

CrystalKey 360's endorsed signing feature gives you the secure workflows necessary to control what code may be signed. It requires that a minimum mandatory number of authorized ‘endorsers’ endorse a code signing request before a secure signing operation is permitted.

Managed Data Encryption

Tackle a common cryptography headache by ensuring encrypted data can be safely decrypted at a later date, even if the original key has been replaced.

This technique is ideally suited for long-term storage of encrypted data within a business database. Managed encryption is available to any application using CrystalKey 360.

Managed encryption provides confidentiality, authenticity and integrity (while normal encryption only offers the first of these). This means you can ensure data hasn't been modified while it was stored.


Tokenization protects sensitive data, such as PANs (primary account numbers), as they pass through business systems. The original data is replaced with a token of the same length, using a reversible process.

If you need to comply with PCI DSS, tokenization may provide a way to bring systems out of scope for audits.

Confidential Cloud Computing

In the uncertain trust levels of a cloud environment, it’s crucial to take a comprehensive approach to cloud security, incorporating customized security measures and a focus on securing cryptographic keys.

This includes compliance with complex privacy laws, maintaining control over data and keys, and managing risks from shared infrastructure and potential insider threats.

Some typical and proven use-cases for key management include:

  • EMV® keys for card issuance and authorization, e.g. BASE24
  • ATM and POS remote key loading (RKL)
  • HSM application keys, e.g. Atalla, Thales, etc.
  • Bring Your Own Key (BYOK) to cloud environments
  • Keys for data protection, e.g. PCI DSS & GDPR compliance
  • X.509 certificates for web servers (SSL/TLS), load balancers and more

Entities that keys can be delivered to include:

  • Java Key Store (JCEKS), PKCS #11 and Microsoft CAPI applications
  • Hardware Security Modules (HSM)
  • Cloud applications – ‘Bring Your Own Key’ formats
  • Payment Platforms – ATM and POS systems; Base24 and zOS integrations
  • Integrations with various certificate authorities are also supported.

EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.




Understanding the future of key management in the automotive industry

In our recent webinar, we covered the scope of upcoming regulations for the automotive industry, their potential impact and how to prepare for them.
The webinar covers how a similar transition has played out in the financial industry and what automotive professionals can learn from that example, before covering how a robust, scalable key management strategy plays a crucial role in securing both internal and external communication for software-defined vehicles.
