How it works

There are significant business benefits from centralizing and automating key-lifecycle processes. However, a product that does this must deliver a secure and robust service based on proven and certified technologies.

CKMS is built on a resilient client-server architecture. Hardware Security Modules (HSMs) are used to ensure high quality key material and strong protection of keys.

High availability is ensured through clustering of the servers, database and HSMs. Key management administration can be performed without restrictions on time or place via an intuitive GUI, supported by secure PIN entry devices (PEDs) and smart-cards for strong authentication. The PEDs also support key import/export and key share printing.

Keys are distributed to applications and HSMs in a wide range of formats (key blocks). All critical operations are recorded in a tamper-evident audit log.




Cryptomathic CKMS
The complete key management solution

The high-level elements of CKMS are described below.




CKMS Server

The CKMS Server is the central part of the system, where the actual key management takes place and from where keys are pushed to the key targets. The CKMS Server connects to its dedicated HSM and a database to provide key management and key requesting services.

CKMS Client

The CKMS Client provides a graphical user interface for users to manage and operate the CKMS server. The client is provided as a Windows application.


Database

CKMS stores all data in a standard commercial relational database. All sensitive information stored in the database, such as keys and key components, is encrypted under the master key of the HSM; keys only exist in clear text inside the HSM. Other sensitive data, for example settings and logs, is integrity-protected with an HSM-held MAC key, so the data cannot be modified outside the server.

Hardware Security Module

Every CKMS instance requires at least one HSM, which is used to ensure the generation of good keys and to protect sensitive material when it is stored in the database. Additionally, sophisticated techniques are used to ensure that keys and key components are never exposed in unencrypted form in server memory or on client machines.

Key Target / Client

Key Targets and Clients are the entities that receive keys and other credentials from CKMS. Key Targets receive keys automatically via an online protocol; Clients receive keys via manual export and import.


Other entities

CKMS also makes use of PIN-pads and smart-cards. These are used for both user authentication and the secure import of key components.


Integration Flexibility

To support the broadest range of integrations with applications (as Key Targets and Clients), CKMS supports a range of proprietary and standardised Key Block formats. These define, at bit level, the formats expected for keys to be exchanged with different systems. Supported formats include:

  • Atalla Key Block
  • BASE24 Key Exchange
  • MasterCard OBKM
  • PKCS#8 Cryptogram
  • TR-31
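As an illustration of what "defined at bit level" means for one of the listed formats, the following is an added Python example (not Cryptomathic code) that parses a TR-31 key block into its header fields, optional blocks, encrypted key data and MAC, and rejects blocks whose framing is inconsistent. The sample block is constructed: its ciphertext and MAC are dummy hex, and the MAC is not verified because that requires the key block protection key held in the HSM.

```python
from dataclasses import dataclass, field

# Per key block version ID: MAC length in hex characters, and the cipher
# block size (in characters) the header plus optional blocks must align to.
MAC_HEX_LEN = {"A": 8, "B": 16, "C": 8, "D": 32}
BLOCK_ALIGN = {"A": 8, "B": 8, "C": 8, "D": 16}

@dataclass
class KeyBlock:
    version: str        # A/B/C TDES-protected, D AES-protected
    declared_len: int
    key_usage: str      # e.g. P0 PIN encryption, K0 key encryption, D0 data
    algorithm: str      # A AES, T TDES, R RSA, ...
    mode_of_use: str    # E encrypt only, D decrypt only, B both, ...
    key_version: str
    exportability: str  # N non-exportable, E exportable, S sensitive
    optional_blocks: dict = field(default_factory=dict)
    encrypted_key_hex: str = ""
    mac_hex: str = ""

def parse_tr31(block: str) -> KeyBlock:
    """Split a key block into its fields; raise ValueError on framing errors.
    The MAC is not verified here: that needs the key block protection key,
    which only exists inside the HSM. Extended-length optional blocks
    (length field 00) are rejected."""
    if len(block) < 16 or block[0] not in MAC_HEX_LEN:
        raise ValueError("unsupported or truncated key block header")
    kb = KeyBlock(block[0], int(block[1:5]), block[5:7], block[7], block[8],
                  block[9:11], block[11])
    if kb.declared_len != len(block):
        raise ValueError(f"declared length {kb.declared_len} != {len(block)}")
    mac_len, pos = MAC_HEX_LEN[kb.version], 16
    for _ in range(int(block[12:14])):       # walk the optional blocks
        opt_id, opt_len = block[pos:pos + 2], int(block[pos + 2:pos + 4], 16)
        if opt_len < 4 or pos + opt_len >= len(block) - mac_len:
            raise ValueError(f"bad length for optional block {opt_id}")
        kb.optional_blocks[opt_id] = block[pos + 4:pos + opt_len]
        pos += opt_len
    if pos >= len(block) - mac_len or pos % BLOCK_ALIGN[kb.version]:
        raise ValueError("header/optional blocks misaligned or no key data")
    kb.encrypted_key_hex, kb.mac_hex = block[pos:-mac_len], block[-mac_len:]
    bytes.fromhex(kb.encrypted_key_hex + kb.mac_hex)  # ValueError if not hex
    return kb

# Constructed sample: AES PIN-encryption key, encrypt-only, non-exportable,
# with TS (timestamp) and PB (padding) optional blocks. Ciphertext and MAC
# are dummy hex, not real cryptographic values.
SAMPLE_BLOCK = ("D0144P0AE00N0200" + "TS14" + "20240101T120000Z" + "PB0C"
                + "00000000" + "0123456789ABCDEF" * 4 + "FEDCBA9876543210" * 2)
```

A receiving system would run these framing checks, then verify the MAC inside its HSM, and only then compare the key usage, mode of use and exportability fields against the policy for that key target before import.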




Case Study - Swedbank

Learn how one of Europe’s largest acquirers has modernised its cryptographic key management activities through central generation.


White Paper - EMV Key Management

Lack of overview or trouble understanding EMV key management? EMV as seen from a crypto angle for all involved parties in acquiring and issuing.


White Paper - Selecting the Right KMS

This paper describes a variety of systems that exist in the market and provides guidance to narrow down the field to best meet your requirements.



At the leading edge of security provision within its key markets, Cryptomathic closely supports its global customer base with many multinationals as longstanding clients.