How it works

CSG servers sit between your business applications and your existing hardware security modules (HSMs). A central policy file determines which crypto operations each application can perform and identifies the correct key to use. Applications connect to CSG through one of the supported APIs and CSG distributes crypto requests across all the available HSMs.

The policy acts like a firewall, preventing applications from performing any crypto operations that are not specifically allowed. It also specifies security properties, such as mode of operation, padding, key algorithm and key length - exactly the sort of data that security and audit teams need access to (and control over). Application keys are managed by CKMS, which pushes approved keys across the network to the CSG HSMs.


New Call-to-action
New Call-to-action
New Call-to-action

Cryptomathic CSG
Architecture Overview


Applications calling CSG do so using either a CSG client library or the RESTful interface. Client libraries can be configured either to directly load balance across all CSG servers or to integrate with an external load balancer. The CSG will authenticate applications based on credentials local to the CSG server cluster or through integration with an LDAP/AD service.

APIs - Crypto Query Language

Crypto Query Language (CQL) is the primary interface to CSG and enables developers to rapidly integrate applications. Compared to APIs such as PKCS #11, CQL has no learning curve and delegates all security decisions (including key selection) to the CSG policy file. CQL can be used from Java, .NET and C/C++ or through CSG’s RESTful API. An example of an encryption command is shown below:


Each developer will be given a welcome pack that describes which CSG servers to connect to and which commands they have access to. Templates for welcome packs are supplied with CSG.

CSG Servers

The CSG server is a Java application which will centrally control and manage applications, HSMs and cryptographic policy. A cluster of CSG servers would be deployed to ensure full availability and resilience capabilities.

Service Management

Administration of the CSG system is performed remotely via an admin client. All administrators authenticate to the system using Smartcard and PIN. The security critical operations, such as a change in CSG policy, must be done under dual control. Additionally, the admin client presents a monitoring pane which displays information on the health, load and transaction latency across the CSG servers and HSMs (this information is also exposed via a SOAP web service).


The CSG servers utilize a pool of HSMs, which they will monitor and load-balance operations across, as appropriate. CSG supports all major HSM brands and integrates with both General Purpose and specialized Payments HSMs.

Key Management 

CSG implements Cryptomathic’s Crypto Key Management System (CKMS) for management of application keys - throughout their entire life cycle. CKMS operators define and approve keys that will be used by CSG applications and push them automatically over the network to all CSG servers in the cluster.

CKMS allows key custodians to efficiently manage keys, whilst demonstrating compliance to company security policies and regulatory frameworks.

For more information on the benefits of using CKMS, including information on compliance, auditing and work-flow improvements, see CKMS.

We are always ready to assist you 

It doesn't matter where you are. We can work anywhere in the world! And we would love to hear from you, be sure we will reply asap.

Contact us



Case Study -

Read the case study to see why Barclays Bank chose CSG as their strategic enterprise crypto service.

Read Case study

Achieving Real-World Crypto-Agility

Learn how a business can assert control over its HSM estate, reduce risk, increase efficiency and attain confident compliance - with Crypto Service Gateway.

 Read White Paper
Code Signing

Topic Paper - Code Signing

Understand how CSG provides Endorsed Code Signing, enforcing the necessary secure workflows for controlling the code signing process with a business.

 Download Solution Brief