Key Management

The growing threat landscape, with almost daily reports of data theft and security breeches, is driving the need for data encryption. More encryption means more cryptographic keys. However, when keys are compromised, encryption is no longer effective. Unfortunately, proper key security is often lacking.

Many organizations still store keys in software—a poor choice as hacks capture both data and the keys used to encrypt that data. The result is exposure of critical data harmful to both your organization and customers.

Keys should be stored in a separate hardware device. USB tokens and Smart cards are often used, but with the growing number of keys, it’s difficult to track them, monitor who has possession, or determine if they have been lost or stolen.

Hardware Security Modules (HSMs) ensure keys are secure and confidential, limiting access to only those who need it. Unencrypted keys never exist outside the HSM and all key related operations occur inside the HSM. They also provide physical and logical barriers to attack and tampering; unavailable to USB tokens, smart cards, or software.

Engage BlackVault is a cryptographic appliance with a built-in FIPS Level 3 Hardware Security Module (HSM). It supports the complete key management life cycle and is available as a Code / Document Signing appliance, Certificate Authority (CA), or fully featured HSM. BlackVault makes meeting key management best practices straight forward, secure, and affordable.

The BlackVault platform provides maximum protection for cryptographic keys. It’s FIPS 140-2 Level 3 tamper reactive, silicon based, cryptographic boundary ensures keys and other cryptographic material cannot be compromised. An attempt to defeat the BlackVault’sphysical, environmental, and electronic protection mechanisms causes keys to be deleted (zeroized).

The BlackVault platform also has a unique single trust path authentication mechanism. Two factor authentication is determined directly at the BlackVault by inserting a smart card into the smart card reader and entering your PIN on its touch screen display. This prevents compromised third party devices from gaining access to the BlackVault platform.

An “M of N” quorum can also be established for Crypto Officer, User, and Key Backup / Restore authentication. In this case, a minimum of “M” personnel (smart cards / PINs) must be present to authorize an action by the BlackVault. For example, a new code release cannot be digitally signed unless Engineering, QA and Product Management “sign-off” on the release.

The BlackVault platform includes both USB and Ethernet ports for on-line as well as off-line (air-gapped) applications. The USB port is also used for off-line file transfer and key backup. Backups are encrypted and the backup encryption key can be distributed across multiple smart cards. The Ethernet port is a secure TLS connection.

Compact and portable, with a battery life measured in decades, the BlackVault is easily transported and stored in a safe or other secure location.

With a menu driven touch screen display, and built-in applications, the BlackVault achieves a new level of simplicity and ease-of-use for what has traditionally been very complex functions.

Behind the scenes, the BlackVault platform supports the most advanced cryptographic algorithms and popular cryptographic APIs.