Proven solution for centralizing key management


keyAuthority® version 4.0 from Thales e-Security is a hardened cryptographic key manager that provides high levels of assurance to users of applications and systems with embedded encryption. keyAuthority supports widely accepted industry standards, including the Key Management Interoperability Protocol (KMIP) standard, to allow comprehensive endpoint interoperability. Centralized administration provides consistent key lifecycle policy enforcement with reliable auditing to ensure data recovery and long-term business continuity. Enterprises now have a high-performance key management solution that scales to support encryption requirements today and in the future. Its security boundary, which includes the entire chassis for higher assurance protection, has been validated to FIPS 140-2 Level 3.

New Product of the Year      GEA-Gold

Benefits of keyAuthority

  • Automates key lifecycle management across global enterprises.
  • Lowers risk of breaches with high-assurance, reliable hardware.
  • Accelerates encryption deployment through pre-qualified solutions.
  • Centralizes policy by using a single system to access and audit.
  • Reduces management overhead by integrating encryption silos.


keyAuthority® Features

Security Features 

  • Attack-resistant and tamper-evident hardware delivers high assurance protection for keys and the information they safeguard.
  • Automated key lifecycle policies make it easier for organizations to implement best practices in key management and enforce consistent security.
  • Multi-factor authentication, role-based access controls, and support for dual controls enable strong separation of duties and ensure authorized access to keys and devices.
  • Secure audit facilities enable reliable compliance reporting and verification of controls in place.

Operational Features

  • Centralized administration streamlines management of keys and encryption processes across even the most complex, heterogeneous global environments, enabling organizations to implement a consistent security model and reduce operating costs.
  • A performance-optimized solution that includes key backup and synchronized key replication helps to ensure high availability.  
  • Pre-qualification of leading encryption products simplifies and accelerates deployment for both proprietary and KMIP-based solutions.
  • Flexible, unified interface extends to a broad range of existing and emerging encryption products, so you can scale new enterprise applications with confidence.
  • Redundant field-serviceable fans, dual hot-swap power supplies, and other redundant hardware features ensure a fault-tolerant solution suitable for high-availability applications.
  • Group and domain separation supports multi-tenancy applications, enabling service providers to streamline operations.

keyAuthority® Options and Accessories


Replacement Power Supply Unit (PSU)

keyAuthority features dual, hot-swappable power supply units (PSUs) to provide for easy, self-supported field replacement and enhance business continuity. By purchasing additional keyAuthority PSUs, organizations can easily replace failed parts immediately on-site without the downtime normally associated with RMA returns.

Replacement Fan Tray

keyAuthority features redundant, field-replaceable fan trays. Fans are mounted on a fan tray that enables easy replacement of the entire tray; fans cannot be replaced individually. Like the power supplies, the fans are located outside the keyAuthority security boundary. Thales replacement fan trays enable you to replace failed parts immediately on-site without unnecessary downtime.

Additional Smart Cards

For organizations that require more smart cards than are supplied as standard with the keyAuthority Accessory Kit, additional packs of 5 smart cards are available for use in system key recovery policy (m of n) and user 2-factor authentication.

Additional Smart Card Readers

keyAuthority incorporates a built-in smart card reader, along with one external remote smart card reader accessory as standard, to facilitate remote user authentication to the system. In the event that a smart card reader is damaged or lost/stolen, or additional back-up units are required to support more users, organizations can purchase additional remote smart card readers to be used in a keyAuthority installation.

keyAuthority® Specifications

Cryptographic algorithms supported:

  • Symmetric
    • AES (128, 192, 256)
    • XTS AES (128, 256)
    • EME2 AES (128, 256)
    • CCM 128 AES 256
    • GCM 128 AES 256
    • CBC AES 256 HMAC SHA (1, 256, 512)
    • XTS AES 256 HMAC SHA 512
    • XCB AES (128, 256)
    • TDES
  • Asymmetric
    • RSA 2048 (Key wrapping, exchange, agreement and log signing)
    • AES 256 (key wrapping of material stored on disk and authenticated using HMAC SHA 512 for Group Keys)
  • Hashing
    • N/A 


  • FIPS 140-2 Level 3 (certificate #1777 for v3.03 firmware)
  • UL, CE, FCC, C-Tick
  • RoHS

Applications supported:

Below is a non-exhaustive list of applications that utilize proprietary protocols or KMIP for key management interoperability and have been tested by Thales.

  • Brocade Encryption Switch and FS8-18 Encryption Blades for DCX Chassis
  • IBM encryption-ready tape (TS-Series) and disk (DS-Series) storage line products
  • Hitachi Virtual Storage Platform (VSP) and Hitachi Unified Storage (HUS) VM
  • Quantum Scalar tape libraries
  • Sepaton S2100-ES3 series 2925 Backup and Recovery Appliance