Data Security and Key Management - Thales e-Security

Datacryptor 5000 Series Multi-Layer Network Encryption


Datacryptor 5000 Series

High Performance Security for Data In Motion


The Datacryptor 5000 Series is the newest addition to the Thales e-Security portfolio of data in motion network security solutions. Datacryptor 5000 devices bring all the benefits of Layer 2 encryption to mixed backbone network types. Able to traverse Layer 2, IPv4 and IPv6 networks, the versatile Datacryptor 5000 is loaded with new features designed to secure data in motion with little to no impact on network performance or expensive bandwidth. Boasting an industry-unique Turbo Efficiency mode, the Datacryptor 5000 Series delivers high-speed security at 95% bandwidth efficiency.


    • Comprehensive data in motion security for Layer 2, IPv4 and IPv6 Networks
    • 95% bandwidth efficiency optimizes encrypted throughput from 10 Mbps to 10 Gbps
    • Integrated group key management system scales to support hundreds of encryptors with no-cost redundancy
    • Traffic Flow Security prevents traffic analysis and side channel attacks
    • Field upgradeable to protect against new threats and to ensure long service life


Datacryptor 5000 Series: Features & Benefits

Security Features 

    • Datacryptor 5000 Series products are designed to meet the latest worldwide standards for commercial cryptography.
    • Traffic Flow Security completely masks traffic patterns to prevent traffic analysis.
    • Galois Counter Mode ensures data integrity.
    • Group Key Management enables multiple VLANs to be separated by key material (multi-tenancy).
    • Unicast and Multicast key delivery ensures quick setup and low overhead keying of large scale networks.
    • Each Datacryptor 5000 device can simultaneously perform encryption and key management functions providing redundant backup key servers at no additional cost.
    • Key Server and Key Management implementation scales to support many hundreds of encryptors.

Operational Features

    • Operates in Point to Point, Hub and Spoke, and Multipoint Mesh Layer 2 architectures.
    • Layer 3 IP Tunnel capability enables Layer 2 encrypted traffic to be routed over any IPv4 or IPv6 network.
    • Programmable Turbo Efficiency mode achieves up to 95% bandwidth efficiency for encrypted traffic.
    • Variable speed licenses can be purchased as physical link and capacity demands grow.
    • Smart card configuration enables quick remote deployments without the need for security expertise at each site.
    • Field upgradeable to ensure many years of continuous service.
    • Robust hardware design on 19” Rack Mount models includes redundant fans and power supplies (hot swappable for Datacryptor 5300 and Datacryptor 5400 models).
    • A small form factor version (Datacryptor 5100) is available to facilitate use in space-constrained environments.

Datacryptor 5000 Series: Options & Accessories

Optional Feature Licenses

The IPv4 and IPv6 Tunnel Mode and the Traffic Flow Security features are provided as individual optional software licenses that can be purchased with the Datacryptor 5000 or at a later date as a feature upgrade.

Optional Datacryptor 5000 Key Management Software

The Datacryptor 5000 Key Management Software can be used on most laptops and PCs.  The software provides a secure, bootable Linux operating system designed to help prevent vulnerabilities during the key derivation and writing process. 

Optional Datacryptor 5000 Smart Card Writer

The Smart Card Writer has a USB connection and is used to connect to a host PC that is running the Key Management Software.

Optional Datacryptor 5000 Smart Card Reader

The Smart Card Reader has a serial connector that is specifically designed to be powered by the Datacryptor 5000 Series device.  When connected to the Datacryptor 5000 device, the Card Reader can be used to configure remote Datacryptor 5000 devices.

Optional Rail and Shelf Kits

An optional wall mount kit is available for the Datacryptor 5100. A shelf kit is also available for placing up to two Datacryptor 5100 devices into a 19” rack.

Datacryptor 5200 does not require any mounting hardware to install into a 19” rack.

Datacryptor 5300 and Datacryptor 5400 each come with standard rails for mounting into a 19” rack.  An optional rail extension kit is available for racks with extended depth requirements.

Optical Interface Modules

A variety of Ethernet and Optical short, intermediate and long range XFP and SFP modules are offered to meet specific implementation requirements for the Datacryptor 5300 and 5400 devices.  Although other modules can be used, the modules offered by Thales have been tested to work with the Datacryptor 5000 models.  Our technical support team is available to assist in determining the appropriate module. 

Datacryptor 5000 Series: Specifications


    • AES-GCM or AES-CBC (256-bit) encryption
    • Integrity and replay protection with Galois Counter Mode (GCM)
    • Key generation with hardware random source
    • Key exchange with Diffie-Hellman ECC algorithm (DH-ECKAS)
    • Designed to meet FIPS 140-2 L3 and CC EAL 4

Line Interfaces

    • 10 Mbps: 10Base-T TP RJ45 Full-Duplex
    • 100 Mbps: 10/100Base-T TP RJ45 Full-Duplex
    • 1 Gbps SFP Modules:
        • 1000Base-T SFP TP RJ45
        • 1000Base-X SFP MM LC (62.5/125µ)
        • 1000Base-X SFP SM LC (9/125µ) SR/IR/LR
        • 1000Base-X SFP DWDM/CWDM
    • 10 Gbps XFP Modules:
        • 10GBase-R XFP MM LC (62.5/125µ)
        • 10GBase-R XFP SM LC (9/125µ)
        • 10GBase-R XFP DWDM/CWDM, tunable DWDM

System Management

    • Configuration via serial console and out-of-band Ethernet
    • Integrated monitoring of network status and operation
    • Audit and event logging
    • Remote monitoring via SNMPv3
    • Link monitoring via CryptoMon software
