Data Security and Key Management - Thales e-Security

Layer 2 Encryption


Layer 2 Encryption Platforms

High assurance, low latency solutions for securing point-to-point and multipoint links

FIPS 140-2     Common Criteria

Layer 2 standalone network encryption platforms from Thales e-Security provide secure, efficient, and scalable data transport for a variety of point-to-point and multipoint applications. These tamper-resistant devices protect data confidentiality using the strongest commercially available and government encryption algorithms and sophisticated key lifecycle management and storage techniques—at near-line-speed performance. Use Layer 2 devices to protect sensitive and high-value data for a range of connections, including:

These tamper-resistant units authenticate remote devices, exchange key material automatically, and encrypt and decrypt transmitted data. Trusted to protect sensitive networks around the world, Layer 2 appliances are certified to meet FIPS and Common Criteria standards.


  • Proven, certified, and trusted to protect the world’s most sensitive networks.
  • Designed to meet the highest security standards for voice, video, and data communications (FIPS, Common Criteria, UCAPL).
  • Secures a wide range of new and legacy point-to-point and multipoint connections while delivering low latency and near-line-speed performance. 
  • Maximizes return on investment in existing network infrastructure. 
  • Reduces cost of ownership with remote management and configuration, minimal routine handling, and field upgradeability.
  • Protects your investment—buy only the capacity you need, and upgrade easily as your needs change.

Layer 2 Encryption Products

Models (Layer 2 Encryption):

  • Datacryptor Ethernet Layer 2
  • Datacryptor SONET/SDH

Speed columns: 1Mbps, 10Mbps, 100Mbps, 1Gbps, 10Gbps

Layer 2 Encryption Products: Features

Security Features 

  • The strongest commercially available algorithms, government ciphers, or customized algorithms enable Layer 2 encryption products to meet the highest security standards.
  • Provide the flexibility to address a diverse range of security requirements—from enterprise data protection to the most sensitive government networks.
  • Physical and logical separation of network administration and security responsibilities enforces policy and reduces opportunity for insider attacks.
  • Advanced key management capabilities provide the strongest levels of security for key generation and key storage.
  • Most products are certified to FIPS 140-2 Level 3 and Common Criteria standards. Datacryptor Ethernet Layer 2 and Datacryptor SONET/SDH are certified to Common Criteria.

Operational Features

  • A commercial, off-the-shelf (COTS) platform that can be customized as needed helps organizations to reduce cost and accelerate deployments.
  • Remote management capability—including re-key—reduces time, effort, and cost of managing and configuring devices.
  • A choice of speeds allows organizations to buy and deploy only the capacity needed today, and then upgrade easily as their needs change.
  • The ability to upgrade firmware, algorithms, and speed in the field helps organizations adapt more easily to evolving requirements. 
  • Hot standby capability makes Layer 2 encryption devices suitable for high-availability environments.
  • Delivered as standard 19” rack-mountable devices. Datacryptor devices are also offered in small form factor versions to facilitate use in space-constrained environments.

Layer 2 Encryption Products: Options & Accessories


Software and Installation Packs

Each Layer 2 Encryption product is delivered with fully functional software that requires Certificate Manager software for commissioning. Only one Certificate Manager is required to commission all Datacryptor devices, so it is sold separately. Additionally, management software and new release upgrade software can be ordered separately.

Optional Software Licenses

For Datacryptor Ethernet Layer 2 devices, an optional Multipoint and MPLS-aware software license is available. New Datacryptor Ethernet Layer 2 devices can be purchased with the Multipoint and MPLS-aware software installed. Fielded units can be upgraded by ordering the software license separately. Lower speed Datacryptor SONET devices can be software upgraded to support higher data rates. These software upgrades are available through licenses and are designed to meet a variety of speed enhancements.

Shelf Kits

Both single and dual-shelf mount kits are available to suit a variety of rack-mount requirements.

Power Supplies and Metal Keys

Datacryptor Ethernet Layer 2/SONET power supplies are designed for long life and continuous operation (some models available with dual-redundant power supplies). Replacement and backup power supplies can be ordered separately, meeting the same specifications as the power supplies shipped with the original units. Some models require physical keys for operation. Replacement keys are available based on the model purchased.

Wiring and Cables

A large selection of host and network cables including RS-232, RS-530, X.21, V.35, and E1 (RJ48C and BNC) are available to meet any of your networking and host management requirements. Plug-in Optical Laser Modules are available to meet short, medium, and long-range connectivity requirements.

Custom Services

Custom services can be developed for products, including algorithm upgrades and re-loads. Custom training and consulting are also available.

Layer 2 Encryption Products: Specifications


  • Datacryptor Ethernet Layer 2 and Datacryptor SONET
    • AES 256
    • Galois Counter Mode (GCM) frame authentication (multipoint mode)

Certifications (check latest software version for certification compliance)

  • Datacryptor Ethernet Layer 2 and Datacryptor SONET
    • FIPS 140-2 Level 3 (version 4.5)
    • Common Criteria EAL-3 (version 4.5)
    • U.S. Defense Information Systems Agency’s Unified Capabilities Approved Products List (UCAPL) (version 4.5)

Key Management Support

  • Datacryptor Ethernet Layer 2 and Datacryptor SONET
    • Centralized Key generation/distribution
    • Signed Diffie-Hellman Key Agreement (Elliptic Curve Diffie-Hellman version 5.0)
    • Device Authentication: X.509 Certificates
    • Hardware random number generation
    • Automatic and customizable time-triggered key change without interruption of service

Host Connectivity

  • Datacryptor Ethernet Layer 2
    • 100Mbps platform
      • RJ-45 copper 10 or 100BASE-T host and network ports
      • Serial V.24 and Ethernet management ports
    • 1Gbps platform
      • Removable RJ-45 copper (SFP) host/network ports
      • Removable multi-range and DWDM optical (SFP) duplex LC host/network ports
      • Serial V.24 and Ethernet management ports
    • 10Gbps platform
      • Removable multi-range and DWDM optical (XFP) host and network ports
      • Serial V.24 and Ethernet management ports

Additional Security Features

  • Data Integrity
    • Galois Counter Mode (GCM)
    • Extended Sequence Numbers
  • Encrypted Management Traffic (HMAC authenticated)
  • Hardware Random Number Generator
  • Firmware Signing (DSA, SHA-1)
  • Tamper Detection and Tamper Resistance
  • Secure Auditing

Datacryptor Ethernet Layer 2 Data Sheet

Datacryptor SONET/SDH Data Sheet