Features
This page gives an overview of the features available in the Securosys Key Manager UI.

Dashboard
The dashboard provides a real-time overview of the HSM state, including key and certificate counts by type, storage utilization, HSM vendor and version information, and a compliance alert summary.

| Feature | Description |
|---|---|
| Key & Certificate Metrics | Total keys, certificates, private keys, secret keys, data objects, and invalidated keys at a glance. |
| HSM Information | Vendor, API version, active partition, and HSM system time. |
| Keystore Overview | Visual distribution of key types (private, secret, public, certificates). |
| Storage Monitoring | Used, available, and maximum HSM storage with color-coded capacity indicators. |
| Compliance Insights | Summary of compliance alerts by severity (critical, warning, info) with direct link to the Compliance module. |
| License Status | Display of enabled HSM client flags and feature availability. |

General
These features cover the foundational aspects of the Key Manager UI, including how users authenticate, manage secrets, and work in a multi-tenant environment.

| Feature | Description |
|---|---|
| Authentication | Supports OAuth 2.0 via Microsoft Entra ID, GitHub, Keycloak, and local HSM Authentication with optional TOTP-based two-factor authentication. |
| Role-Based Access Control | Three roles - Admin (full access, user management), User (standard operations), Readonly (read-only access). |
| Secrets Management | Create and manage HSM data objects alongside cryptographic keys. |
| Multi-Tenancy Support | Partition-based isolation with runtime partition switching. Per-user credentials stored in HSM data objects, Azure Key Vault, or GCP Secret Manager. |
| Multi-Language | Available in English and German with runtime language switching. |
| API Access Keys | Manage Key Management, Approver Management, and Service API keys from the Security Settings page. |

Key Management
Key management capabilities allow users to create, inspect, modify, and lifecycle-manage cryptographic keys. This includes symmetric, asymmetric, and post-quantum algorithms, as well as policies, attestation, and secure deletion.

| Feature | Description |
|---|---|
| Create Symmetric | AES, Camellia, ChaCha20, TDEA, HMACSHA256 |
| Create Asymmetric | RSA, DSA, ECDSA, EdDSA, BLS, ISS |
| Create Post-Quantum | ML-DSA, ML-KEM, SLH-DSA, LMS |
| Key Policy | Rule Use, Block, Unblock, Modify |
| Inspect | Algorithm, Key Usage Count, Status, Created, OIDs, Size, Certificate, Attributes, Key Policy |
| Modify | Attributes, Policies, Password, Rename |
| Export | PKCS12, Plain, XPUB |
| Import | PrivateKey, PublicKey, SecretKey, PKCS12, Seed, xPub (available formats vary by algorithm) |
| Derive | EC, ED (BIP32 derivation) |
| Rotate | Symmetric, Asymmetric (with optional certificate rollover: self-signed, CSR-based, or certificate import) |
| Attestation | Generate and verify key origin |
| Delete | Secure deletion and decommissioning of keys (single and bulk) |

Certificate Management
Certificate management provides tools to create, issue, import, and securely manage certificates for cryptographic operations, ensuring trust and authenticity in digital communication.

| Feature | Description |
|---|---|
| Create Self-Signed | Create self-signed certificates with Validity, Standard Certificate Attributes, Key Usage, Extended Key Usage, Subject Alternative Name, and Certificate Authority |
| Create Issued | Issue certificates with Validity, Standard Certificate Attributes, Key Usage, Extended Key Usage, Subject Alternative Name, and Certificate Authority |
| Generate CSR | Create Certificate Signing Requests (CSRs) with Validity, Standard Certificate Attributes, Key Usage, Extended Key Usage, Subject Alternative Name |
| Certificate Profiles | Built-in profiles (WebServer TLS, Client Authentication, Code Signing, CA Certificate) and custom profile creation for streamlined certificate issuance |
| Import | Import existing certificates into the HSM |
| Delete | Securely delete certificates from the HSM |

KMIP User Management
The Key Manager UI includes management of KMIP users, enabling secure generation of mTLS authentication credentials and certificate-based access control.

| Feature | Description |
|---|---|
| Create KMIP User | Create a KMIP user with mTLS certificate & private-key export (PKCS12) |
| Delete KMIP User | Securely remove a KMIP user from the system |

Approver Management
Approver management enables fine-grained access control for critical workflows using SKA policies, including onboarding and managing approvers together with the Securosys Authorization App.

| Feature | Description |
|---|---|
| View Approver Status | Check approver status (ONBOARDED, PENDING) |
| Create Approver | Register a new approver for SKA workflows |
| Onboard Approver | Enroll approvers via QR code with the Securosys Authorization App |
| Renew One-Time Code | Generate a new one-time code for the Securosys Authorization App |
| Delete Approver | Remove an approver from the system |
| SKA Profiles | Create and manage custom approval policy profiles with configurable approval groups, quorum (M-of-N), timelock, and timeout constraints |

User Management
The Security tab lets users manage their own account and lets administrators manage other users' accounts.

| Feature | Description |
|---|---|
| User Details | An overview of the logged-in user, including role, 2FA status, and last login |
| Two-Factor Authentication | Enable or disable TOTP-based 2FA for your own user, with QR code enrollment for authenticator apps (Google Authenticator, Authy) |
| User Management | Create new users, assign roles (Admin, User, Readonly), and enable or disable accounts (available only to administrators) |

Discovery
The Discovery tab scans preconfigured hosts to identify existing TLS certificates and evaluate their security posture.

| Feature | Description |
|---|---|
| Certificate Scanning | Scan configured hosts and subnets for TLS certificates with expiration tracking |
| TLS Version Check | Detect weak TLS versions (SSLv2, SSLv3, TLS 1.0, TLS 1.1) |
| Cipher Suite Validation | Flag weak cipher suites (RC4, DES, 3DES, NULL, etc.) |
| Forward Secrecy | Check for ECDHE/DHE support |
| Self-Signed Detection | Identify self-signed certificates |

Compliance
The Compliance module provides cryptographic posture assessment, regulatory compliance checks, and HSM partition log analysis.

| Feature | Description |
|---|---|
| PQC Readiness Assessment | Classify keys as quantum-safe, quantum-vulnerable, or quantum-resistant with migration recommendations |
| Regulatory Compliance | Assess key and certificate compliance against NIST SP 800-56B, NIST SP 800-131A, ISO/IEC 27001, and BSI TR-02102 |
| Certificate Expiration Monitoring | Detect upcoming certificate expirations and key age violations |
| Log Analysis | Structured HSM partition log viewer with audit dashboards, key-usage analytics (sign/verify/encrypt/decrypt/wrap/unwrap), and anomaly detection |

Self-Test
The Self-Test module validates cryptographic operations across all supported algorithms to ensure correct HSM functionality.

| Feature | Description |
|---|---|
| Algorithm Validation | Test key creation, signing, verification, encryption, decryption, and wrap/unwrap across RSA, AES, EC, EdDSA, and all PQC algorithms |
| Key Derivation Test | Validate BIP32 master key creation and child key derivation |
| Certificate Operations | Test CSR generation, self-signed certificate creation, and certificate signing |
| Approver Operations | Validate approver creation and SKA workflow operations |

AI Chat Assistant
The optional Chat Assistant provides natural language interaction with HSM operations via the Model Context Protocol (MCP).

| Feature | Description |
|---|---|
| LLM Provider Support | Configurable providers: Anthropic Claude, OpenAI GPT, Google Gemini, and local LLMs (Ollama, LM Studio, vLLM) |
| Context-Aware Assistance | Suggestions based on available keys, certificates, and HSM state |
| Runtime Provider Switching | Switch between LLM providers without restarting the application |