CyberVault KMS
In modern cyber security architectures, cryptographic keys are the foundation of trust.
"Encryption is only as secure as its cryptographic keys." - IBM
As enterprises expand across hybrid and multi-cloud infrastructures, key lifecycle management becomes increasingly complex. A single missing control in key generation, storage, or rotation can compromise the entire security strategy of a company.
Securosys CyberVault KMS Overview
The CyberVault KMS is the enterprise key management platform developed by Securosys. It unifies key governance, cryptographic operations, and certificate management into a single user interface, while offering a broad range of APIs for business applications, and while keeping all sensitive material inside a certified Primus HSM.
CyberVault KMS adheres to the best-practice recommendations outlined by SSL.com, OWASP, and BSI (Key Management Software), including:
- Tamper-proof hardware: Keys are generated and stored only within FIPS- and CC-certified HSMs.
- Lifecycle governance: Supports creation, activation, rotation, deactivation, and secure destruction.
- Policy-driven usage control: Smart Key Attributes (SKA) enforce per-key approval workflows and business rules.
- Separation of duties: Role-based access control (RBAC) with dual control for sensitive actions.
- Audit: Every key event and policy change is logged for compliance and traceability.
- Interoperability: Multi-protocol support (REST, KMIP, PKCS#11, MSCNG, JCE) ensures seamless integration with business applications.
- Post-Quantum readiness: Native support for NIST-standardized PQC algorithms (ML-DSA, ML-KEM, SLH-DSA).
Architecture Overview
The CyberVault KMS is composed of four interdependent components. While each component has its own deployment and scaling considerations, they rely on one another to function. The HSM Cluster forms the cryptographic foundation, the REST API (TSB) is required before the Key Manager UI can operate, and the Key Manager UI must be running before the KMIP Server can be configured.
| Component | Description |
|---|---|
| Key Manager UI | Web-based management console for keys, certificates, policies, and compliance monitoring. Provides a dashboard with real-time HSM metrics, lifecycle actions, approval workflows, and audit visibility. |
| REST API (TSB) | Programmatic interface for automation and system integration. Supports fine-grained access control and audit logging. |
| KMIP Server | Key Management Interoperability Protocol (KMIP) endpoint for application integration. The Key Manager UI is needed to issue client credentials for the KMIP Server. |
| HSM Cluster | Certified hardware providing the cryptographic root of trust, redundancy, and scalability. Keys are generated and used within this secure boundary. |

Why Key Management Matters
- Keys are the true secrets as they perform decryption, signing, and authentication. Once exposed, encrypted data or digital identities are no longer secure.
- Each stage of a key's lifecycle (generation, distribution, storage, usage, rotation, revocation/destruction) is exposed to different attacks, so safeguards are needed at every step.
- Regulatory frameworks (e.g., PCI DSS, GDPR, ISO 27001, NIST SP 800-57, BSI TR-02102) mandate proper key control, logging, rotation, and hardware protection.
- The emergence of quantum computing threatens classical algorithms (RSA, ECC). Organizations must assess their cryptographic posture and plan migration to quantum-safe algorithms.
- Without a strong KMS, key sprawl leads to operational vulnerabilities, compliance risk, and loss of sovereignty in cloud environments.
- A well-designed KMS enforces policies, ensures consistent governance, and provides auditable control over every key operation.
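The lifecycle governance, separation of duties, and audit controls listed above are easiest to see as a small state machine. The following is an added illustration, not Securosys code and not the Smart Key Attributes implementation: it models the NIST SP 800-57 key states (pre-activation, active, deactivated, compromised, destroyed), refuses transitions the policy does not permit, requires a second distinct approver for destruction, and writes every event to an append-only audit log. The `FakeClock`, the key identifiers, the actor names, and the opaque `handle` field are constructed for the example; real key material stays inside the HSM boundary and is only ever referenced by handle.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional
import secrets


class State(Enum):
    PRE_ACTIVATION = "pre-activation"
    ACTIVE = "active"
    DEACTIVATED = "deactivated"
    COMPROMISED = "compromised"
    DESTROYED = "destroyed"


# Permitted transitions, following the NIST SP 800-57 Part 1 key-state model
# (simplified). Anything not listed here is refused and logged as "denied".
TRANSITIONS = {
    State.PRE_ACTIVATION: {State.ACTIVE, State.DESTROYED},
    State.ACTIVE: {State.DEACTIVATED, State.COMPROMISED},
    State.DEACTIVATED: {State.DESTROYED, State.COMPROMISED},
    State.COMPROMISED: {State.DESTROYED},
    State.DESTROYED: set(),
}

# Irreversible actions that need a second, distinct approver (dual control).
DUAL_CONTROL = {State.DESTROYED}


class PolicyViolation(Exception):
    pass


@dataclass
class ManagedKey:
    key_id: str
    algorithm: str
    created_at: datetime
    rotation_period: timedelta
    state: State = State.PRE_ACTIVATION
    # Hypothetical opaque handle; the material itself never leaves the HSM.
    handle: Optional[str] = field(default_factory=lambda: secrets.token_hex(8))


class FakeClock:
    """Constructed clock so the rotation check is deterministic in the demo."""
    def __init__(self, start):
        self.t = start
    def __call__(self):
        return self.t
    def advance(self, days):
        self.t += timedelta(days=days)


class KeyManager:
    def __init__(self, clock=None):
        self.keys = {}
        self.audit = []  # append-only event log: who did what to which key, when
        self.clock = clock or (lambda: datetime.now(timezone.utc))

    def _log(self, actor, key_id, event, **extra):
        self.audit.append({"ts": self.clock().isoformat(), "actor": actor,
                           "key_id": key_id, "event": event, **extra})

    def create(self, actor, key_id, algorithm, rotation_days=90):
        if key_id in self.keys:
            raise PolicyViolation(f"{key_id} already exists")
        key = ManagedKey(key_id, algorithm, self.clock(), timedelta(days=rotation_days))
        self.keys[key_id] = key
        self._log(actor, key_id, "create", algorithm=algorithm)
        return key

    def transition(self, actor, key_id, target, approver=None):
        key = self.keys[key_id]
        if target not in TRANSITIONS[key.state]:
            self._log(actor, key_id, "denied", reason=f"{key.state.value}->{target.value}")
            raise PolicyViolation(f"{key.state.value} -> {target.value} is not permitted")
        if target in DUAL_CONTROL and (approver is None or approver == actor):
            self._log(actor, key_id, "denied", reason="dual control not satisfied")
            raise PolicyViolation(f"{target.value} requires a second, distinct approver")
        previous = key.state
        key.state = target
        if target is State.DESTROYED:
            key.handle = None  # drop the reference; the HSM zeroises the material
        self._log(actor, key_id, target.value, previous=previous.value, approver=approver)
        return key.state

    def rotate(self, actor, key_id, successor_id):
        """Rotation: a successor of the same algorithm goes active, the old key is deactivated."""
        old = self.keys[key_id]
        if old.state is not State.ACTIVE:
            raise PolicyViolation("only active keys can be rotated")
        new = self.create(actor, successor_id, old.algorithm, old.rotation_period.days)
        self.transition(actor, successor_id, State.ACTIVE)
        self.transition(actor, key_id, State.DEACTIVATED)
        self._log(actor, key_id, "rotate", successor=successor_id)
        return new

    def rotation_due(self):
        """Active keys whose rotation period has elapsed (a check, not an action)."""
        now = self.clock()
        return [k.key_id for k in self.keys.values()
                if k.state is State.ACTIVE and now - k.created_at >= k.rotation_period]


def demo():
    """Constructed scenario: create, activate, rotate, then destroy under dual control."""
    clock = FakeClock(datetime(2025, 1, 1, tzinfo=timezone.utc))
    km = KeyManager(clock)
    km.create("alice", "db-tde-v1", "AES-256", rotation_days=90)
    km.transition("alice", "db-tde-v1", State.ACTIVE)
    clock.advance(91)
    due = km.rotation_due()  # the 90-day period has elapsed
    km.rotate("alice", "db-tde-v1", "db-tde-v2")
    try:  # a single person approving their own destruction request is refused
        km.transition("alice", "db-tde-v1", State.DESTROYED, approver="alice")
    except PolicyViolation:
        pass
    km.transition("alice", "db-tde-v1", State.DESTROYED, approver="bob")
    return km, due
```

Two design points carry over to any real KMS: the refused transition and the refused single-approver destruction are logged as `denied` events rather than silently ignored, because attempted policy violations are what an auditor and a detection pipeline want to see; and rotation is modelled as create-and-activate-successor followed by deactivate-predecessor, so the old key remains available for decryption of existing data until it is deliberately destroyed.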
Benefits
| Area | Description |
|---|---|
| Centralized Control | Unified key, certificate, and secret management through one interface. |
| Hardware Trust Anchor | All keys reside within Securosys Primus HSMs - never exposed in software. |
| Lifecycle Governance | Full lifecycle visibility and automation: generation, rotation, revocation, and destruction. |
| Approval Workflows | Enforced via Smart Key Attributes (SKA) to reduce insider risk and support dual control. |
| Post-Quantum Readiness | Native support for NIST PQC standards (ML-DSA, ML-KEM, SLH-DSA) with built-in PQC readiness assessment. |
| Compliance & Audit | Continuous audit logging and compliance assessment against NIST SP 800-57, ISO 27001, and BSI TR-02102 requirements. |
| Flexible Deployment | Available on-premise, hybrid, or in the cloud, with integration into major IAM systems (OAuth 2.0, LDAP, AD). |
| High Availability | HSM clustering provides redundancy and fault-tolerance for mission-critical applications. |
| Multi-Tenancy | Partition-based isolation with per-user credentials and role-based delegation for multi-organization environments. |
Next Steps
The rest of this documentation section is dedicated to the Key Manager UI. The Key Manager UI is the administrative, operational, and monitoring layer of the CyberVault KMS.
- Explore the user-facing feature set of the Key Manager UI.
- Learn how the Key Manager UI works internally and its architecture.
- Deploy the Key Manager UI with Docker or Kubernetes.
Related
To deploy the full CyberVault KMS stack, follow the component guides in the recommended order:
- HSM Cluster: the cryptographic foundation. All other components depend on a running HSM Cluster.
- REST API (TSB): must be deployed before the Key Manager UI, as the UI relies on TSB to communicate with the HSM.
- Key Manager UI: required by the KMIP Server.
- KMIP Server: requires the Key Manager UI to be running, as client credentials for KMIP authentication are issued through it.