Next Generation KeySecure

Next Generation KeySecure from Thales offers the industry’s leading enterprise key management solution, enabling organizations to centrally manage their encryption keys, protect data, and meet compliance requirements at a cost-effective price point.

Only Thales can deliver key management solutions across FIPS-validated physical appliances or virtual appliances with an external hardware root of trust using SafeNet Hardware Security Modules or Amazon Cloud HSM or Azure dedicated HSM.


Example Use Cases

With NG KeySecure, your organization can lower costs and scale key management that is quickly deployed for high-availability across physical, virtualized infrastructure, and service provider environments. Here are a few ways that SafeNet KeySecure is combined with our portfolio of encryptors to pair reliable encryption at the appropriate level and best-in-class key management.

Application-Level Encryption

SafeNet KeySecure + SafeNet ProtectApp encryptor

  • Centralizes administration of application encryption policy and keys
  • Protects sensitive applications in a multi-vendor infrastructure in the data center and the cloud
  • Ensures integrity and authenticity of data through digital signing and verification
  • Only authorized users can access application data


Transparent Database Encryption

SafeNet KeySecure + SafeNet ProtectDB encryptor

  • Application-transparent, column-level database encryption across multi-vendor database management systems in the datacenter and in the cloud
  • Centralized policy control of data access with granular restriction options and regular key rotation
  • Segregate data within a database and meet compliance mandates


File-Level Encryption

SafeNet KeySecure + SafeNet ProtectFile encryptor

  • Centralized key and policy management to meet compliance mandates
  • Performs transparent encryption of server data at rest without disruption to business operations or application performance
  • Granular access controls so unauthorized users and processes cannot access the encrypted data
  • Can be deployed on network shares, file servers, web servers, application servers, database servers, or other machines running Linux compatible software


Tokenization for Sensitive Data

SafeNet KeySecure + SafeNet Tokenization encryptor

  • Tokenization replaces sensitive data (credit cards, social security numbers, etc.) with a surrogate value - a token. The sensitive data is encrypted and stored in a safe repository while the token is processed throughout the organization
  • Single, centralized interface for logging, auditing, and reporting access to protected data, keys, and tokens
  • Systems with tokens are taken out of the scope of compliance audits, such as PCI DSS
  • Format-preserving, transparent data protection for a wide variety of data types


Virtual Machine-Level Encryption

SafeNet KeySecure + SafeNet ProtectV encryptor

  • Complete encryption of virtual machine instances and storage volumes. No unencrypted data is written to disk
  • Supports AWS Marketplace and VMware environments
  • Pre-boot authentication ensures only authorized users can access information
  • Granular access controls so unauthorized users and processes cannot access the encrypted data, meeting compliance mandates


Partnering with Industry Leaders

NG KeySecure supports a broad ecosystem of respected interoperability partners using the OASIS KMIP standard, including:

  • AWS
  • Dell
  • Google
  • IBM
  • NetApp


SafeNet Next Generation KeySecure Specifications


Next Generation Physical Hardware Specifications

| Feature | K570 | K470 |
|---|---|---|
| Dimensions | 19.0" (W) × 21" (D) × 1.75" (H) | 19.0" (W) × 21" (D) × 1.75" (H) |
| Weight | 12.7 kg (28 lbs) | 12.7 kg (28 lbs) |
| Processor | Intel Xeon E3-1275v5 | Intel Xeon E3-1275v5 |
| Network Interface Card (NIC) | 4x1GB or 2x10GB/2x1GB | 4x1GB or 2x10GB/2x1GB |
| Hard Drive | 1 X 2TB SATA SE (Spinning Disk) | 1 X 2TB SATA SE (Spinning Disk) |
| Motherboard | AIC Antlia | AIC Antlia |
| Average Power (Watts) | 0.7A @120V 84W | 0.7A @120V 84W |
| Maximum Power (Watts) | 100W | 100W |
| Voltage | 100-240V 50-60Hz | 100-240V 50-60Hz |
| Operating Ambient Temperature | 0° to 35°C (32° to 95°F) | 0° to 35°C (32° to 95°F) |

Next Generation Physical Supported Technologies

| Feature | Details (K570 & K470) |
|---|---|
| API Support | KMIP 1.1, PKCS #11, JCE, MS-CAPI, ICAPI, and .NET |
| Network Management | SNMP (v1, v2c, and v3), NTP, URL health check, signed secure logs & syslog, automatic log rotation, secured encryption and integrity checked backups and upgrades, extensive statistics |
| Authentication | LDAP and Active Directory |
| Management Interfaces | Next Generation KeySecure Management Console: Graphical user interface (GUI) available via web browser that is capable of high-grade 128-bit encryption. JavaScript must be enabled to access all functionality available through the management console. Command Line Interface (CLI): available over SSH or directly through the serial console port. |
| Auditing and Logging | Cryptographically signed tracking of granular events. Configurable audit trail with local and remote (syslog) logging |
| Supported Algorithms | SafeNet NextGen KeySecure supports the following public algorithms: REST, KMIP, PKCS#11, JCE, .NET, MSCAPI, MS CNG, NAE-XML |
| Operating System | Highly customized, hardened OS |

Next Generation Physical Model Comparison

| Feature | k570 | k470 |
|---|---|---|
| Max keys | 1,000,000 | 1,000,000 |
| Max concurrent clients | 1,000 | 1,000 |
| Redundant hot-swap HDs & Power | Yes | Yes |
| FIPS Certification | Level 2 compatible chassis; Level 3 Certified HSM Card in Appliance | Level 2 compatible chassis |
| HSM Management* | Yes | Yes |
| SafeNet Crypto Pack** | Optional | Optional |
| SafeNet ProtectV Integration | Yes | Yes |
| SafeNet ProtectApp Integration | Yes | Yes |
| SafeNet ProtectFile Integration | Yes | Yes |

Next Generation Virtual KeySecure Specification

| Feature | k470v | k170v |
|---|---|---|
| Max Keys | 1,000,000 | 25,000 |
| Max concurrent clients per cluster | 1,000 | 100 |
| FIPS 140-2 Support | FIPS Compliant to level 1. Additional: Level 3 support with External HSM as Root of Trust | FIPS Compliant to level 1. Additional: Level 3 support with External HSM as Root of Trust |
| SafeNet Data Protection Portfolio | Supported | Supported |
| System Requirements* | HD: 200GB or more; RAM: 16 GB or more; NICs: 2 or more; CPU: 4 or more | HD: 100GB; RAM: 4-8 GB; NICs: 1-2; CPU: 2 or more |
| Use Case** | High transaction environments | Low-Medium transaction environments |

Next Generation Virtual Keysecure Supported Technologies

| Feature | Details (k470v & k170v) |
|---|---|
| API Support | REST, KMIP, PKCS#11, JCE, .NET, MSCAPI, MS CNG, NAE-XML |
| Network Management | Secure audit logs, secured and integrity checked backups, in-place upgrades |
| Authentication | LDAP and Active Directory |
| Auditing and Logging | Cryptographically signed tracking of granular events. Configurable audit trail with local and remote (syslog) logging. |
| Supported Algorithms | AES, TDES, RSA, HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 |

Operating System

Next Generation KeySecure is an encrypted application that is self-contained (including all operating system level libraries/modules). All encryption keys and managed objects (certificates, secrets, etc.) are stored in an encrypted vault within the appliance, providing customers with a reinforced, secure way to access and centralize key management in the enterprise.

Centralized Key Management:

Simplified Management Console: GUI provides a clean, simple, user-friendly experience for commonly used functions like key management, user groups and permissions, and audit log review.

Consolidated Key security policies: across multiple, disparate encryption systems, protecting current investments.

Centralized, efficient auditing: of key management and licensing of the Data Protection Portfolio offers simplified compliance for cloud environments and decreases the amount of time spent on compliance mandates.

Host Anywhere:

Additional hosting options – Virtual KeySecure images are provided for VMware, AWS, Microsoft Azure, OpenStack, Microsoft Hyper-V and Google Cloud Enterprise, with more public/private clouds coming soon.

Standards Compliance:

  • Built-in Hardware Security Module (HSM) shipped with the k570 physical appliance, which provides cryptographic acceleration and a high assurance FIPS Certified root of trust.
  • Expanded HSM Integration: Virtual KeySecure continues to offer integration with the FIPS-2 compliant Luna HSM portfolio, and also supports Data Protection on Demand (DPoD), AWS HSM and Azure Dedicated HSM. It helps secure backups with HSM binding.

Interoperability:

  • REST APIs: Available for developers to automate key management capabilities using DevOps tools such as Ansible/Puppet/Chef. Combined with KMIP, PKCS#11, and other APIs, it supports standards-based integration with a diverse range of third-party products (including BYOK for Public Cloud).

  • Heterogeneous Key Management: Securely encrypts structured data such as credit cards or social security numbers.

  • Support of the SafeNet Data Protection Portfolio provides new customers with a broad spectrum of use cases, and existing KeySecure customers the ability to migrate to the new platform seamlessly.

Flexibility:

  • Adaptable HA Clustering: Ability to pair a physical appliance with a virtual appliance for high availability configurations to lower cost and make it easy for lift and shift cloud migrations. Configurations can optionally include HSM as root of trust.
  • Multiple Key Types: Manage Symmetric and Asymmetric Key types as well as secret data and certificates (along with associated policies).
  • Subscription-based offerings: that are better suited for operating expenditure (op-ex) models, versus capital expenditure models (standard hardware purchases) that require upfront payment.