Secure Keys and Secrets on any Device

The first software-only solution that lets you build a virtual secure enclave directly into the application layer and allow high trust operations from insecure devices


Deployment options
Technical Specifications

Enable Secure Transactions from Insecure Devices.
Any App. Any Device. Any Use Case

Unbound Crypto-of-Things (CoT) ensures that your apps are secure regardless of the security posture of the device on which they’re deployed. A unified, single API is used to deploy a virtual root of trust that protects crypto keys at the application level, ensuring they cannot be compromised, cloned or tampered even if the device is infected by malware or controlled by an adversary.

Completely abstracted from underlying hardware, CoT can be deployed on any endpoint device and platforms; from IoT and mobile to laptops and even application servers and containers in the cloud or data center. Enable high trust operations like document signing, payments, blockchain transactions and authentication from any endpoint device.



Centralized management

Tamper-proof, real-time auditing

Automated, streamlined provisioning

Intuitive, easy-to-use, crypto-agile API



Immune to malware & client-side attacks

Keys can’t be compromised, cloned or tampered with

Secures crypto keys for ALL use cases

Eliminating the Single Point of Compromise

Drawing its strength for Unbound’s vHSM technology, Unbound is different than traditional software-based schemes that use the private key and either keep it in memory or attempt to obfuscate it. Instead, with Unbound, secrets can be accessed and used by the applications without ever exposing the key or secret material in the clear at any point in its lifecycle. Key material is never whole. Rather, each key exists as two random key shares, separated completely: one share on the device and one share on a remote server.

The inherent separation between and endpoint device and a remote server stretches the secure boundary far beyond the traditional physical casing of the device, ensuring that keys on endpoint devices remain secure at all times, even in the presence of malware or malicious actor fully controlling the endpoint device.

( Learn How )

Unbound Crypto-of-Things (CoT)
Any App. Any Device. Any Use Case.

Central Management and Real Time Tamper Proof Audit Trail

Unbound CoT requires communication between the endpoint and the CoT server for performing any crypto operation. Thus, the CoT server includes real time tamper-proof audit log of any crypto operation performed on the endpoint, allowing detection of crypto key usage anomalies in real time.

Instant Revocation

In case an endpoint is suspected as compromised, Unbound CoT allows ultimate control by ensuring instant revocation of any crypto key that is secured with CoT. Deletion of the relevant key share on the CoT server immediately renders the key useless, ensuring that any assets protected by this key are safe.

Brute-force Proof Authentication Factors

Unbound CoT provides various authentication factors that can be used to authorize any usage of the cryptographic key. The authentication takes place using MPC algorithm between the endpoint and the CoT server, thus preventing brute force attacks on the endpoint side.

Seamless Integration

Unbound CoT is very simple to integrate within your applications, with a simple, intuitive and easy to use SDK. The software is very lightweight and integrates with virtually any device, including laptops, mobile, wearables and other IoT devices.

Future-ready and Agile Cryptography

Unbound CoT is future-ready, so your cryptography infrastructure can be too. With the emergence of Quantum Computing, Blockchain, and crypto vulnerabilities, changes in crypto are faster than ever. Unbound provides a crypto-agile system that ensures you will be up and running the latest crypto, with update cycles measured in days to weeks, not months or years.

Architecture: Non-continuous Secure Boundary

Each Unbound CoT system is comprised of a central server (CoT server) that is installed and managed by the customer. Various endpoint devices that run CoT software (CoT library) connect to the CoT server, creating a series of pairs – where each pair consists of a single endpoint device and the CoT server. Each of the pair nodes hold one share of a key. Together, CoT software on the device and the CoT server form the secure boundary of Unbound CoT.

Applications on the device use the CoT library API for consuming cryptographic service for the keys that are managed within the library, effectively creating a virtual secure enclave on the device. All connections between CoT devices to the CoT server are protected using server authentication (TLS). Key shares are constantly refreshed, so in order to maliciously obtain key material an attacker must compromise both the device and the CoT server simultaneously.

Secured By a Root of Trust

Root of Trust for Any Endpoint Device

Unbound CoT completely abstracts the underlying hardware, effectively enhancing any endpoint device with a virtual root of trust that has a unified, single API used among all devices and platforms supported. In addition, the CoT utilizes secure hardware if such exist on the device, to provide even higher level of security.

Root of Trust for Applications and Containers in the Cloud and Data Center

Unbound CoT effectively creats a virtual root of trust for any application, server or container in the cloud or data center. In addition, the CoT utilizes secure hardware such as a TPM or Intel Software Guard Extensions (SGX) if such exist on the endpoint, to provide even higher level of security.

Security That Goes Beyond

The CoT limitless Secure Boundary adds a newly created dimension to security architectures. The inherent separation between and endpoint device and a remote server stretches the secure boundary far beyond the traditional physical casing of the device, ensuring that keys on endpoint devices remain secure at all times, even in the presence of malware or malicious actor fully controlling the endpoint device.

Operating Systems and Platform

Component Device Type Supported Operating Systems
Cot Endpoint Mobile (smartphones, tablets, wearables) Android, iOS
Desktop/laptop Windows , Mac, Linux
Virtual/physical server, container Linux, Windows
CoT Server Virtual/physical server Linux, Windows

API Support

  • Mobile: Simple and easy to use SDK
  • Desktop/laptop/server: PKCS#11, Java (JCE) Microsoft CNG, OpenSSL


  • Full Suite B support
  • Asymmetric: RSA (2048, 3072, 4096), Elliptic Curve Cryptography with P256 | P384 | P521 curves
  • Symmetric: AES (128, 256)
  • Hash/HMAC: SHA-256, SHA-384
  • Additional modules: Secure password verification using PIN/Native biometrics, Post-Quantum Crypto (PQC), cryptocurrency and blockchain, generic secrets

Endpoint Additional Authentication

  • Device-native fingerprint
  • Face Recognition
  • SAML
  • PIN, password

Leverage On-Device Secure Hardware for Additional Protection

  • Mobile: iOS secure element, Android TEE
  • Desktop/laptop/server: TPM, TXT, SGX

High Availability

  • Active/Active and Active/Passive modes (with external load balancer)

Management and Administration

  • Command Line Interface (CLI)
  • Management REST API
  • Full multi-tenancy support with cryptographically isolated domains

Performance Specifications

  • Cryptographically isolated domains: up to 10,000
  • Maximum total endpoints for all tenants commutatively: up to 250,000,000
  • Keys: bound by disk space only
  • Capacity in transactions per second (TPS) for sample configurations:
Basic Unit Sample ‘S’ Cluster Sample ‘M’ Cluster Sample ‘L’ Cluster
1 pair of servers,
1 core per server
1 pair of servers,
2 cores per server
2 pairs of servers,
4 cores per server
4 pairs of servers,
8 cores per server
RSA-2048 100 200 800 3200
ECIES P256 100 200 800 3200
AES-GCM 128 single block 200 400 1600 6400

Capacity is derived from the number of CPU cores in the CoT server cluster. Scaling the Basic CoT server unit is done by scaling up or scaling out, and is fully linear, as illustrated in the sample clusters above

Protect and Manage Keys On Any Device

MPC Primer

Get an in-depth explanation of how Unbound uses MPC, a mathematically proven method to secure keys on any device.

( Download )

How to Go Beyond BYOK with CYOK

Control Your Own Keys in the Cloud (CYOK) can ensure your sensitive assets remain secure even in the event of a breach.

( Watch )

Unbound Key Control

Learn how Unbound Key Control, the first secure-as-hardware key management system can protect your crypto keys anywhere.

( Download )

Securing Data in Multi-Cloud Environments

Learn more about how two major banks are using Unbound to reinvent data reinvent data protection in the Digital Banking age.

( Watch )