Unbound Key Control
With Unbound Key Control you can, for the first time, control, manage, and protect secrets across any distributed infrastructure from a single pane of glass.
Full lifecycle key management
Manage any key, anywhere: on-premises and private/public cloud
Central management of keys and certificates
Hardware Security Module (Virtual HSM)
Supports all standard crypto APIs
Supports all standard keys and algorithms
Stretching the Boundaries of Traditional Key Protection
Unbound Key Control (UKC) ensures that your most sensitive keys never exist in the clear at any point in their lifecycle – not even when generated, while in use or while at rest. With Unbound’s Distributed Trust Platform, key material is never whole – not in memory, disk or network.
By eliminating this single point of compromise, UKC can stretch the secure boundary far beyond the traditional physical casing.
No More Silos - One System to Manage Them All
Unbound’s combined virtual HSM and Key Management solution provides full key lifecycle management from generation, to usage, revocation, rotation, and backup. It supports all standard HSM crypto APIs and enables seamless integration with all KM systems. This pure software solution protects and manages all keys from all on-premises or cloud workloads and from any cloud service provider (CSP). Use Unbound Key Control to manage and sync all your keys across sites and workloads through one central management system.
Empower the Needs of SecOps in Any Organization
Unbound Key Control empowers the SecOps team with a fully-outfitted infrastructure for highly efficient key management and protection. This all-in-one key management plus virtual HSM solution saves SecOps the time and effort of integrating multiple products by combining every feature critical to the SecOps workflow, including: granular policy enforcement, monitoring and auditing, resource management, administration and configuration of role-based access control, backup and durability.
What's Made Possible with Unbound Key Control?
Elastic and Scalable
Fully elastic and scalable enterprise key management lets you quickly adapt to meet your changing needs. Stay up to date and running the latest crypto, with update cycles measured in days.
Transparent and Seamless Integration
Completely transparent and easily deployed without disrupting the existing workflow of applications. Supports all industry-standard HSM and Key Management APIs, as well as all standard crypto algorithms.
Easy Operation and Automation
With CLI and REST APIs included, you can fully automate system installation, deployment, ongoing operation, and management, saving you and your team from spending precious time on labor-intensive tasks.
Future-ready and Agile Cryptography
Unbound Key Control is future-ready, so your cryptography infrastructure can be too.
With crypto vulnerabilities uncovered regularly, and with the emergence of quantum computing and blockchain, changes in cryptography are happening faster than ever. Unbound provides a crypto-agile system that ensures you will be up and running the latest crypto, with update cycles measured in days to weeks, not months or years.
Secured Management and Administration
Unbound Key Control allows you to customize granular admin authorization and access management policies in multiple ways. For example, you can define a minimum number of admins who must work in unison on high-security operations. Or add another layer of access security at the application level, in addition to server authorization.
Get the full details of every decrypt or signing operation in real time whenever a key is used. Receive detailed logs that include: operation type, date and time, the servers from which the request was made, and the authorizing users. The logs can be exported to third-party tools, such as SIEM.
Architecture - Non-continuous Secure Boundary
Unbound Key Control (UKC) consists of one or more pairs of standard servers that are installed and managed by the customer. Each pair is made up of an Entry Point node and a Partner node, each holding one share of a key. Together, these servers form the secure boundary of UKC. Application servers within the network connect to the Entry Point node to consume cryptographic services for the keys managed within UKC.
The UKC Secure Boundary adds a newly created dimension to security architectures, creating endless options for separation of the UKC nodes such as:
- Separate locations/entities, e.g. networks, geographical locations, cloud availability zones etc.
- Separate credentials and access controls
- Separate software stacks (e.g. different operating systems)
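To make the "key material is never whole" idea concrete, here is an added illustration that is not Unbound's code or protocol: a textbook Schnorr signature whose private key is held as two additive shares, one per node, so that a signature is produced without either node ever reconstructing the key. The group parameters, node names and the request message are constructed toy values (the group is far too small to be secure) and the share-refresh step is the generic proactive-secret-sharing idea, not a description of how UKC rotates or protects shares.

```python
"""Two-node signing with additive key shares (constructed illustration only)."""
import hashlib
import secrets

# Toy Schnorr group (constructed, NOT secure sizes): the subgroup of order
# Q = 11 inside Z_23^*, generated by G = 2 (2^11 mod 23 == 1 and 2 != 1).
P = 23
Q = 11
G = 2


def hash_to_scalar(r: int, message: bytes) -> int:
    """Fiat-Shamir challenge e = H(R || m), reduced into the scalar field Z_Q."""
    digest = hashlib.sha256(r.to_bytes(4, "big") + message).digest()
    return int.from_bytes(digest, "big") % Q


class Node:
    """Holder of one additive share of the private key (e.g. Entry Point or Partner)."""

    def __init__(self, name: str, key_share: int):
        self.name = name
        self._x = key_share      # private share x_i; never leaves this object
        self._k = None           # per-signature nonce share k_i

    def commit_nonce(self) -> int:
        """Pick a fresh nonce share and publish only its public part R_i = G^k_i."""
        self._k = secrets.randbelow(Q - 1) + 1
        return pow(G, self._k, P)

    def partial_sign(self, e: int) -> int:
        """Compute s_i = k_i + e * x_i (mod Q) from local shares only."""
        s_i = (self._k + e * self._x) % Q
        self._k = None           # nonce share is single-use
        return s_i

    def add_to_share(self, delta: int) -> None:
        """Re-randomize the local share; used by refresh_shares()."""
        self._x = (self._x + delta) % Q


def split_key(x: int):
    """Additively split x into x1 + x2 = x (mod Q); each share alone is uniform."""
    x1 = secrets.randbelow(Q)
    x2 = (x - x1) % Q
    return x1, x2


def refresh_shares(a: Node, b: Node) -> None:
    """Proactive refresh: x1 + d and x2 - d still sum to x, old shares become useless."""
    d = secrets.randbelow(Q)
    a.add_to_share(d)
    b.add_to_share(-d)


def threshold_sign(entry: Node, partner: Node, message: bytes):
    """One signing round; the whole key x = x1 + x2 is never assembled anywhere."""
    r = (entry.commit_nonce() * partner.commit_nonce()) % P   # R = G^(k1 + k2)
    e = hash_to_scalar(r, message)
    s = (entry.partial_sign(e) + partner.partial_sign(e)) % Q  # s = k + e * x
    return r, s


def verify(public_key: int, message: bytes, signature) -> bool:
    """Standard Schnorr check: G^s == R * y^e (mod P)."""
    r, s = signature
    e = hash_to_scalar(r, message)
    return pow(G, s, P) == (r * pow(public_key, e, P)) % P


def demo():
    x = 7                            # constructed toy private key
    y = pow(G, x, P)                 # public key y = G^x
    x1, x2 = split_key(x)
    entry, partner = Node("entry-point", x1), Node("partner", x2)
    msg = b"decrypt-request-42"      # constructed request payload
    r, s = threshold_sign(entry, partner, msg)
    good = verify(y, msg, (r, s))
    bad = verify(y, msg, (r, (s + 1) % Q))   # any change to s breaks the check
    refresh_shares(entry, partner)           # rotate shares, key unchanged
    still_good = verify(y, msg, threshold_sign(entry, partner, msg))
    return good, bad, still_good


if __name__ == "__main__":
    print(demo())                    # (True, False, True)
```

The point to notice is that `threshold_sign` only ever adds the two nodes' outputs; the private scalar `x` exists solely as `x1` and `x2` inside two separate objects, which maps onto the Entry Point / Partner split described above. Real MPC protocols add nonce commitments, zero-knowledge proofs and authenticated channels on top of this arithmetic.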
Key Management for Cloud, On-premises and Hybrid Environments
Based on the first technology to truly abstract key management, Unbound Key Control (UKC) can be deployed on any standard platform, including physical/virtual machines and containers. This gives you the flexibility to choose the location of the nodes of the UKC and to create a deployment that meets your unique requirements.
Transparent Integration & Automation of the Key Management Infrastructure
Unbound Key Control can be deployed easily without disrupting the existing workflow of applications.
Supports full key lifecycle management
Fully transparent to the calling application and supports all crypto APIs
Allows full automation using CLI and REST APIs
Operating Systems and Platforms
- Windows, Linux
- Any standard virtual/physical machine
- Cloud IaaS: All cloud service providers including AWS, Azure, Google Cloud Platform, SoftLayer
- PaaS and Containers: Docker, Kubernetes, Pivotal Cloud Foundry
Supported APIs
- PKCS #11, Java (JCE), Microsoft CNG, OpenSSL, REST
- KMIP server providing KMIP services to any KMIP client up to KMIP 1.3 inclusive
Cryptographic Algorithms
- Full Suite B support
- Asymmetric: RSA (2048, 3072, 4096), Elliptic Curve Cryptography with P256 | P384 | P521 curves
- Symmetric: AES (key sizes: 128, 256; modes: SIV, XTS, ECB, CBC, OFB, CFB, CTR, CCM, GCM, NIST_WRAP, CMAC, GMAC), Triple DES (modes: ECB, CBC, OFB, CFB, CTR)
- Hash/HMAC: SHA-256, SHA-384
- Generic secret management
- Additional modules: Application-level encryption (OPE/FPE/Tokenization), password verification, Post Quantum Crypto (PQC), cryptocurrency and blockchain
Authentication
- Server-level authentication: using a client certificate, mutually authenticated TLS 1.2
- Application-level authentication (optional): SAML authentication scheme, Active Directory
High Availability
- Active/Active and Active/Passive modes (with external load balancer)
- Automated load balancing by UKC client
Management and administration
- Browser-based admin console
- Command line interface (CLI)
- Comprehensive management REST API
- Full backup and restore functionality, no additional devices required
- Highly-configurable role based access control (RBAC) model
- Multi-admin and quorum authentication – supported remotely over LAN/WAN, no physical access is needed
Capacity
- Cryptographically isolated partitions: up to 100,000,000
- Maximum total endpoints for all tenants cumulatively: up to 250,000,000
- Keys: Virtually unlimited, bound by disk space only
- Simultaneous connected hosts: up to 20,000
- Capacity in transactions per second (TPS) for sample configurations:

| | Basic KEY CONTROL Unit | Sample ‘S’ Cluster | Sample ‘M’ Cluster | Sample ‘L’ Cluster |
|---|---|---|---|---|
| Configuration | 1 pair of servers, 1 core per server | 2 pairs of servers, 1 core per server | 4 pairs of servers, 1 core per server | 16 pairs of servers, 1 core per server |
| AES 256 GCM (TPS) | 15 | 30 | 60 | 240 |

Capacity is derived from the number of CPU cores in the UKC cluster. Scaling the Basic UKC Unit is done by scaling up or scaling out and is fully linear, as illustrated in the sample clusters above.
Supported Integrations
- Apache HTTP Server
- Java Applications
- Stiftung Secure Information and Communication Technologies (SIC) IAIK Provider for Java™ Cryptography Extension (IAIK-JCE)
- OpenSSL Toolkit
- Oracle Database
- Oracle TDE (Transparent Database Encryption)
- Oracle WebLogic Server
- Ping Identity PingFederate v6.4
- Ping Identity PingFederate v7.2.1
- Brocade BES (Brocade Encryption Switch), Brocade FS8-18 Encryption Blade
- CipherCloud Cloud Encryption Gateway
- IBM B2B Integrator
- IBM DataPower Gateway
- IBM DB2
- IBM HTTP Server/Websphere Application Server
- IBM SoftLayer
- IBM WebSphere Application Server
- IBM XIV
- IBM A9000/A9000R
- IBM QRadar
- IBM Security Access Manager (ISAM) for Web
- IBM TAM eBusiness
- HashiCorp Vault
- Quantum Scalar (i6000, i500, i40/80)
- Teradata Database
- VMware vSAN
- VMware vSphere VM Encryption
- Microsoft Active Directory Certificate Services
- Microsoft Internet Information Services (IIS) for Windows Server 2012/2008 R2
- Microsoft SQL Server 2008/2012
- Microsoft ADCS (Automated Data Capture System) for Windows Server 2016/2012/2008 R2
- Microsoft OCSP (Online Certificate Status Protocol) for Windows Server 2016/2012/2008 R2
- Microsoft HGS (Host Guardian Service) and SVM (Shielded Virtual Machine)
- Microsoft SQL Server 2016 Always Encrypted
- Microsoft Windows Server NDES (Network Device Enrollment Service)
- Microsoft Authenticode for Windows Server 2008 R2
Get an in-depth explanation of how Unbound uses MPC, a mathematically proven method to secure keys on any device.