Unbound Key Control

All-in-One Software Solution

A powerful combination of key management and virtual HSM, at the highest level of security


Unbound Key Control

With Unbound Key Control you can, for the first time, control, manage, and protect secrets across any distributed infrastructure from a single pane of glass.



Full lifecycle key management

Manage any key, anywhere: on-premises and private/public cloud

Central management of keys and certificates

FIPS 140-2 Level 2 Validated

Virtual Hardware Security Module (Virtual HSM)


Hardware-level security

Supports all standard crypto APIs

Supports all standard keys and algorithms

Stretching the Boundaries of Traditional Key Protection

Unbound Key Control (UKC) ensures that your most sensitive keys never exist in the clear at any point in their lifecycle – not even when generated, while in use or while at rest. With Unbound’s Distributed Trust Platform, key material is never whole – not in memory, disk or network.

By eliminating this single point of compromise, UKC can stretch the secure boundary far beyond the traditional physical casing.


Virtualize Key Control with our NextGen vHSM®

Manage your keys, automate them, and operate them – from anywhere.

Unbound’s NextGen vHSM® provides the same security as traditional HSM systems – with none of the operational headaches.

Try it out for yourself in a 10-minute interactive demo.

No More Silos - One System to Manage Them All

Unbound’s combined virtual HSM and Key Management solution provides full key lifecycle management from generation, to usage, revocation, rotation, and backup. It supports all standard HSM crypto APIs and enables seamless integration with all KM systems. This pure software solution protects and manages all keys from all on-premises or cloud workloads and from any cloud service provider (CSP). Use Unbound Key Control to manage and sync all your keys across sites and workloads through one central management system.

Empower the needs of SecOps in Any Organization

Unbound Key Control empowers the SecOps team with a fully outfitted infrastructure for highly efficient key management and protection. This all-in-one key management plus virtual HSM solution saves SecOps the time and effort of integrating multiple products by combining every feature critical to the SecOps workflow, including: granular policy enforcement, monitoring and auditing, resource management, administration and configuration of role-based access control, backup and durability.

Elastic and Scalable

Fully elastic and scalable enterprise key management lets you quickly adapt to meet your changing needs. Stay up to date and running the latest crypto, with update cycles measured in days.

Transparent and Seamless Integration

Completely transparent and easily deployed without disrupting the existing workflow of applications. Supports all industry-standard HSM and Key Management APIs, as well as all standard crypto algorithms.

Easy Operation and Automation

With CLI and REST APIs included, you can fully automate system installation, deployment, ongoing operation, and management, saving you and your team from spending precious time on labor-intensive tasks.

Future-ready and Agile Cryptography

Unbound Key Control is future-ready, so your cryptography infrastructure can be too.
With crypto vulnerabilities uncovered regularly and the emergence of quantum computing and blockchain, changes in crypto are happening faster than ever. Unbound provides a crypto-agile system that ensures you will be up and running the latest crypto, with update cycles measured in days to weeks, not months or years.

Secured Management and Administration

Unbound Key Control allows you to customize granular admin authorization and access management policies in multiple ways. For example, you can define a minimum number of admins who must work in unison on high-security operations. Or add another layer of access security at the application level, in addition to server authorization.

Context-Based Auditing

Get the full details of every decrypt or signing operation in real time whenever a key is used. Receive detailed logs that include: operation type, date and time, the servers from which the request was made, and the authorizing users. The logs can be exported to third-party tools, such as SIEM.

Architecture - Non-continuous Secure Boundary

Unbound Key Control (UKC) is comprised of one or more pairs of standard servers that are installed and managed by the customer. Each of these pairs is comprised of an Entry Point node and a Partner node that each hold one share of a key. Together, these servers form the secure boundary of UKC. Application servers within the network connect to the entry point for consuming cryptographic services for the keys that are managed within UKC.

The UKC Secure Boundary adds a newly created dimension to security architectures, creating endless options for separation of the UKC nodes such as:

  • Separate locations/entities, e.g. networks, geographical locations, cloud availability zones, etc.
  • Separate credentials and access controls
  • Separate software stacks (e.g. different operating systems)

Key Management for Cloud, On-premises and Hybrid Environments

Based on the first technology to truly abstract key management, Unbound Key Control (UKC) can be deployed on any standard platform, including physical/virtual machines and containers. This gives you the flexibility to choose the location of the nodes of the UKC and to create a deployment that meets your unique requirements.


Transparent Integration & Automation of the Key Management Infrastructure

Unbound Key Control can be deployed easily without disrupting the existing workflow of applications.

  • Supports full key lifecycle management
  • Fully transparent to the calling application and supports all crypto APIs
  • Allows full automation using CLI and REST APIs

Operating Systems and Platforms

  • Windows, Linux
  • Any standard virtual/physical machine
  • Cloud IaaS: All cloud service providers including AWS, Azure, Google Cloud Platform, SoftLayer
  • PaaS and Containers: Docker, Kubernetes, Pivotal Cloud Foundry

API Support

  • PKCS #11, Java (JCE), Microsoft CNG, OpenSSL, REST
  • KMIP server providing KMIP services to any KMIP client up to KMIP 1.3 inclusive


  • Full Suite B support
  • Asymmetric: RSA (key sizes: 2048, 3072, 4096; modes: RAW,
    PKCS1, PSS, OAEP), Elliptic Curve Cryptography (ECDH with
    P256 | P384 | P521 curves, ECDSA with P256 | P384 | P521 |
    SECP256K1, EdDSA with ed25519 curve, ECPRF/ECPWD with
    P256, Schnorr signatures over SECP256K1)
  • Symmetric: AES (key sizes: 128, 256, 512; modes: SIV, XTS, ECB, CBC,
    DES (key size: 168; modes: ECB, CBC, OFB, CFB, CTR)
  • Hash/HMAC: SHA (SHA-1, SHA-256, SHA-384, SHA-512), HMAC (128-256)
  • Generic secret management
  • Additional modules: Application level encryption (OPE/FPE/Tokenization), password verification, Post Quantum Crypto (PQC), cryptocurrency and blockchain

Host Authentication

  • Server-level authentication: using a client certificate, mutually authenticated TLS 1.2
  • Application-level authentication (optional): SAML authentication scheme, Active Directory

High Availability

  • Active/Active and Active/Passive modes (with external load balancer)
  • Automated load balancing by UKC client

Management and administration

  • Browser-based admin console
  • Command line interface (CLI)
  • Comprehensive management REST API
  • Full backup and restore functionality, no additional devices required
  • Highly-configurable role based access control (RBAC) model
  • Multi-admin and quorum authentication – supported remotely over LAN/WAN, no physical access is needed


  • FIPS 140-2 validated
  • Common Criteria (in process)

Performance Specifications

  • Cryptographically isolated partitions: up to 100,000,000
  • Maximum total endpoints for all tenants cumulatively: up to 250,000,000
  • Keys: Virtually unlimited, bound by disk space only
  • Simultaneous connected hosts: up to 20,000
  • Capacity in transactions per second (TPS) for sample configurations:

| | Basic KEY CONTROL Unit | Sample ‘S’ Cluster | Sample ‘M’ Cluster | Sample ‘L’ Cluster |
|---|---|---|---|---|
| Configuration | 1 pair of servers, 1 core per server | 2 pairs of servers, 1 core per server | 2 pairs of servers, 1 core per server | 16 pairs of servers, 1 core per server |
| RSA-2048 | 150 | 300 | 600 | 2400 |
| ECDSA P256 | 70 | 140 | 280 | 1120 |
| AES 256 GCM | 15 | 30 | 60 | 240 |
| ECDH P256 | 210 | 420 | 840 | 3360 |

Capacity is derived from the number of CPU cores in the UKC cluster. Scaling the Basic UKC Unit is done by scaling up or scaling out, and is fully linear, as illustrated in the sample clusters above.

Protect and Manage Security Keys with Unbound Key Control


Get an in-depth explanation of how Unbound uses MPC, a mathematically proven method to secure keys on any device.



Control Your Own Keys in the Cloud (CYOK) can ensure your sensitive assets remain secure even in the event of a breach.



Learn how Unbound Key Control, the first secure-as-hardware key management system, can protect your crypto keys anywhere.



Learn more about how two major banks are using Unbound to reinvent data protection in the Digital Banking age.
