Unbound Key Control

All-in-One Software Solution

A powerful combination of key management and virtual HSM, at the highest level of security


With Unbound Key Control you can, for the first time, control, manage, and protect secrets across any distributed infrastructure from a single pane of glass.



Full lifecycle key management

  • Manage any key, anywhere: on-premises and private/public cloud
  • Central management of keys and certificates

Hardware Security Module (Virtual HSM)

  • Hardware-level security
  • Supports all standard crypto APIs
  • Supports all standard keys and algorithms

Stretching the Boundaries of Traditional Key Protection

Unbound Key Control (UKC) ensures that your most sensitive keys never exist in the clear at any point in their lifecycle: not when generated, not while in use, and not at rest. With Unbound’s virtual HSM technology, key material is never whole on any single machine, neither in memory, on disk nor on the network; each node holds only a share of the key, and cryptographic operations are computed jointly on the shares.

Because no single node ever holds a complete key, there is no single point of compromise, and the secure boundary can be stretched across separated machines rather than confined to one physical casing.

No More Silos - One System to Manage Them All

Unbound’s combined virtual HSM and Key Management solution provides full key lifecycle management from generation, to usage, revocation, rotation, and backup. It supports all standard HSM crypto APIs and enables seamless integration with all KM systems. This pure software solution protects and manages all keys from all on-premises or cloud workloads and from any cloud service provider (CSP). Use Unbound Key Control to manage and sync all your keys across sites and workloads through one central management system.

Empowering SecOps in Any Organization

Unbound Key Control gives the SecOps team a fully outfitted infrastructure for efficient key management and protection. This all-in-one key management plus virtual HSM solution saves SecOps the time and effort of integrating multiple products by combining every feature critical to the SecOps workflow, including granular policy enforcement, monitoring and auditing, resource management, administration and configuration of role-based access control, and backup and durability.

Elastic and Scalable

Fully elastic and scalable enterprise key management lets you quickly adapt to meet your changing needs. Stay up to date and running the latest crypto, with update cycles measured in days to weeks.

Transparent and Seamless Integration

Completely transparent and easily deployed without disrupting the existing workflow of applications. Supports all industry-standard HSM and key management APIs, as well as all standard crypto algorithms.

Easy Operation and Automation

With CLI and REST APIs included, you can fully automate system installation, deployment, ongoing operation, and management, saving you and your team from spending precious time on labor-intensive tasks.

Future-ready and Agile Cryptography

Unbound Key Control is future-ready, so your cryptography infrastructure can be too.
With crypto vulnerabilities uncovered regularly, and with quantum computing and blockchain driving new algorithm requirements, changes in crypto are happening faster than ever. Because UKC is pure software, it is crypto-agile: new or replacement algorithms ship with update cycles measured in days to weeks, not the months or years a hardware refresh takes.

Secured Management and Administration

Unbound Key Control allows you to customize granular admin authorization and access management policies in multiple ways. For example, you can define a minimum number of admins who must work in unison on high-security operations. Or add another layer of access security at the application level, in addition to server authorization.

Context-Based Auditing

Get the full details of every decrypt or signing operation in real time whenever a key is used. Receive detailed logs that include: operation type, date and time, the servers from which the request was made, and the authorizing users. The logs can be exported to third-party tools, such as SIEM.
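The audit fields listed above are what a SIEM rule would key on. As an added example (written for this page, not Unbound's code or export format), the block below parses constructed JSON audit records carrying those four fields and raises findings for three things a SecOps team typically wants flagged: a key used from a host outside its allowlist, a sensitive operation authorized by fewer admins than policy requires, and off-hours use of a production key. The record schema, policy tables and sample lines are all assumptions made for the example.

```python
"""Triage of UKC-style key-usage audit records after export to a SIEM.
Record format is constructed for this example (the page lists the fields,
not a schema): operation, time (UTC ISO-8601), key, host, authorizers."""
from datetime import datetime
import json

# Constructed sample export: five records, two of them suspicious.
SAMPLE_LOG = """\
{"operation":"SIGN","time":"2021-03-02T09:12:44Z","key":"code-signing-prod","host":"build-01","authorizers":["svc-build"]}
{"operation":"SIGN","time":"2021-03-02T09:13:01Z","key":"code-signing-prod","host":"build-01","authorizers":["svc-build"]}
{"operation":"DECRYPT","time":"2021-03-02T10:40:10Z","key":"pii-db-wrap","host":"db-02","authorizers":["svc-db"]}
{"operation":"SIGN","time":"2021-03-03T02:55:31Z","key":"code-signing-prod","host":"jump-07","authorizers":["svc-build"]}
{"operation":"EXPORT","time":"2021-03-03T03:01:09Z","key":"pii-db-wrap","host":"db-02","authorizers":["alice"]}
"""

# Constructed policy: which hosts may use which key, and which operations
# require more than one authorizing admin (the quorum feature described above).
ALLOWED_HOSTS = {
    "code-signing-prod": {"build-01", "build-02"},
    "pii-db-wrap": {"db-01", "db-02"},
}
QUORUM_OPS = {"EXPORT": 2, "DELETE": 2}
BUSINESS_HOURS = range(7, 20)  # UTC hours during which prod key use is expected


def parse(text: str):
    """Yield one dict per non-empty line, with the timestamp parsed to datetime."""
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
            yield rec


def findings(records):
    """Return (rule, key, detail) tuples for every record that violates policy."""
    out = []
    for r in records:
        allowed = ALLOWED_HOSTS.get(r["key"])
        if allowed is not None and r["host"] not in allowed:
            out.append(("unexpected-host", r["key"], r["host"]))
        needed = QUORUM_OPS.get(r["operation"])
        if needed is not None and len(r["authorizers"]) < needed:
            out.append(("quorum-not-met", r["key"], r["operation"]))
        if r["key"].endswith("-prod") and r["time"].hour not in BUSINESS_HOURS:
            out.append(("off-hours-use", r["key"], r["time"].isoformat()))
    return out


if __name__ == "__main__":
    for f in findings(parse(SAMPLE_LOG)):
        print(*f)
```

The unexpected-host rule is the one worth tuning first: with UKC the key never leaves the nodes, so an attacker who wants signatures must request them through an authorized client host, and a new source host for a high-value key is the signal that shows up in these logs.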

Architecture - Non-continuous Secure Boundary

Unbound Key Control (UKC) is comprised of one or more pairs of standard servers that are installed and managed by the customer. Each pair consists of an Entry Point node and a Partner node, and each node holds one share of every key; the full key is never assembled on either. Together, these servers form the secure boundary of UKC. Application servers within the network connect to the Entry Point node to consume cryptographic services for the keys managed within UKC.

Because the two nodes of a pair only need a network path to each other, the UKC secure boundary is non-continuous: the nodes can be separated along several axes, for example:

Separate locations/entities, e.g. networks, geographical locations, cloud availability zones etc.

Separate credentials and access controls

Separate software stacks (e.g. different operating systems)
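To make the Entry Point/Partner split concrete, here is an added toy illustration (written for this page; it is not Unbound's protocol and not production cryptography) of signing with a key that exists only as two additive shares. Each `Node` generates and keeps its own share; only `g^share`, a per-signature commitment and a partial signature ever leave it, and the sum of the two partial signatures verifies against the joint public key without anyone computing the full private key. The construction is a two-party Schnorr signature over a prime-order subgroup with a 64-bit toy group (real deployments use far larger groups or elliptic curves), and it omits the commitments and zero-knowledge proofs a real two-party protocol needs against a malicious partner.

```python
"""Two-party split-key Schnorr signing: toy model of an Entry Point node and a
Partner node that each hold one additive share of the private key."""
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases: deterministic for n < 3.3e24, which covers our sizes."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits: int = 64):
    """Return (p, q, g): a safe prime p = 2q+1 and g of order q.
    Toy size for readability; assumption for the example, not a recommended parameter."""
    q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4  # 4 = 2^2 is a quadratic residue mod p, so its order is q


class Node:
    """One UKC-style node. The share is generated locally and never exported."""

    def __init__(self, group):
        self.p, self.q, self.g = group
        self._share = secrets.randbelow(self.q - 1) + 1  # x_i, stays on this node
        self._nonce = None                                # k_i, fresh per signature

    def public_share(self) -> int:
        return pow(self.g, self._share, self.p)           # g^x_i, safe to publish

    def round1(self) -> int:
        self._nonce = secrets.randbelow(self.q - 1) + 1
        return pow(self.g, self._nonce, self.p)           # commitment R_i = g^k_i

    def round2(self, e: int) -> int:
        s_i = (self._nonce + e * self._share) % self.q    # partial signature
        self._nonce = None                                 # nonce reuse would leak x_i
        return s_i


def challenge(group, R: int, y: int, msg: bytes) -> int:
    p, q, _ = group
    n = (p.bit_length() + 7) // 8
    h = hashlib.sha256(R.to_bytes(n, "big") + y.to_bytes(n, "big") + msg).digest()
    return int.from_bytes(h, "big") % q


def joint_public_key(group, entry: Node, partner: Node) -> int:
    return entry.public_share() * partner.public_share() % group[0]  # g^(x1+x2)


def sign(group, entry: Node, partner: Node, y: int, msg: bytes):
    p, q, _ = group
    R = entry.round1() * partner.round1() % p       # R = g^(k1+k2)
    e = challenge(group, R, y, msg)
    s = (entry.round2(e) + partner.round2(e)) % q   # k1+k2 + e*(x1+x2); x itself never exists
    return R, s


def verify(group, y: int, msg: bytes, sig) -> bool:
    p, _, g = group
    R, s = sig
    e = challenge(group, R, y, msg)
    return pow(g, s, p) == R * pow(y, e, p) % p


if __name__ == "__main__":
    grp = make_group()
    entry, partner = Node(grp), Node(grp)
    y = joint_public_key(grp, entry, partner)
    sig = sign(grp, entry, partner, y, b"release-1.4.2.tar.gz")
    print("signature valid:", verify(grp, y, b"release-1.4.2.tar.gz", sig))
```

The point to take from the model is the one the architecture section makes: an attacker who fully compromises one node learns one share and the partial values that node emits, which, for a fresh nonce per signature, reveal nothing about the other share; producing a signature still requires the cooperation of both nodes, which is why separating them across networks, credentials and software stacks raises the cost of an attack.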

Key Management for Cloud, On-premises and Hybrid Environments

Based on the first technology to truly abstract key management, Unbound Key Control (UKC) can be deployed on any standard platform, including physical/virtual machines and containers. This gives you the flexibility to choose the location of the nodes of the UKC and to create a deployment that meets your unique requirements.


Transparent Integration & Automation of the Key Management Infrastructure

Unbound Key Control can be deployed easily without disrupting the existing workflow of applications.

Supports full key lifecycle management

Fully transparent to the calling application and supports all crypto APIs

Allows full automation using CLI and REST APIs

Operating Systems and Platforms

  • Windows, Linux
  • Any standard virtual/physical machine
  • Cloud IaaS: All cloud service providers including AWS, Azure, Google Cloud Platform, SoftLayer
  • PaaS and Containers: Docker, Kubernetes, Pivotal Cloud Foundry

API Support

  • PKCS #11, Java (JCE), Microsoft CNG, OpenSSL, REST
  • KMIP server providing KMIP services to any KMIP client up to KMIP 1.3 inclusive

Cryptographic Algorithms

  • Full Suite B support
  • Asymmetric: RSA (2048, 3072, 4096 bits), Elliptic Curve Cryptography (P-256, P-384, P-521)
  • Symmetric: AES (key sizes: 128, 256; modes: SIV, XTS, ECB, CBC, OFB, CFB, CTR, CCM, GCM, NIST_WRAP, CMAC, GMAC), Triple DES (modes: ECB, CBC, OFB, CFB, CTR)
  • Hash/HMAC: SHA-256, SHA-384
  • Generic secret management
  • Additional modules: Application level encryption (OPE/FPE/Tokenization), password verification, Post Quantum Crypto (PQC), cryptocurrency and blockchain

Host Authentication

  • Server-level authentication: mutually authenticated TLS 1.2 with a client certificate
  • Application-level authentication (optional): SAML authentication scheme, Active Directory

High Availability

  • Active/Active and Active/Passive modes (with external load balancer)
  • Automated load balancing by UKC client

Management and administration

  • Browser-based admin console
  • Command line interface (CLI)
  • Comprehensive management REST API
  • Full backup and restore functionality, no additional devices required
  • Highly-configurable role based access control (RBAC) model
  • Multi-admin and quorum authentication – supported remotely over LAN/WAN, no physical access is needed

Performance Specifications

  • Cryptographically isolated partitions: up to 100,000,000
  • Maximum total endpoints for all tenants cumulatively: up to 250,000,000
  • Keys: Virtually unlimited, bound by disk space only
  • Simultaneous connected hosts: up to 20,000
  • Capacity in transactions per second (TPS) for sample configurations:

    Operation                  Basic Unit             Sample ‘S’ Cluster     Sample ‘M’ Cluster      Sample ‘L’ Cluster
    Servers                    1 pair, 1 core each    1 pair, 2 cores each   2 pairs, 4 cores each   4 pairs, 8 cores each
    RSA-2048                   100                    200                    800                     3200
    ECIES P256                 100                    200                    800                     3200
    AES-GCM 128, single block  200                    400                    1600                    6400

Capacity is derived from the total number of CPU cores in the UKC cluster. Scaling the Basic UKC Unit is done by scaling up (more cores per server) or scaling out (more server pairs), and throughput is linear in total cores, as the sample clusters above illustrate: in these samples each core contributes roughly 50 RSA-2048 or ECIES P256 operations per second and roughly 100 single-block AES-GCM operations per second.

Integrations

  • Apache HTTP Server
  • Java Applications
  • Stiftung Secure Information and Communication Technologies (SIC) IAIK Provider for Java™ Cryptography Extension (IAIK-JCE)
  • OpenSSL
  • OpenSSL Toolkit
  • Oracle Database
  • Oracle TDE (Transparent Database Encryption)
  • Oracle WebLogic Server
  • Ping Identity PingFederate v6.4
  • Ping Identity PingFederate v7.2.1
  • Brocade BES (Brocade Encryption Switch), Brocade FS8-18 Encryption Blade
  • CipherCloud Cloud Encryption Gateway
  • IBM B2B Integrator
  • IBM DataPower Gateway
  • IBM DB2
  • IBM HTTP Server/Websphere Application Server
  • IBM SoftLayer
  • IBM WebSphere Application Server
  • IBM A9000/A9000R
  • IBM QRadar
  • IBM Security Access Manager (ISAM) for Web
  • IBM TAM eBusiness
  • HashiCorp Vault
  • Quantum Scalar (i6000, i500, i40/80)
  • Teradata Database
  • VMware vSAN
  • VMware vSphere VM Encryption
  • Microsoft Active Directory Certificate Services
  • Microsoft Internet Information Services (IIS) for Windows Server 2012/2008 R2
  • Microsoft SQL Server 2008/2012
  • Microsoft AD CS (Active Directory Certificate Services) for Windows Server 2016/2012/2008 R2
  • Microsoft OCSP (Online Certificate Status Protocol) for Windows Server 2016/2012/2008 R2
  • Microsoft HGS (Host Guardian Service) and SVM (Shielded Virtual Machine)
  • Microsoft SQL Server 2016 Always Encrypted
  • Microsoft Windows Server NDES (Network Device Enrolment Service)
  • Microsoft Authenticode for Windows Server 2008 R2

Protect and Manage Security Keys with Unbound Key Control

MPC Primer

Get an in-depth explanation of how Unbound uses MPC, a mathematically proven method to secure keys on any device.


How to Go Beyond BYOK with CYOK

Control Your Own Keys in the Cloud (CYOK) can ensure your sensitive assets remain secure even in the event of a breach.


Unbound Key Control

Learn how Unbound Key Control, the first secure-as-hardware key management system can protect your crypto keys anywhere.


Securing Data in Multi-Cloud Environments

Learn more about how two major banks are using Unbound to reinvent data protection in the digital banking age.