Engage logo 990000 rev 2.000

  • Home
  • Solutions
  • Key Management

    Key Management Solutions that…


Generate, distribute, store, rotate and revoke crypto keys
     Protect the crypto key lifecycle and meet compliance objectives
     Integrate Hardware Security Module (HSM) functionality
     Provide multi-factor and quorum authentication
     Offer innovative and intuitive management and control

   Got Quorum?

Key Management

The growing threat landscape, with almost daily reports of data theft and security breeches, is driving the need for data encryption. More encryption means more cryptographic keys. However, when keys are compromised, encryption is no longer effective. Unfortunately, proper key security is often lacking.

Many organizations still store keys in software—a poor choice as hacks capture both data and the keys used to encrypt that data. The result is exposure of critical data harmful to both your organization and customers.

Keys should be stored in a separate hardware device. USB tokens and Smart cards are often used, but with the growing number of keys, it’s difficult to track them, monitor who has possession, or determine if they have been lost or stolen.



Hardware Security Modules (HSMs) ensure keys are secure and confidential, limiting access to only those who need it. Unencrypted keys never exist outside the HSM and all key related operations occur inside the HSM. They also provide physical and logical barriers to attack and tampering; unavailable to USB tokens, smart cards, or software.

Engage BlackVault is a cryptographic appliance with a built-in FIPS Level 3 Hardware Security Module (HSM). It supports the complete key management life cycle and is available as a Code / Document Signing appliance, Certificate Authority (CA), or fully featured HSM. BlackVault makes meeting key management best practices straight forward, secure, and affordable.

Key Management with the BlackVault

The BlackVault platform provides maximum protection for cryptographic keys. It’s FIPS 140-2 Level 3 tamper reactive, silicon based, cryptographic boundary ensures keys and other cryptographic material cannot be compromised. An attempt to defeat the BlackVault’s physical, environmental, and electronic protection mechanisms causes keys to be deleted (zeroized).

The BlackVault platform also has a unique single trust path authentication mechanism. Two factor authentication is determined directly at the BlackVault by inserting a smart card into the smart card reader and entering your PIN on its touch screen display. This prevents compromised third party devices from gaining access to the BlackVault platform.

An "M of N" quorum can also be established for Crypto Officer, User, and Key Backup / Restore authentication. In this case, a minimum of "M" personnel (smart cards / PINs) must be present to authorize an action by the BlackVault. For example, a new code release cannot be digitally signed unless Engineering, QA and Product Management “sign-off” on the release.

The BlackVault platform includes both USB and Ethernet ports for on-line as well as off-line (air-gapped) applications. The USB port is also used for off-line file transfer and key backup. Backups are encrypted and the backup encryption key can be distributed across multiple smart cards. The Ethernet port is a secure TLS connection.

Compact and portable, with a battery life measured in decades, the BlackVault is easily transported and stored in a safe or other secure location.

With a menu driven touch screen display, and built-in applications, the BlackVault achieves a new level of simplicity and ease-of-use for what has traditionally been very complex functions.

BlackVault Photo w SC

Behind the scenes, the BlackVault platform supports the most advanced cryptographic algorithms and popular cryptographic APIs.


Technology Comparison

    Capability BlackVault Software USB Token Smart Card
    Key Generation in Hardware Yes No Often No Often No
    Hardware is Tamper Reactive Yes No No No
    Safe Key Backup Yes No No No  
    Integrated Applications Yes Yes No No
    Multifactor Authentication Yes No No No
    Quorum Authorization Yes No No No
    Single Trust Path Support Yes No No No
    Networked and Off-line Yes No No No



BlackVault HSM

–► Learn More


BlackVault CA

–► Learn More


BlackVault CYNR

–► Learn More



–► Engage Black News

–► BlackVault HSM Safeguards Consumer Appliance and IoT Device Identities
–► BlackVault Certificate Authority Adds Support for New Standard
–►  BlackVault CYNR Revolutionizes Secure Code and App Signing
–► Engage Black Introduces BlackVault CA Security Appliance
–► Engage Black Introduces BlackVault CYNR, Code and Document Signing Appliance

More about the BlackVault and Key Management

–► BlackVault

Eclipse Logo

 –►  Eclipse  

Java Logo

 –► Java (Jar) 





Engage logo 990000 rev 2.000
9565 Soquel Drive Dr,
Aptos Ca 95003
Telephone: 1-831-688-1021
Toll Free : 1-877-ENGAGE4
Fax: 1-831-688-1421
© 1989-2017 Engage Inc.
Designed, Fabricated, and Assembled
in America icon
Supported Worldwide