PKI Security: Encryption Key Management & Authentication

Public key infrastructures (PKIs) are relied upon to secure a broad range of digital applications, validating everything from transactions and identities to supply chains. However, infrastructure vulnerabilities represent a significant risk to the organizations that rely on PKI alone to safeguard digital applications.

Thales offers PKI encryption key management solutions to help you protect the keys at the heart of PKI as well as PKI-based authentication tokens that leverage the security benefits offered by PKI to deliver dependable identity protection. These solutions are available on premises, or as a service in the cloud.


PKI Key and Certificate Security

Secure storage and protection of private keys is integral to the security of the Asymmetric Key Cryptography used in a PKI. If a Certificate Authority's (CA's) root key is compromised, the credibility of financial transactions, business processes, and intricate access control systems is adversely affected.

Therefore, in a PKI environment, particularly one integral to business processes, financial transactions, or access controls, it is essential that private keys be guarded with the highest level of security possible via a dedicated security device: a hardware security module (HSM). Thales provides these solutions on-premises with the market-leading Thales Luna HSMs, and as a service in the cloud with its groundbreaking Thales Data Protection On Demand, a cloud-based HSM.


HSMs for PKI Encryption Key Management

Organizations deploy Thales's HSMs, which work in conjunction with a host CA server to provide a secure hardware storage location for the CA's root key or subordinate CAs' private keys. The key is managed separately and stored outside of the operating system software, thus preventing theft, tampering, and access to the secret key material.

Thales HSM Highlights:

  • FIPS 140-2 validation
  • Hardware-secured key generation, storage, and backup
  • Hardware-secured digital signing
  • PKI-authenticated software updates
  • Host-independent, two-factor authentication
  • Enforced operational roles


"Security is so important to our clients. We needed a solution that would provide the level of trust our customers were demanding. Thales solutions not only provided the security we were looking for but did so in a way that won't hinder the development and expansion of our business. Our overall experience was very positive."

- Maxim Shelemekh, Head of IT Risk and Control at ProminvestBank

PKI Authentication Solutions

Thales offers hardware-based PKI authentication solutions that provide optimal levels of security. Our wide portfolio of Thales smart cards and USB tokens leverages public key infrastructure to provide certificate-based strong authentication.

This provides two factors of authentication: the hardware card or token is something you have, and a user-selected PIN is something you know.


Realizing the need for strong PKI authentication

With proper security controls in place to verify the identity of the user before smart card issuance and certificate provisioning, you can be assured that only the legitimate user is accessing the corporate network and sensitive data.

Once a certificate-based identity solution has been deployed, there are several additional security features that can be added, including file encryption, email encryption and digital signature.


61% of workers report working outside the office at least part of the time and using 3+ personal devices for work activities.


Risk Management Strategies for Digital Processes with HSMs - White Paper

An Anchor of Trust in a Digital World

Business and governmental entities recognize their growing exposure to, and the potential ramifications of, information incidents, such as: failed regulatory audits, fines, litigation, breach notification costs, market set-backs, brand...


Partner Spotlight: Microsoft Active Directory Certificate Services

When deploying Microsoft Active Directory Certificate Services, the co-deployment of an HSM is highly recommended to protect the CA root keys and maintain the integrity of the resultant PKI, certificates, and PKI-dependent applications. Thales Hardware Security Modules complement and enhance Microsoft Active Directory Certificate Services.

Frasier Health implements Thales smart card solution