
PKI Security: Encryption Key Management & Authentication


Public key infrastructures (PKI) protect digital applications of every kind and validate everything from transactions and user identities to supply chains. Weaknesses in such an infrastructure therefore pose a considerable risk to organizations that rely on their PKI to protect digital applications.

For reliable identity protection, Gemalto offers a range of PKI key management security solutions that protect the encryption keys in the PKI environment as well as PKI-based authentication tokens. These solutions are available for on-premises use or as a service in the cloud.

  • Protecting PKI Keys
  • PKI Authentication

PKI Key and Certificate Security

Secure storage and protection of private keys is integral to the security of the Asymmetric Key Cryptography used in a PKI. If a Certificate Authority's (CA's) root key is compromised, the credibility of financial transactions, business processes, and intricate access control systems is adversely affected.

Therefore, in a PKI environment – particularly one integral to business processes, financial transactions, or access controls – it is essential that private keys be guarded with the highest level of security possible in a dedicated security device: a hardware security module (HSM). Thales provides these solutions on-premises with the market-leading Thales Luna HSMs, and as a service in the cloud with Thales Data Protection On Demand, a cloud-based HSM.


HSMs for PKI Encryption Key Management

Organizations deploy Thales HSMs, which work in conjunction with a host CA server to provide a secure hardware storage location for the CA's root key or the private keys of subordinate CAs. The key is managed separately and stored outside of the operating system software, thus preventing theft, tampering, and access to the secret key material.

Thales HSM Highlights:

  • FIPS 140-2 validation
  • Hardware-secured key generation, storage, and backup
  • Hardware-secured digital signing
  • PKI-authenticated software updates
  • Host-independent, two-factor authentication
  • Enforced operational roles

Explore Thales MobilePKI solutions


"Security is so important to our clients. We needed a solution that would provide the level of trust our customers were demanding. Thales solutions not only provided the security we were looking for but did so in a way that won't hinder the development and expansion of our business. Our overall experience was very positive."

- Maxim Shelemekh, Head of IT Risk and Control at ProminvestBank

Read the Case Study


Learn more about HSMs

PKI Authentication Solutions

Thales offers hardware-based PKI authentication solutions that provide optimal levels of security. Our wide portfolio of Thales smart cards and USB tokens leverages public key infrastructure to provide certificate-based strong authentication.

This delivers two-factor authentication: the hardware card or token is something you have, and a user-selected PIN is something you know.


Realizing the need for strong PKI authentication

With proper security controls in place to verify the identity of the user before smart card issuance and certificate provisioning, you can be assured that only the legitimate user is accessing the corporate network and sensitive data.

Once a certificate-based identity solution has been deployed, there are several additional security features that can be added, including file encryption, email encryption and digital signature.

For more information, download our Identity and Authentication PKI Portfolio Brochure.

Learn about Thales PKI smart cards

Learn about Thales PKI USB tokens


61% of workers report working outside the office at least part of the time and using 3+ personal devices for work activities.


Risk Management Strategies for Digital Processes with HSMs - White Paper

An Anchor of Trust in a Digital World

Business and governmental entities recognize their growing exposure to, and the potential ramifications of, information incidents, such as:

  • Failed regulatory audits
  • Fines
  • Litigation
  • Breach notification costs
  • Market set-backs
  • Brand...


Partner Spotlight: Microsoft Active Directory Certificate Services

When deploying Microsoft Active Directory Certificate Services, it is advisable to integrate a hardware security module at the same time, so that the certification authority's root keys are protected and the integrity of the resulting PKI certificates and of the applications that depend on the PKI is preserved. SafeNet hardware security modules complement and enhance Microsoft Active Directory Certificate Services.
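The point made above, and in the HSM section earlier on this page, is that the CA's signing key should live in the HSM rather than in the operating system's software key store. An added example (not Thales or Microsoft code) of how an administrator can check this on an ADCS server: it reads the active CA's configured key storage provider from the CertSvc registry configuration and flags the Microsoft software providers. The expected HSM provider name is an assumption; substitute the name your HSM vendor documents.

```powershell
# Added example, not part of the original page. Run in an elevated PowerShell session on the ADCS CA server.
# Assumption: $ExpectedProvider is the key storage provider (KSP) name registered by your HSM vendor's client;
# the value below is a placeholder.
param(
    [string]$ExpectedProvider = "<HSM vendor KSP name>"
)

# ADCS keeps the active CA name and its CSP/KSP settings under the CertSvc service configuration.
$cfgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$activeCA = (Get-ItemProperty -Path $cfgKey -Name Active).Active
$csp      = Get-ItemProperty -Path (Join-Path $cfgKey "$activeCA\CSP")

$provider = $csp.Provider
# The default software KSP and the legacy software CSPs keep the key on the host's disk,
# which is exactly the situation an HSM deployment is meant to avoid.
$isSoftware = ($provider -like 'Microsoft Software*') -or ($provider -like '*Cryptographic Provider')

[pscustomobject]@{
    CA            = $activeCA
    Provider      = $provider
    HashAlgorithm = $csp.CNGHashAlgorithm
    HSMBacked     = ($provider -eq $ExpectedProvider)
    SoftwareKey   = $isSoftware
}

if ($isSoftware) {
    Write-Warning "CA '$activeCA' signing key is held by a software provider ($provider); it is not protected by an HSM."
}
```

Compare the reported provider against the KSP name the HSM client registers; a mismatch after a migration usually means the CA was never re-keyed onto the HSM.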

Frasier Health implements Thales smart card solution