Staff augmentation for centralized key management and key custodian responsibilities

Key Exchange Escrow Service - KEES

Available as: As a service

Your dedicated personnel for centralized key management and key custodian responsibilities

  • Harness the possibilities of a private cloud-based infrastructure.
  • Focus your team on your core business and use KEES as augmentation for key management responsibilities.
  • Rely on qualified experts that are 100% dedicated to key management.
  • Create, rotate and/or distribute keys in days, not weeks.
  • Reduce scope and outsource the burden of PCI compliance to subject matter experts.
  • Dedicated and/or shared models with high availability. Can provide a turnkey solution or discrete operations: validation/verification, tokenization, key rotation, injection, etc.

Utimaco's KEES delivers trained staff, highly available access, and trusted cryptographic key management services for a variety of payment and general-purpose business applications. 

Key Benefits

KEES datacenters are operated in accordance with the highest financial and cybersecurity standards, including PCI DSS, PCI PIN, PCI P2PE and SOC 2, as well as ISO 27001, ISO 9001 and ISO 14001.



KEES infrastructure delivers reliable and highly available service from geo-redundant data centers to ensure customers have access 24x7x365. 



KEES Key Management as a Service satisfies multiple use cases, including disaster recovery storage, key generation and migration, POS remote key distribution, public cloud trust and IoT platform provisioning.



Key Exchange and Key Escrow Services (KEES)

Key Management Lifecycle

The Key Exchange and Escrow Service supports a variety of practical use cases, all underpinned by Utimaco’s core trust service: full key lifecycle management (LCM).


Key Escrow

Whether functioning for disaster recovery or for legally mandated escrow requirements, any key that has been or is currently used for production purposes must be protected with the same security requirements as a production environment. Most organizations struggle to maintain a full production key inventory, let alone have any degree of confidence in disaster recovery scenarios, which usually remain untested. The KEES Service offers a full or partial key inventory escrow capability, fully protected under AES-256 encryption.

Independent of disaster recovery considerations, maintaining a key escrow ensures that an organization is in control of its own keys, without being held captive by any specific manufacturer or technology. Further, by leveraging a key escrow service, an organization can migrate keys to new wrapping formats such as TR-31, without interrupting production systems.
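The paragraph above mentions migrating escrowed keys into the TR-31 key block format. The following added example (not KEES code, and not Utimaco's implementation) parses and sanity-checks a TR-31 / ANSI X9.143 key block header, showing the attributes (key usage, algorithm, mode of use, exportability) a migration must carry across intact and the structural checks a receiver performs before attempting to unwrap; the sample key block is constructed, with dummy payload and MAC hex, and the body is never decrypted.

```python
"""Parse and sanity-check a TR-31 / ANSI X9.143 key block header (added example, not KEES code).
Shows the attributes an escrow migration to TR-31 must carry intact and the structural checks
a receiver applies before attempting to unwrap; the encrypted key body is not decrypted here."""

MAC_HEX_LEN = {"A": 8, "B": 16, "C": 8, "D": 32}          # MAC size (hex chars) per version ID
CIPHER_BLOCK_HEX = {"A": 16, "B": 16, "C": 16, "D": 32}   # TDES (A/B/C) vs AES (D) block size
ALGORITHMS = {"A": "AES", "D": "DES", "T": "TDES", "R": "RSA", "E": "ECC", "H": "HMAC"}
EXPORTABILITY = {"E": "exportable under trusted KEK", "N": "non-exportable", "S": "sensitive"}

# Constructed sample: version D (AES), PIN-encryption key (P0), encrypt-only (E), non-exportable
# (N), a "KS" key-set-id optional block plus "PB" padding; payload and MAC bytes are dummy hex.
SAMPLE_BLOCK = "D0128P0AE00N0200" + "KS0CABCD1234" + "PB04" + "1A" * 32 + "2B" * 16


def parse_tr31_header(block: str) -> dict:
    """Return the header fields and optional blocks; raise ValueError if malformed."""
    if len(block) < 16 or not block[1:5].isdigit() or not block[12:14].isdigit():
        raise ValueError("key block header is truncated or has non-numeric length fields")
    hdr = {"version": block[0], "length": int(block[1:5]), "key_usage": block[5:7],
           "algorithm": block[7], "mode_of_use": block[8], "key_version": block[9:11],
           "exportability": block[11], "optional_blocks": {}}
    if hdr["version"] not in MAC_HEX_LEN:
        raise ValueError(f"unknown key block version {hdr['version']!r}")
    if hdr["length"] != len(block):
        raise ValueError(f"declared length {hdr['length']} != actual {len(block)}")
    if hdr["algorithm"] not in ALGORITHMS or hdr["exportability"] not in EXPORTABILITY:
        raise ValueError("unknown algorithm or exportability code")
    pos = 16
    for _ in range(int(block[12:14])):  # declared number of optional blocks
        block_id, blk_len = block[pos:pos + 2], int(block[pos + 2:pos + 4] or "0", 16)
        if blk_len < 4 or pos + blk_len > len(block):
            raise ValueError(f"optional block {block_id!r} has a bad length")
        hdr["optional_blocks"][block_id] = block[pos + 4:pos + blk_len]
        pos += blk_len
    # what remains is the encrypted key payload followed by the MAC
    payload_len = len(block) - pos - MAC_HEX_LEN[hdr["version"]]
    if payload_len <= 0 or payload_len % CIPHER_BLOCK_HEX[hdr["version"]]:
        raise ValueError("encrypted payload missing or not cipher-block aligned")
    return hdr


def is_well_formed(block: str) -> bool:
    """True if the header parses and is self-consistent with the block, else False."""
    try:
        parse_tr31_header(block)
        return True
    except ValueError:
        return False
```

A real receiver would go on to verify the MAC under the key block protection key before unwrapping, which is the step that binds these header attributes to the key.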

Key Management as a Service 

With the expansion of encryption requirements for any enterprise today, the necessity to maintain a centralized key management utility or team is more vital than ever before. Still, many organizations struggle to find and dedicate full-time subject matter experts and technologies to manage this growing requirement. The KEES key exchange service closes this gap.

By utilizing the KEES Key Management as a Service offering, organizations benefit from the subject matter expertise of our full-time, dedicated staff for key generation, key distribution, key rotation, key escrow, and compliance scope reduction.

HSM as a Service 

While most organizations’ technical infrastructure is migrating to cloud-based services, HSM technology does not lend itself to this strategy quite so easily. The primary purpose of HSM technology is to ensure that cryptographic keys remain protected, not only in storage, but also while in use. Virtual solutions are software by definition, but HSMs are required to be hardware. Moreover, most HSM technology leverages proprietary APIs and relies on externally protected key stores.

The KEES platform is the ideal bridge between hardware requirements and the quest for virtual HSM technology. By leveraging cryptographically segregated relationship structures, the KEES platform extends a simple JSON schema RESTful API for remote access to a dedicated client’s protected key store. Connections are supported over TLS 1.2. From there, the KEES platform translates the inbound RESTful API to many different proprietary APIs for various HSM manufacturers including Thales, SafeNet, and Atalla AT1000.

HSM as a Service eliminates the requirements of hardware management, offers dramatic compliance scope reduction, and utilizes full-time staff professionals to perform sensitive key management functions.

POS Remote Key Distribution  

As the complexity of local PED (PIN entry device) key injection and management and the cost of PCI compliance continue to rise, Utimaco’s KEES infrastructure and service can host PCI key generation and distribution services to reduce the total cost of ownership (TCO) associated with operating a centralized key injection facility (KIF). As clear-text key injection is phased out, PED manufacturers can now support remote key loading (RKL) over a network, which reduces PED logistics support costs and opens the market to hosted PED key management and distribution services.

IoT Platform Provisioning as a Service 

As system, device and component level security risks continue to rise in this digitally connected world, the need to securely provision cryptographic content is on the rise. A prominent example is the automotive industry, where connected vehicles must be manufactured with digital trust and assurance. However, many IoT companies do not have the expertise to design systems, devices or components, or to adapt their manufacturing activities to support the provisioning of cryptographic content. Utimaco’s KEES service can interface with your manufacturing and assembly operations to generate and deliver cryptographic content from a compliant infrastructure using standards adapted from the financial services sector.

Small, medium, and large businesses will all migrate to public cloud infrastructure and services (e.g., AWS, Google, Salesforce, etc.) to deliver better experiences to their enterprise and customers. Some will want to maintain a level of independence from the public providers and deploy a hybrid-cloud model. KEES enables that cloud journey and flexibility by offering interoperable support for the major public cloud providers, whether it is BYOK (bring your own key) or full lifecycle management.

Key generation, off-premise disaster recovery storage, hosted PED remote key distribution service

  • Generate
  • Export  
  • Store
  • Remotely distribute
  • Audit
  • FIPS 140-2 L3 HSM
  • Data center geo-redundancy
  • Trained key custodians
  • PCI PIN compliant
  • KMaaS
  • Customer key custody

As a service

Our as-a-service options are hosted by UTIMACO in certified datacenters and include everything from set-up to deployment to maintenance.


Fully managed Payment HSM service with secure and highly available host connections to two of the world’s leading HSM manufacturers: Utimaco Atalla AT1000 and Thales payShield 10K.
