Crypto Key Management System (CKMS)

Category: Key Management
Deployment: On-premises

Overview

CKMS is an on-premises key management system that provides centralised lifecycle management for encryption keys across enterprise applications, cloud environments, and mainframe platforms. First deployed in 1998, CKMS manages the full lifecycle of both symmetric and asymmetric keys, enforces role-based access controls, and provides the audit trails required to demonstrate compliance with regulatory and industry standards including PCI DSS.

Unsung implements CKMS for UK customers in banking, government, and enterprise environments where centralised control of cryptographic keys is required for regulatory compliance, operational security, and audit readiness.

The Challenge

As organisations deploy encryption across an increasing number of applications, databases, cloud services, and infrastructure components, the volume of cryptographic keys they must manage grows significantly. Without centralised key management, keys are created, stored, and rotated in isolation by individual applications and teams, creating fragmented processes with unclear ownership, inconsistent policies, and difficulty demonstrating compliance to auditors.

Manual, decentralised key management is costly and error-prone. Keys may not be rotated according to policy, retired keys may not be properly destroyed, and there is often no single view of the organisation’s cryptographic estate. In regulated sectors such as financial services, organisations must demonstrate that key management meets specific standards — a requirement that becomes increasingly difficult as key volumes and application diversity grow.

What It Does

CKMS addresses these challenges by providing a centralised platform that manages the entire lifecycle of cryptographic keys — generation, distribution, rotation, archival, and destruction — across all applications and environments from a single point of control. The system enforces defined roles and responsibilities for key management operations, automates key updates and distribution, and maintains comprehensive audit logs for compliance reporting.

The platform supports Bring Your Own Key (BYOK) capabilities for multi-cloud environments, enabling organisations to maintain control of their encryption keys when using cloud services from multiple providers. CKMS integrates with HSMs for hardware-backed key protection and connects to a broad range of enterprise applications, databases, and mainframe systems. It addresses over 50 common cryptographic use cases including data encryption, tokenisation, transaction authorisation, and code signing.

How Unsung Helps

Unsung helps clients assess their key management requirements, design centralised key management architectures, and implement CKMS integrated with their existing HSM infrastructure and application landscape. Our Hardware Security Modules service ensures the underlying cryptographic hardware is properly deployed and integrated with the key management platform.

Related Unsung Services

Hardware Security Modules — HSM deployment and integration for key protection infrastructure.

PKI Consultancy — Independent advisory on cryptographic infrastructure and key management strategy.

PKI Design & Build — Design and implementation of cryptographic architectures and trust frameworks.