CipherTrust Manager

CipherTrust Manager offers the industry leading enterprise key management solution enabling organizations to centrally manage encryption keys, provide granular access control and configure security policies. CipherTrust Manager is the central management point for the CipherTrust Data Security Platform. It manages key lifecycle tasks including generation, rotation, destruction, import and export, provides role-based access control to keys and policies, supports robust auditing and reporting, and offers developer friendly REST API.

CipherTrust Manager is available in both virtual and physical form-factors that integrate with FIPS 140-2 validated Thales TCT Luna T-Series and third-party Hardware Security Modules (HSMs) for securely storing master keys with highest root of trust. These appliances can be deployed on-premises in physical or virtualized infrastructures and in public cloud environments to efficiently address compliance requirements, regulatory mandates and industry best practices for data security. With a unified management console, it makes it easy to set policies, discover and classify data, and protect sensitive data wherever it resides using the CipherTrust Data Security Platform products.

Cloud-to-Edge Deployment Options

CipherTrust k570 – Enterprise-Level Hardware Platform

CipherTrust k570 is an enterprise-level centralized key management platform that manages cryptographic keys, certificates, applications in a tamper-proof hardware appliance. CipherTrust k570 utilizes an embedded FIPS 140 Level 3 Thales TCT Luna T-Series HSM for securely storing master keys with highest root of trust.

CipherTrust k170v & k470v – Virtual Platform

CipherTrust k170v & k470v are enterprise-level virtual key management platforms that protect cryptographic keys that can be easily adapted to a wide range of cloud & virtual environments.

CipherTrust k160 – SFF Harware Platform for the Edge

CipherTrust k160 is a compact cryptographic key management platform that can be utilized in deployments at the edge. This small form factor (SFF) appliance includes a FIPS 140-2 Level 3 token or a high assurance cryptographic token as its hardware root of trust. The token HSM operates as a secure root of trust by encrypting all sensitive objects (e.g. keys, certificates, etc.) in CipherTrust k160 with keys that are generated by, and reside in, the token HSM.

CipherTrust Cloud Key Manager

Centralized lifecycle management for BYOK, HYOK and cloud native encryption keys


  • Centralized key management for multiple on-premises data stores and cloud infrastructures
  • Reduced risk with unified data discovery, classification and sensitive data protection
  • Simplified management with self-service licensing portal and visibility into licenses in use
  • Cloud friendly deployment options with support for AWS, Azure, Google Cloud, VMware, Oracle Cloud Infrastructure and more
  • Support for superior key control with Thales TCT’s T-Series HSM
  • Unparalleled partner ecosystem of integrations with leading enterprise storage, server, database, application and SaaS vendors

CipherTrust Manager Features & Specifications


Full Key Lifecycle Management and Automated Operations

Simplifies management of encryption keys across their entire lifecycle, including secure key generation, backup/restore, clustering, deactivation, and deletion. It makes automated, policy-driven operations easy to perform, and generates alarms for events of interest.

Unified Management Console

Provides a unified console for discovering and classifying sensitive data integrated with a comprehensive set of CipherTrust Data Protection Connectors to encrypt or tokenize data to reduce risk and satisfy compliance regulations

Centralized Administration and Access Control

Unifies key management operations with role-based access controls and provides full audit log review. Authenticates and authorizes administrators and key users using existing AD and LDAP credentials.

Multi-Tenancy Support

Provides capabilities required to create multiple domains with separation of duties to support large organizations with distributed locations.

Developer Friendly Rest APIS

Offers new REST interfaces in addition to KMIP and NAE-XML APIs, for developers to simplify deployment of applications integrated with key management capabilities and automate testing and development of administrative operations.

Robust Auditing and Reporting

Includes tracking of all key state changes, administrator access, and policy changes in multiple log formats (RFC-5424, CEF, LEEF) for easy integration with SIEM tools.

Root of Trust

CipherTrust Manager can use Thales TCT’s Luna T- Series HSMs as root of trust. Meeting government mandates for U.S. Supply Chain, the high-assurance, tamper-resistant Luna T-Series HSMs are designed, developed, manufactured, sold, and supported in the United States. CipherTrust k160 uses a removable FIPS 140-2 certified token or high assurance token as a root of trust.

Models & Specs

CipherTrust Manager Features

Virtual Appliances

Physical Appliances

Administrative Interfaces

Management Console, REST API, kscfg (system configuration), (ksctl (Command Line Interface)

Network Management

SNMP v1, v2c, v3, NTP, Syslog-TCP


Prometheus, Splunk

API Support


Security Authentication

Local User , AD, LDAPS, Certificate based authentication, Supports Open ID Connect (OIDC)

System Formats


Supported HSMs for Root of Trust

Luna Network HSM, Luna T-Series Network HSM, Luna as a ServiceHSM , Luna Cloud HSM, AWS Cloud HSM, Azure Dedicated HSM, IBM Cloud HSM, IBM Cloud Hyper Protect Crypto Services Cloud HSM

Removable token HSM using either a FIPS 140 Certified Token or High Assurance Token

Embedded FIPS 140 level 3 & CNSS approved Luna T-series HSM or Luna as a Service HSM

Maximum Number  of Keys
Tested up to 1M Keys (more possible with appropriately sized virtual environments)
Tested up to 1M Keys (more possible with appropriately sized virtual environments)
Maximum capacity of 10,000 symmetric keys.
Maximum of 100 keys using concurrent connections.
1 Million Keys
Maximum Domains (multi-tenancy)




FIPS Support

FIPS 140-2 L1

Integrates with an external FIPS Certified Physical or Cloud HSM as Secure Root of Trust
FIPS 140 Certified Token HSM
Embedded Luna T-Series PCIe FIPS 140 Level 3 certified – password and multi-factor (PED)

Appliance Specifications

Physical Appliances



6.5” x 4.0” x 1.5” (165.1mm x 101.6mm x 38.1mm)
19” x 21” x 1.725” (482.6mm x 533.4mm x 43.815mm)
Hard Drive
1x 2TB SATA SE (Spinning Disk)
Atom E3845 Processor SoC
Xeon E3-1275v6 Processor
NIC Support
1x 1GB
4x1GB or 2x10Gb/2x1Gb (NIC Bonding capable)
Rack Mount
Standard 1U shelf mount can be optionally purchased (can house up to two k160s)
Standard 1U rack mountable
Sliding rails can be optionally purchased
External power supply included, locking DC connector
Dual hot swappable power supplies
Safety & Compliance


Mean Time Between Failure
170,869 hours
153,583 hours
Virtual Appliances



System Requirements
  • RAM (GB): 16

  • Hard Disk (GB): 100

  • NICs: 1 or more

  • CPUs: up to 4 CPU max

  • RAM (GB): 16 or more

  • Hard Disk (GB): 200 or more

  • NICs: 2 or more

  • CPUs: 5 or more

Clouds/Hypervisors Supported
  • Public Clouds: AWS Cloud, Microsoft Azure, Google Cloud Enterprise (GCE), Oracle Cloud Infrastructure (OCI)

  • Private Clouds/Hypervisors: VMware vSphere (6.5, 6.7 and 7.0), Microsoft Hyper-V, Nutanix AHV, OpenStack (QCOW2)

  • Hybrid Clouds/Hypervisors: Azure Stack HCI, Azure Stack Hub

  • AWS GovCloud, Azure Government Cloud also supported


CipherTrust Manager k160 Product Brief
CipherTrust Manager k570 Product Brief
CipherTrust Manager Product Brief
Virtual CipherTrust Manager Product Brief