Atalla (HPE) Enterprise Secure Key Manager (ESKM)

Common Models / Form Factors

  • ESKM L2 / L3 / L4 1U appliances (KMIP-based key manager). L3/L4 variants embed a Utimaco GP HSM for higher assurance. (source: utimaco.com)
  • Earlier appliances/software versions include ESKM 3.x–5.x; KMIP 1.0–1.3 support is documented.

FIPS Status

  • ESKM 3.0/3.1 module validated to FIPS 140-2 (the Security Policy details Level 2 operation). (source: NIST Computer Security Resource Center)
  • ESKM L3 / L4 appliances: marketed with FIPS 140-2 Level 3 / Level 4 security via the embedded Utimaco HSM. (We deploy in FIPS-approved configurations and document the settings for audits.) (source: utimaco.com)

PQC (Post-Quantum) Support

  • Role of ESKM: a key manager (not a signing/KEM engine). Native PQC algorithms run in apps/HSMs, while ESKM provides custody, KMIP object lifecycle, access policy, and audit.
  • Our approach: integrate PQC libraries/HSMs (for ML-KEM / ML-DSA) with ESKM as the authoritative KMIP server, enabling dual-stack (classical + PQC) rollouts and policy-controlled distribution and rotation of PQC key material.

Dual Private-Key Format Support (Seed vs Expanded)

  • Context: PQC introduces compact seeds (~tens of bytes) and expanded private keys (~1.6–4 KB). Standards work is moving toward seed-centric PKCS#12 profiles.
  • What we implement with ESKM:
    • Seed custody as KMIP objects: Store seeds as high-assurance, access-controlled KMIP objects; gate unwrap/export under dual control/split knowledge.
    • Deterministic re-derivation downstream: Applications/HSMs derive expanded keys inside their trust boundary from ESKM-managed seeds; ESKM maintains provenance, labels, and rotation schedules.
    • Expanded-key handling: Where required, manage expanded private keys as KMIP objects with wrapping, archival, and policy enforcement, documented for FIPS-approved modes on L3/L4 appliances. (source: utimaco.com)
    • Backup & portability: ESKM cluster backup with digitally signed audit logs; runbooks to migrate from legacy PFX to seed-centric custody as seed-only PKCS#12 profiles finalize. (source: Secure Technology Alliance)
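The seed-centric model described in the PQC and dual-format bullets above, as an added illustration that is not ESKM, KMIP or SafeCipher code: the key manager holds only the short seed, export is gated behind dual control, and the consumer re-derives the expanded private key deterministically inside its own boundary. HKDF-SHA256 stands in for the real algorithm's key-expansion routine (an assumption; ML-KEM/ML-DSA expansion is algorithm-specific), the 2400-byte target is a constructed size inside the 1.6-4 KB range cited above, and the custodian, approver identities and audit entries are constructed for the example.

```python
"""Seed custody vs. expanded-key derivation (added example, not ESKM/KMIP code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

EXPANDED_KEY_BYTES = 2400  # constructed stand-in size, within the 1.6-4 KB range cited
SEED_BYTES = 32            # compact seed, "tens of bytes"


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (Extract then Expand) built on HMAC-SHA256 from the stdlib."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def expand_private_key(seed: bytes, algorithm: bytes) -> bytes:
    """Deterministic seed -> expanded private key, run by the consumer (app/HSM).
    HKDF is an assumption standing in for the PQC algorithm's own expansion step."""
    return hkdf_sha256(seed, salt=b"seed-expansion", info=algorithm, length=EXPANDED_KEY_BYTES)


@dataclass
class SeedObject:
    uid: str
    algorithm: bytes
    seed: bytes                    # the only secret the custodian stores
    version: int = 1
    lineage: list = field(default_factory=list)  # prior versions, for provenance


class SeedCustodian:
    """Toy custody service modelling the policy points above:
    dual-control export, rotation that preserves provenance, audit trail."""
    REQUIRED_APPROVERS = 2

    def __init__(self):
        self.objects: dict[str, SeedObject] = {}
        self.audit: list[tuple] = []

    def create(self, uid: str, algorithm: bytes) -> SeedObject:
        obj = SeedObject(uid, algorithm, secrets.token_bytes(SEED_BYTES))
        self.objects[uid] = obj
        self.audit.append(("create", uid, obj.version))
        return obj

    def export_seed(self, uid: str, approvers: list[str]) -> bytes:
        """Release the seed only when two distinct approvers sign off (dual control)."""
        distinct = tuple(sorted(set(approvers)))
        if len(distinct) < self.REQUIRED_APPROVERS:
            self.audit.append(("export-denied", uid, distinct))
            raise PermissionError("dual control: two distinct approvers required")
        self.audit.append(("export", uid, distinct))
        return self.objects[uid].seed

    def rotate(self, uid: str) -> SeedObject:
        """Replace the seed with a fresh one; record the old version in the lineage."""
        old = self.objects[uid]
        new = SeedObject(uid, old.algorithm, secrets.token_bytes(SEED_BYTES),
                         version=old.version + 1, lineage=old.lineage + [old.version])
        self.objects[uid] = new
        self.audit.append(("rotate", uid, new.version))
        return new


def demo() -> dict:
    """Walk the lifecycle once and return the facts worth checking."""
    kms = SeedCustodian()
    kms.create("pqc-sign-01", b"constructed-pqc-alg")
    try:
        kms.export_seed("pqc-sign-01", ["alice", "alice"])  # same person twice: denied
        denied = False
    except PermissionError:
        denied = True
    seed = kms.export_seed("pqc-sign-01", ["alice", "bob"])
    # Two independent consumers expand the same seed and must agree byte-for-byte.
    k1 = expand_private_key(seed, b"constructed-pqc-alg")
    k2 = expand_private_key(seed, b"constructed-pqc-alg")
    rotated = kms.rotate("pqc-sign-01")
    k3 = expand_private_key(kms.export_seed("pqc-sign-01", ["alice", "carol"]),
                            b"constructed-pqc-alg")
    return {
        "denied_single_approver": denied,
        "seed_len": len(seed),
        "expanded_len": len(k1),
        "deterministic": k1 == k2,
        "rotation_changes_key": k1 != k3,
        "version": rotated.version,
        "lineage": rotated.lineage,
        "audit_events": [e[0] for e in kms.audit],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the sizes make is operational: backing up, replicating and escrowing a 32-byte seed object is far cheaper than doing the same for a 2.4 KB expanded key, and because expansion is deterministic the custodian never needs to see the expanded form at all.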

How SafeCipher Helps (Procure • Deploy • Support)

  • Procurement & contracts: Sizing, quotes, spares/RMA, co-termed renewals; guidance on L2 vs L3 vs L4 selection and lifecycle (including legacy ESKM estates). (source: utimaco.com)
  • Deployment & integration: HA clustering, KMIP client onboarding (tape libraries, arrays, databases, NonStop, backup platforms), policy/RBAC design, and performance tuning. (source: HPE Support)
  • Operations: 24×7/BH support options, firmware/config governance, signed-log audit packs, key rotation/escrow procedures, and crypto-agility playbooks for PQC adoption. (source: Secure Technology Alliance)
  • Migrations: Legacy ESKM → current L3/L4 appliances, vendor-to-vendor KMS moves via KMIP, and classical→PQC dual-stack transitions with provenance-preserving re-wraps.

Bottom line

Whichever HSM or crypto platform you choose, we can help you buy it right, deploy it right, and keep it right, without locking you to a single vendor.