Advanced Encryption Key Management

Effective key management is essential for any encryption system. PKWARE's data security platform facilitates organizational control over encryption keys and encrypted data, even in the most complex environments.

Supported key types

Organizations can use PKWARE to protect data with a variety of symmetric and asymmetric encryption key formats:


Smartkeys

PKWARE's Smartkey technology links encryption keys with user identities, enabling organizations to maintain greater control over encrypted data inside and outside the company network. With Smartkeys, administrators can grant and revoke access to encrypted data at any time, without the need to re-encrypt the data.

Smartkeys use the strongest, most widely-accepted encryption algorithms available to encrypt sensitive data. They can be used to encrypt and decrypt data on user devices, file servers, and other locations, including cloud storage services.


Passphrases

Organizations can enable passphrase-based (symmetric key) encryption, and choose whether to use system-generated passphrases or user-created passphrases, based on company policy.

X.509 certificates

PKWARE can sign, encrypt, and decrypt files using X.509 certificates, the most widely used key format for public key infrastructure (asymmetric encryption). Certificates can be stored on local devices or in LDAP-compliant certificate stores, and accessed by PKWARE as needed.

OpenPGP certificates

OpenPGP uses the same basic public key infrastructure principles as X.509 certificates, but uses a decentralized "web of trust" method of authenticating signatures. PKWARE extracts and decrypts files that comply with the OpenPGP standard, and can also create OpenPGP files and apply digital signatures.

Both passphrases and certificates

PKWARE also provides the ability to encrypt data using certificates and passphrases at the same time. This approach allows data to be decrypted by anyone who has the passphrase or is on the certificate recipient list.

No matter which approach your organization uses, PKWARE automatically encrypts and decrypts files based on organizational policy, simplifying the user experience while ensuring that sensitive data remains protected against inappropriate use.

Hold Your Own Key (HYOK) capabilities

As organizations shift more of their data and business processes to the cloud, data protection and key management become more complex. Encryption solutions offered by cloud service providers typically leave keys in the hands of the service providers themselves. While this may be acceptable for some use cases, many organizations need to maintain full control over their encryption keys to comply with contractual requirements, regulatory mandates, or internal policies.

With PKWARE, organizations can implement a Hold Your Own Key (HYOK) approach for encrypting highly sensitive data, maintaining complete control over access to encrypted files, even when files are stored in the cloud.

The benefits of HYOK

Cloud-based encryption—in which the cloud provider generates and/or manages the keys—may be sufficient for certain data types, but will not satisfy requirements that call for organizations to prove that they control physical access to their encryption keys.

With HYOK encryption, data is encrypted by PKWARE before being saved in the cloud, using a key stored in a hardware security module or other company-controlled location. Once in the cloud, the data remains opaque to cloud services, and cannot be decrypted by anyone to whom the organization has not granted access to the key (including PKWARE).

PKWARE's HYOK encryption can be implemented side-by-side with cloud encryption to ensure full compliance with organizational policies. Data that is appropriate for cloud-based use can be protected via one workflow, while data that requires maximum security can be automatically routed to a separate workflow for HYOK encryption.

Contingency keys

PKWARE's contingency key feature enables an organization to decrypt files encrypted by anyone in the organization, whether the files were passphrase-encrypted or were encrypted for specific recipients.

Contingency keys are third-party public keys, in OpenPGP or X.509 format, that are automatically included in every encryption operation performed by PKWARE. These can be keys that you generate outside of the PKWARE ecosystem in accordance with your organization's security policy.

Whether the files are passphrase-encrypted or encrypted for specific recipient public keys, contingency keys provide a safeguard to ensure that important information belonging to the organization does not become permanently inaccessible.