IBM Enterprise Key Management Foundation

The IBM Enterprise Key Management Foundation (EKMF) is based on the IBM 4767 HSM, that achieved FIPS 140-2 level 4 certification. EKMF is a comprehensive key management solution supporting multi clouds and multi keystores with policy based key management services including Bring Your Own Key (BYOK), key and certificate generation, renewal, backup, and recovery. The EKMF solution is well-suited for banks, payment card processors and other businesses that must meet EMV® and payment card industry (PCI) requirements.

Get started with Cloud Key Management

Get the EKMF Workstation

You will need an EKMF workstation which provides the interface for managing your keys.

EKMF Bring Your Own Key Feature

Prepare your keys for a secure transit

The EKMF BYOK feature enables you to prepare your keys for the cloud migration and guides you all the way.

Azure Key Vault

Use your keys in the cloud

Securely save your keys to an Azure Key Vault.

Bring Your Own Key to Microsoft Azure Key Vault

The BYOK feature allows you to securely transfer your keys generated and protected by the IBM HSM to an Azure Key Vault. The graphical user interface and user-friendly wizard provided by EKMF guides you through the steps necessary to prepare your keys for the migration to cloud.  

Prepare your keys with EKMF by following these steps:

1) Follow the Azure guides to create a key vault and generate a RSA key as KEK for the transfer

2) Export the KEK (public part of the RSA key) and bring it to the EKMF workstation

3) Import the KEK into EKMF using a key template for Azure

4) Create your target key and prepare it for transfer using the key generation wizard

5) Extract the generated “byok” file containing the target key from EKMF

6) Import the “byok” file into the Azure Key Vault holding the KEK used

    Do effective work, be guided by the Key Import and Generation wizards

    EKMF key generation wizard

    To prepare your keys for the cloud you will need to import a Key Encryption Key (KEK) generated from your Azure Key Vault. The EKMF BYOK feature provides you with a sample key template for importing this KEK to EKMF. Further, EKMF provides a key import wizard which guides you through the steps for importing the KEK as well as generating and wrapping your target key that you wish to bring to the Azure Key Vault.

    Let’s get in touch

    Are you ready to migrate to the cloud or do you need more information? We are here to answer your questions and guide you on your journey to cloud key management.
    Get in touch with your local IBM team or directly with the Crypto team at