HSM vs software-only Key Management?

Picking the right tool for your encryption job

Why pick? - both have a role in an enterprise key management strategy

The traditional approach to protecting encryption keys and data is to use a Hardware Security Module (HSM). There are many HSM vendors and models; the core features common to all are the ability to encrypt and decrypt data and keys, and to store the master key (a key that never leaves the HSM).

Most organizations need to protect many types of data, ranging from credit card data (numeric, 16 digits) and personally identifiable information (PII) to images (x-ray), video (CCTV), databases, etc.

Whilst credit card numbers are small in size and suitable for rapid transport and processing inside an HSM, the same is not true for databases and other large data types.

Randtronics DPM is a data security platform for encryption. It centrally coordinates encryption and key management for applications, file storage and databases to protect sensitive data right across an organization, thus protecting data (and copies) regardless of size, wherever they reside.

Customers using Randtronics DPM tailor key policies to selectively use software-generated keys or HSM-generated keys depending on business needs. Randtronics supports a wide range of multivendor HSMs.

Unlike HSMs, which require specialist skills to operate, Randtronics DPM is designed to simplify and automate all aspects of data privacy administration:

  • maintaining all keys and certificates across their lifecycle based on centrally managed policy
  • no-code change data protection at the file/folder level (transparent data encryption) and at the database field level (for Oracle and MS SQL)
  • low-code change field-level data protection via Randtronics API for any application and databases – stored anywhere
  • best practice guideline implementation of policy-based key management, policy-based data encryption and spoofing, as well as access control, separation of duties and auditing


Randtronics DPM makes encryption easy:

  • For businesses that have held off implementing widespread encryption over concerns of implementation disruption and the challenge of hiring and retaining specialist skills – Randtronics DPM makes encryption easy
  • For businesses seeking to rationalize their encryption protections and close gaps in their attack surface – Randtronics DPM makes it easy to close the gap between piecemeal encryption and effective encryption
Diagram of Key Management Lifecycle: Key Generation, Key Establishment, Key Storage, Key Usage, Key Archival, Key Destruction

Enterprise Key Management

Enterprise Key Management platforms are playing an increasingly important role as organizations tighten up their data protections, implement more encryption and need to manage more keys (and manage them more effectively):

  • Shift to comprehensive encryption: legacy approaches to encryption often created islands or silos of protection, with the unfortunate result that some organizations suffered data breaches despite encrypting some of their systems;
  • Role separation best practice: data privacy guidelines, including the recommendations contained in GDPR and the increasing number of international PDPL frameworks modelled after this approach, stress the need for role separation. Many organizations using EKM systems hand control of key administration to a dedicated data privacy team, with benefits both in terms of reducing the number of technical staff required with deep HSM knowledge and visibly demonstrating to data auditors role separation and maintenance of key change records.

Enterprise Key Management also brings benefits to organizations using Hardware Security Modules:

  • Reduce dependence on specialist skill: remove day-to-day administration responsibility from the technical team, make more effective use of highly skilled staff and/or mitigate challenges in hiring technical skills to support multiple HSMs (multi-vendor and multi-generation)
  • Increase economic life of HSM fleet: simplify the task of rotating in new HSMs for PCI or other highly sensitive requirements – rotate older HSMs for general use complementing software-based keys

Letter from the CEO

Thank you for visiting the Randtronics website.

We make enterprise encryption easy.

Smart businesses already know that only encryption can reduce the attack surface and stop the hackers from stealing their sensitive data. A company that only uses encryption is more secure than a company with all other cyber security measures. Privacy standards such as PCI DSS, HIPAA, and GDPR are all mandating in law the protection of the citizen’s personal data. Fines for breaches are huge. You won’t get fined if your firewall is hacked. You won’t get fined if you suffer a virus or ransomware attack. You WILL get fined if you lose ANY personal data pertaining to ANY citizen. The lowest common denominator is the DATA. Data that is “Encrypted” is out of the scope of the Law.

Whilst all understand the need to protect sensitive data holistically (such as NIST Cyber Security Framework or 12 prescriptive PCI DSS guidelines), their cyber security priorities are misguided to say easy aspects and not addressing “what happens” when these fail? Encryption of data is the only direct protection measure that renders data unreadable compared to upgrading firewalls or virus and malware, IPS, log monitoring, etc. I am saying you need all methods, but unless you have implemented enterprise grade encryption you are still unprotected, like driving a car without “seatbelts”. “Enterprise grade encryption” as a cyber measure is the “seat belt” that saves lives in car accidents. Industry experts predict a relentless continuation of data breaches this year, and penetration testing has proven perimeter defense is easily penetrable.

Randtronics has taken the challenge to make encryption easy and is innovating in many areas. We have already reduced deployment effort to days and use familiar standard components so that less skilled people can deploy and maintain systems.
I welcome discussions via email or phone, as through your feedback we will be challenged to continue to innovate to the point where businesses and users do not need to be intimidated when using encryption as the world's most powerful tool to protect their sensitive data.

Experts predict data breaches will continue at a relentless pace; let Randtronics secure your business with “Enterprise grade ubiquitous encryption technology”. Time is of the essence. Why not be pro-active? I invite you to let Randtronics and its global distributors and resellers assess and assist your business directly.

Yours sincerely,
Bob K Adhar, BE, MBA, CISSP
Founder and CEO