# Key Management FAQ

Phoeniqs Cloud HSM is a single-tenant, dedicated hardware security module service built on FIPS 140-2 Level 4 IBM CryptoExpress 8S hardware. It implements a Keep Your Own Key (KYOK) model: you generate and control master keys on IBM Trusted Key Entry (TKE) smart cards under quorum ceremonies, and Phoeniqs operates the infrastructure without access to your key material. Phoeniqs Cloud KMS (coming soon) is a multi-tenant key management service that simplifies key lifecycle management through a user-friendly API catalog, with Bring Your Own Key (BYOK) support for importing existing keys. Both are built on certified HSMs and confidential computing, but HSM is for organisations that need exclusive key custody and dedicated hardware domains.

No. Under the KYOK model, master keys are created during a formal key ceremony at Phoeniqs' secure facility in Basel and are held exclusively by your designated Master Key Custodians on TKE smart cards. Phoeniqs cannot access, extract, or override your keys, smart card PINs, or quorum authorization rules. All administrative commands require M-of-N customer administrator signatures before the HSM accepts them. After the ceremony, you are responsible for generating and managing operational keys; Phoeniqs is responsible only for HSM infrastructure availability and maintenance.

Phoeniqs Key Management is built on Zero Trust principles and FIPS 140-2 Level 4 certified HSMs — the highest level of physical and logical security certification, with tamper detection, auto-zeroization, and certified random number generation. HSM services run inside IBM Hyper Protect Virtual Servers with hardware-enforced confidential computing, so cloud administrators cannot access memory or key operations. The platform is hosted in Switzerland for data sovereignty and supports both industry-standard cryptography (AES, RSA, ECDSA) and post-quantum algorithms (CRYSTALS-Kyber, CRYSTALS-Dilithium) for long-term protection.

Common use cases include database and object storage encryption, PKI and TLS certificate signing, code signing for software supply chains, tokenization and digital asset custody, OAuth/JWT token signing, API key protection, and electronic signatures. The service exposes enterprise PKCS#11 and gRPC (Grep11) APIs, so applications connect via mTLS certificates you manage. Dual data centre deployment on separate IBM LinuxONE systems provides automatic failover, making it suitable for mission-critical workloads such as online banking, identity systems, and regulated data protection where you must prove that only you control the keys.