ETAS Key Management System

Securing the software-defined vehicle (SDV) – from production to fleet

ETAS Key Management System is an enterprise-grade automotive key management solution designed for software-defined vehicles (SDV). It secures cryptographic keys across development, manufacturing, and fleet operations. From secure key injection in production to certificate management, authentication, and OTA software signing, the platform centrally manages encryption, digital signatures, and device identities at scale. Built for OEMs and Tier-1 suppliers, the solution protects ECUs, vehicle backends, and manufacturing environments while ensuring compliance with automotive cybersecurity regulations such as ISO 21434 and UNECE R155.

Get demo version

Screenshot of the ETAS Key Management System, showcasing securing the Software-Defined Vehicle (SDV) from production to fleet

The architecture of end-to-end key management solution

ETAS SaaS central key management backend diagram: customer, 3rd party, and SaaS interaction, authentication, and key services.

Your benefits

Automotive manufacturers and Tier-1 suppliers rely on secure, compliant, and scalable automotive key management to protect software-defined vehicles (SDV) from production to fleet. The ETAS Production Key Platform delivers enterprise-grade cryptographic security tailored for automotive environments.

Automotive-native

Purpose-built automotive key management enabling secure ECU provisioning, AUTOSAR SHE injection, automotive PKI, and ISO 21434-compliant production security.

Regulatory compliance

ISO 21434 and UNECE R155-aligned architecture enabling compliant automotive key management, secure production, and regulated SDV lifecycle governance.

HSM-based infrastructure

HSM technology and end-to-end key protection provide a very high level of security.

Flexible global deployment

SaaS or on-premise deployment with optional Production Key Server enabling secure, low-latency global automotive manufacturing operations.

Car software-defined vhicle with numbers one and zero overlay

Automotive key management for software-defined vehicles

The ETAS Key Management Platform delivers enterprise-grade cryptographic security for software-defined vehicles. It protects vehicle production, onboard communication, cloud connectivity, and OTA software updates through centralized, HSM-based key lifecycle management. Designed for OEMs and Tier-1 suppliers, the platform supports compliance with ISO 21434 and UNECE R155 while enabling scalable, secure vehicle ecosystems. Supports secure key management for:

Secure onboard communication between ECUs (SecOC)
Secure backend and cloud connectivity
Device and user authentication with certificate-based authorization
Secure OTA and firmware updates with authenticated software signing.

Highlights at a glance

Requests per day

Certificates per year

The ETAS Key Management System has been in operation for more than 10 years and has already secured millions of vehicles

Use cases of the ETAS Key Management System (KMS)

Proven cybersecurity expertise in Key Management System (KMS) reducing complexity and overall cost.

Digital signing ensures that only authentic software / configurations can be deployed on devices / ECUs / vehicles / fleets.

HSM-based signing key generation and protection
Signing keys are generated inside HSM and stored protected with FIPS 140-2 certified HSMs. Private keys remain non-exportable and protected against unauthorized access.
CMS (PKCS#7) on roadmap
Signing with CMS format (RFC 5652) planned to ensure interoperability with existing development, flashing, and OTA systems.
Signing of hash values
Signing of pre-calculated hash prevents uploading of sensitive customer data to the KMS.
Optional encryption of firmware
Enables confidentiality protection of firmware packages. Combined encryption and signing within a single workflow on roadmap.
Support for OTA / FOTA workflows
Designed for secure update distribution in software-defined vehicle and IoT environments.
Audit logging of signing operations
Application-level logging ensures traceability of key usage and signing activities.

The build in product PKI & symmetric key management enables secure communications within and beyond systems, e.g. secure onboard communication (SecOC), cloud connectivity, charging.

Root CA, Sub-CA, and end entity certificate creation
Supports hierarchical PKI structures including mixed hierarchies aligned to OEM security architectures.
CSR processing (PKCS#10)
Standard-compliant Certificate Signing Request (CSR) handling enables integration with internal or external provisioning systems, e.g. Local Registration Authority (LRA).
Certificate revocation and CRL generation
Revocation management with automated CRL publication for lifecycle control.
Certificate renewal via CMP
Supports structured in-field certificate renewal using Certificate Management Protocol (CMP) according to RFC 4210.
Device specific symmetric keys
HSM-based derivation of pseudorandom symmetric keys from a KMS internal master key suitable for device individual cryptographic keys – helping you to master the shift to e-mobility and optimize performance.

Ensure that only authorized users / devices (e.g., testers) get access, e.g. diagnostic (UDS 27, UDS 29), telematics.

Symmetric and asymmetric key generation
Secure key creation (derivation) inside HSM with standardized algorithms.
Password-based interface protection
Device specific creation (derivation) of password for interface lock and unlock, e.g. JTAG
MAC generation (NIST SP 800-38B)
Supports message authentication code generation, e.g. for seed-key creation in scope of Unified Diagnostic Services (UDS)
Challenge signing for unlock with asymmetric key or certificate
Support of Unified Diagnostic Services (UDS) according to ISO 14229
Authentication with PKI Certificate Exchange (APCE) and Authentication with Challenge-Response (ACR)

Encryption of sensitive data to prevent eavesdropping, e.g. software, firmware packages, log files, etc.

Confidentiality protection: Encrypts firmware, configuration data, and sensitive cryptographic material with AES CBC and standard AES padding (PKCS#7) to prevent unauthorized access.
HSM-based key security: Encryption keys (128/256 bit) are generated, processed, and protected inside the HSMs.
Secure key transport: Symmetric keys are securely wrapped with a device-specific public key for protected export and transfer to the target device.
Optional signing: Combined encryption with signing and CMS output to ensure authenticity and integrity with a single workflow on roadmap
Controlled access management: Fine-grained role-based access control for encryption key usage and administration.
Confidentiality protection: Encrypts firmware, configuration data, and sensitive cryptographic material with AES CBC and standard AES padding (PKCS#7) to prevent unauthorized access.
HSM-based key security: Encryption keys (128/256 bit) are generated, processed, and protected inside the HSMs.
Secure key transport: Symmetric keys are securely wrapped with a device-specific public key for protected export and transfer to the target device.
Optional signing: Combined encryption with signing and CMS output to ensure authenticity and integrity with a single workflow on roadmap
Controlled access management: Fine-grained role-based access control for encryption key usage and administration.

Transport, storage, injection and registration of sensitive data between KMS and connected system, e.g. injection of trust anchor or master key, confidential handling of software images or configuration data, CSR upload to OEM backend.

End-to-End protected transport: Confidential and authenticated import of sensitive data such as trust anchors, master keys, software images or configuration data from suppliers, OEM systems, or third parties.
HSM-based storage: Sensitive material imported to the KMS is securely stored with HSM-based protection.
Secure device registration: Secured upload of initial device key material, e.g. CSR or symmetric key, to OEM systems or third parties. Issuing of initial device certificates with Local Registration Authority (LRA).
Secure injection into devices: Controlled provisioning of sensitive data ensuring confidentiality, authenticity and integrity.
Production-ready architecture: Supports centralized orchestration with optional PKS for high-availability plant operations. HSM-protected key transfer between KMS backend and PKS in production.

Secure, HSM-protected key injection ensuring authenticated, device-specific provisioning across global automotive production environments.

End-to-End protected injection: Authenticated and HSM-encrypted transfer of key material from KMS backend to Production Key Server (PKS).
Device-specific key provisioning: Secure injection of unique keys and credentials per ECU or device or chip.
AUTOSAR SHE support: Secure key injection and key update compliant with AUTOSAR Secure Hardware Extension (SHE).
OEM key integration: Secure handling and injection of externally provided sensitive data and key material, e.g. device specific key containers, trust anchors, master keys, software images, configuration data, etc.
Local production availability: Optional PKS enables low-latency and high-availability plant operations.
Centralized governance & control: Central orchestration of global production sites with plant-based and tester-based authorization.

Digital signing

Digital signing ensures that only authentic software / configurations can be deployed on devices / ECUs / vehicles / fleets.

HSM-based signing key generation and protection
Signing keys are generated inside HSM and stored protected with FIPS 140-2 certified HSMs. Private keys remain non-exportable and protected against unauthorized access.
CMS (PKCS#7) on roadmap
Signing with CMS format (RFC 5652) planned to ensure interoperability with existing development, flashing, and OTA systems.
Signing of hash values
Signing of pre-calculated hash prevents uploading of sensitive customer data to the KMS.
Optional encryption of firmware
Enables confidentiality protection of firmware packages. Combined encryption and signing within a single workflow on roadmap.
Support for OTA / FOTA workflows
Designed for secure update distribution in software-defined vehicle and IoT environments.
Audit logging of signing operations
Application-level logging ensures traceability of key usage and signing activities.

Onboard & offboard communication

The build in product PKI & symmetric key management enables secure communications within and beyond systems, e.g. secure onboard communication (SecOC), cloud connectivity, charging.

Root CA, Sub-CA, and end entity certificate creation
Supports hierarchical PKI structures including mixed hierarchies aligned to OEM security architectures.
CSR processing (PKCS#10)
Standard-compliant Certificate Signing Request (CSR) handling enables integration with internal or external provisioning systems, e.g. Local Registration Authority (LRA).
Certificate revocation and CRL generation
Revocation management with automated CRL publication for lifecycle control.
Certificate renewal via CMP
Supports structured in-field certificate renewal using Certificate Management Protocol (CMP) according to RFC 4210.
Device specific symmetric keys
HSM-based derivation of pseudorandom symmetric keys from a KMS internal master key suitable for device individual cryptographic keys – helping you to master the shift to e-mobility and optimize performance.

Security Access

Ensure that only authorized users / devices (e.g., testers) get access, e.g. diagnostic (UDS 27, UDS 29), telematics.

Symmetric and asymmetric key generation
Secure key creation (derivation) inside HSM with standardized algorithms.
Password-based interface protection
Device specific creation (derivation) of password for interface lock and unlock, e.g. JTAG
MAC generation (NIST SP 800-38B)
Supports message authentication code generation, e.g. for seed-key creation in scope of Unified Diagnostic Services (UDS)
Challenge signing for unlock with asymmetric key or certificate
Support of Unified Diagnostic Services (UDS) according to ISO 14229
Authentication with PKI Certificate Exchange (APCE) and Authentication with Challenge-Response (ACR)

Data encryption

Encryption of sensitive data to prevent eavesdropping, e.g. software, firmware packages, log files, etc.

Confidentiality protection: Encrypts firmware, configuration data, and sensitive cryptographic material with AES CBC and standard AES padding (PKCS#7) to prevent unauthorized access.
HSM-based key security: Encryption keys (128/256 bit) are generated, processed, and protected inside the HSMs.
Secure key transport: Symmetric keys are securely wrapped with a device-specific public key for protected export and transfer to the target device.
Optional signing: Combined encryption with signing and CMS output to ensure authenticity and integrity with a single workflow on roadmap
Controlled access management: Fine-grained role-based access control for encryption key usage and administration.
Confidentiality protection: Encrypts firmware, configuration data, and sensitive cryptographic material with AES CBC and standard AES padding (PKCS#7) to prevent unauthorized access.
HSM-based key security: Encryption keys (128/256 bit) are generated, processed, and protected inside the HSMs.
Secure key transport: Symmetric keys are securely wrapped with a device-specific public key for protected export and transfer to the target device.
Optional signing: Combined encryption with signing and CMS output to ensure authenticity and integrity with a single workflow on roadmap
Controlled access management: Fine-grained role-based access control for encryption key usage and administration.

Secure data provisioning

End-to-End protected transport: Confidential and authenticated import of sensitive data such as trust anchors, master keys, software images or configuration data from suppliers, OEM systems, or third parties.
HSM-based storage: Sensitive material imported to the KMS is securely stored with HSM-based protection.
Secure device registration: Secured upload of initial device key material, e.g. CSR or symmetric key, to OEM systems or third parties. Issuing of initial device certificates with Local Registration Authority (LRA).
Secure injection into devices: Controlled provisioning of sensitive data ensuring confidentiality, authenticity and integrity.
Production-ready architecture: Supports centralized orchestration with optional PKS for high-availability plant operations. HSM-protected key transfer between KMS backend and PKS in production.

Key injection in production

Secure, HSM-protected key injection ensuring authenticated, device-specific provisioning across global automotive production environments.

End-to-End protected injection: Authenticated and HSM-encrypted transfer of key material from KMS backend to Production Key Server (PKS).
Device-specific key provisioning: Secure injection of unique keys and credentials per ECU or device or chip.
AUTOSAR SHE support: Secure key injection and key update compliant with AUTOSAR Secure Hardware Extension (SHE).
OEM key integration: Secure handling and injection of externally provided sensitive data and key material, e.g. device specific key containers, trust anchors, master keys, software images, configuration data, etc.
Local production availability: Optional PKS enables low-latency and high-availability plant operations.
Centralized governance & control: Central orchestration of global production sites with plant-based and tester-based authorization.

Technical features

Proven cybersecurity expertise in Key Management System (KMS) reducing complexity and overall cost.The ETAS Key Management System provides enterprise-grade cryptographic infrastructure for software-defined vehicles (SDV), secure production environments, and global fleet operations. Built for OEMs and Tier-1 suppliers, it combines comprehensive PKI, secure key injection, HSM-based protection, and scalable deployment models aligned with ISO 21434 and UNECE R155.

X.509 PKI & certificate lifecycle management

Full X.509 certificate lifecycle management: Creation and management of Root CA, Sub-CA, and device certificates.
Secure key generation in HSM: Asymmetric key pairs generated and protected inside FIPS 140 certified Hardware Security Modules (HSM).
Certificate issuance & CSR handling: Supports CSR-based certificate enrollment and secure CA import.
Certificate profiles & policy control: Flexible definition of certificate attributes, validity, extensions, and usage rules.
Revocation & status management: CRL management with roadmap support for OCSP.
Automated certificate renewal (CMP): Secure certificate renewal for devices in production and field.
Fine-Grained access control (RBAC): Role-based and object-level permissions for CA keys and cryptographic material.

Signing & encryption

HSM-protected signer keys: Private keys generated and securely stored by HSM protection
Hardware-based key generation: Highest quality for random number generation within HSM.
Data signing & encryption: Digital signatures and data encryption performed inside the HSM.
Integrity & authenticity assurance with KMS: Enables trusted software deployment and secure digital access.

Symmetric keys & device credential management

Device-Specific key creation: Secure generation of individual symmetric keys and passwords by derivation from a KMS internal master key.
Master key derivation: Efficient derivation of device keys from protected master keys inside HSM. Deterministic re-creation, e.g. for repair, diagnostics, return analysis, etc.
HSM-Protected master keys: Secure creation, import, and storage of master keys inside certified HSMs.
Secure key injection support: Enables protected provisioning and lifecycle updates of symmetric keys.
Message authentication (MAC): Supports secure authentication for digital access.

Production key server (PKS) for secure key injection

Secure implementation of cryptographic material during production
HSM-backed generation and storage of key material in production
End-of-line security operations and validation
OEM certificate provisioning and key distribution
Encrypted and authenticated transport of key material between backend and plant
Operation independent of connectivity to the cloud or backend
Local redundancy in customer controlled plant infrastructure
Secure randomness seeding and key generation
Integration into production lines and test systems
Support for multiple plants in star-topology architecture
Centralized enterprise-wide key governance via KMS backend

Supported cryptographic algorithms

Modern asymmetric algorithms: Supports RSA and ECC with usual key lengths for certificates, signing, and secure communication. PQC roadmap with ensured readiness.
Symmetric algorithms– Supports AES (128 / 192 / 256 bit)
Hash functions – SHA-2 family (224 / 256 / 384 / 512 bit) for integrity protection and secure data signing.
Signing & encryption mechanisms – RSA-based signing and encryption and ECDSA signing. AES-based encryption and MAC creation.
Legacy compatibility – Supports older algorithms for long-lifecycle automotive devices.

Identity & access management

Single Sign-On Integration – Seamless connection to customer Identity Providers (OIDC / OAuth 2.0) with enforced Multi-Factor Authentication (MFA / 2FA).
Secure Machine Authentication – Certificate-based mutual TLS (mTLS) for automated systems and production environments.
End-to-End TLS Protection – All user and machine communication secured via encrypted and authenticated channels.
Role-Based & Fine-Grained Authorization – RBAC combined with object-level permissions for cryptographic material.
Audit logging - secure logging of all sensitive operations with long-term storage
Production Access Control – PKS controlled key access per plant, production line, or tester.
Field Authentication – Certificate renewal and revocation handling for field devices.
Hardened SaaS Operations – Enforced MFA, audited access restricted to selected ETAS administrators, critical operations by two administrators, regular security testing, continuous vulnerability & security monitoring

Secure integration & APIs

Dedicated private tenant: Each customer gets a separate tenant with strong separation of data, keys, and access control.
REST, SOAP & CMP interfaces: Simple to use APIs for certificate management, signing, key provisioning, and automation.
Web-based management GUI: Intuitive interface for certificate, key, and permission administration
Secure-by-design interfaces: All APIs protected by TLS (including mTLS) with strong authentication.
Production integration: Local plant APIs with PKS for high-performance, high availability, and secure key operations.
Standards-compliant formats: Supports common industry formats (CSR, CRL, CMP, signed/encrypted data).
Usage transparency: Built-in statistics and management insights via GUI and API.

Flexible deployment models

SaaS or on-premise deployment – Operate as fully managed ETAS SaaS or within your own infrastructure.
Private tenant architecture – Dedicated customer environment with strict separation of data, keys, and access control.
Always latest version – Continuous updates with new features, bug fixes and security fixes included.
Optional production key server (PKS) – Local plant deployment for high availability and low latency.
Centralized global orchestration – Manage multiple plants and third-party systems from one backend.
Shared responsibility model – Clear operational ownership for SaaS and on-premise setups.
Seamless integration – Web UI and APIs with support for Single Sign-On (OIDC-compatible IdP).