03 — Product · ATM Keygen

Hundreds of ATMs, a single ceremony, zero manual transcription.

ATM Keygen automates the TDES key-generation ceremony for entire ATM fleets on Thales payShield 10k HSM — printing numbered Sobreflex envelopes and exporting the signed log, without cryptographic material ever appearing on screen.

Reference specification
TDES · KCV
Batch generation of symmetric keys on payShield 10k, with per-envelope verifiable KCV.
Platform: Embedded device · hardened Linux
Disk encryption: Full disk encryption
Network: Air-gapped · no external interfaces
HSM: Thales payShield 10k
Printer: Dot-matrix · continuous form
Export: CSV
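The specification above promises a verifiable KCV on every envelope. The block below is an added example, not ATM Keygen or Thales code: it computes the TDES Key Check Value the way payment HSMs conventionally do (encrypt one all-zero block, keep the first three bytes), enforces the odd-parity convention of DES keys, and shows why parity has to be restored after XOR-combining custodian components. The component-XOR scheme is a general industry convention assumed here, not something the page describes, and the sample keys are published DES test vectors, not real material.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"math/bits"
)

// Added example, not ATM Keygen or Thales code: the TDES Key Check Value (KCV)
// as payment HSMs conventionally compute it, plus the parity handling around it.

// hasOddParity reports whether every byte of a DES key has odd parity, the
// convention DES keys are expected to follow.
func hasOddParity(key []byte) bool {
	for _, b := range key {
		if bits.OnesCount8(b)%2 == 0 {
			return false
		}
	}
	return true
}

// fixParity flips the low (parity) bit of every even-parity byte. Only parity
// bits change, so the 56 effective bits of each DES key are untouched.
func fixParity(key []byte) []byte {
	out := make([]byte, len(key))
	for i, b := range key {
		if bits.OnesCount8(b)%2 == 0 {
			b ^= 0x01
		}
		out[i] = b
	}
	return out
}

// expandTDESKey returns the 24-byte form crypto/des expects. A double-length
// (16-byte) key reuses K1 as K3, the standard two-key TDES construction.
func expandTDESKey(key []byte) ([]byte, error) {
	switch len(key) {
	case 16:
		return append(append([]byte{}, key...), key[:8]...), nil
	case 24:
		return append([]byte{}, key...), nil
	default:
		return nil, errors.New("TDES key must be 16 or 24 bytes")
	}
}

// KCV returns the 6-hex-digit check value: the first 3 bytes of the TDES
// encryption of one all-zero block. Printed beside the key, it lets the
// receiving party confirm the key was entered correctly without exposing it.
func KCV(key []byte) (string, error) {
	if !hasOddParity(key) {
		return "", errors.New("key has a parity error")
	}
	full, err := expandTDESKey(key)
	if err != nil {
		return "", err
	}
	block, err := des.NewTripleDESCipher(full)
	if err != nil {
		return "", err
	}
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, make([]byte, des.BlockSize))
	return fmt.Sprintf("%X", out[:3]), nil
}

// CombineComponents XORs custodian components of equal length into the final
// key and restores odd parity (XOR of two odd-parity bytes is even). This is
// the conventional component scheme, assumed here; the page does not describe
// the HSM's internal assembly.
func CombineComponents(components ...[]byte) ([]byte, error) {
	if len(components) < 2 {
		return nil, errors.New("at least two components are required")
	}
	key := make([]byte, len(components[0]))
	for _, c := range components {
		if len(c) != len(key) {
			return nil, errors.New("components must have equal length")
		}
		for i := range key {
			key[i] ^= c[i]
		}
	}
	return fixParity(key), nil
}

func main() {
	a, _ := hex.DecodeString("0123456789ABCDEF0123456789ABCDEF") // published DES test key
	b, _ := hex.DecodeString("FEDCBA9876543210FEDCBA9876543210") // constructed second component
	key, _ := CombineComponents(a, b)
	kcvA, _ := KCV(a)
	kcvKey, err := KCV(key)
	fmt.Println("component A KCV:", kcvA, " combined KCV:", kcvKey, err)
}
```

The KCV reveals nothing useful about the key (three bytes of a ciphertext), which is what makes it safe to print on the envelope next to the material it checks; a parity error, by contrast, is reported before any KCV is computed so a mistyped component is caught at entry rather than at first use.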
The problem

Transcribing keys by hand is a risk the industry shouldn’t be paying for anymore.

Key-generation ceremonies are critical security processes that have historically been run by hand. ATM Keygen removes that flow — without giving up control, chain of custody or auditable evidence.

Before · manual ceremony

Hours, spreadsheets, faith.

  • 01 Operators transcribe cryptographic components by hand, one by one.
  • 02 Each ATM consumes minutes of human attention with no signed traceability.
  • 03 Transcription errors are caught late — or not at all.
  • 04 Ceremony evidence lives in Excel sheets and manual logs.
With ATM Keygen

Minutes, envelopes, evidence.

  • The operator authenticates with two factors and lets the HSM do the work.
  • Hundreds of ATMs are processed in a single auditable ceremony.
  • Every key prints onto a numbered Sobreflex envelope, never going through the screen.
  • The log is signed with SHA-256 and exported to the IronKey USB.
Interface

A deliberately minimal TUI.

On an embedded device running hardened Linux: no network, no mouse, no distractions. The interface is designed so an operator follows the exact ceremony script and does nothing else.

· Screen 1 — dual authentication
ATM KEYGEN · AUTHENTICATION · step 1 of 7
v0.9.4-rc
Operator
op.ana_______________
Credential · 1
●●●●●●●●●●●●●●●●_____
Credential · 2
●●●●●●●●●●●●_________
NOTICE Credentials are fully masked. On failure, the system does not reveal which one was wrong.
ENTER CONFIRM · TAB NEXT FIELD · ESC EXIT
LMK NOT AUTHORIZED ○
· Screen 5 — batch generation
ATM KEYGEN · CEREMONY IN PROGRESS · 14:32:08 UTC
v0.9.4-rc · build 1142
Institution
BANCO REGIONAL CO · ABA 0223087
Ceremony
CER-2026-0418-014
Custodians
M. RESTREPO · R. CARDOZO
Operators
op.ana · op.luis
GENERATING TDES KEYS
ATM 00142████████████████████████████████████████OK
ATM 00143████████████████████████████████████████OK
ATM 00144████████████████████████████████████████OK
ATM 00145████████████████████████████████████████OK
ATM 00146█████████████████████████████░░░░░░░░░░░
ATM 00147░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░PENDING
ATM 00148░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░PENDING
Progress
████████████████████░░░░░░░░░░░░░░░░░░░░142 / 287
Failed
0
Envelopes printed
141 · series SOB-CO-026-04XXXXX
F1 HELP · F2 PAUSE · F5 PRINT · F10 CANCEL
LMK AUTHORIZED ●
Zero pointers
100% keyboard navigation. Shortcuts shown in the status bar.
Zero material on screen
Cryptograms, KCV and components are never rendered; they go straight to the printer.
Errors without leaks
If authentication fails, the system does not reveal which factor was wrong.
Ceremony flow

Seven steps. A single shift.

The flow is linear by design: each screen unlocks the next only if the previous one closed without errors. No alternative paths, no shortcuts.

01

Dual authentication

The operator completes a dual authentication, with both factors masked.

login
02

Institution data

ABA and the financial institution’s name are bound to the ceremony.

IF · ABA
03

Custodian registry

Custodians identified for the ceremony, with card-based authorization on the HSM.

custodians · HSM
04

Parameters and ATM list

Key type selection and upload of the ATM ID list. Automatic deduplication.

TDES · ATM IDs
05

Batch generation

Component generation and cryptogram assembly inside the HSM. Progress indicator and retry of failed runs.

HSM · batch
06

Secure printing

One Sobreflex envelope per successful ATM. The envelope serial is bound to the ATM ID.

Sobreflex
07

Export + close-out

CSV exported to USB and verified with SHA-256. Close-out only if the checklist is complete.

IronKey · SHA-256
Pillars

Four design decisions that make all the difference.

01

Dual authentication with masking

Login with dual authentication: two independent factors, both fully masked. Error messages never reveal which one was wrong, eliminating the most obvious side-channel.
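As an added example of the pillar above (not ATM Keygen's own code), the block below implements a dual-factor check whose only failure mode is one generic error: both factors are always compared, in constant time, and an unknown operator ID is checked against a dummy record so that neither the message nor the timing indicates which factor, or which part of the login, was wrong. The operator table, credentials and field widths are constructed sample data; a deployment would store factors under a slow password hash rather than the bare SHA-256 used here for brevity.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// Added example, not ATM Keygen code: a dual-factor check whose only failure
// mode is one generic error, so neither the message nor the timing says which
// factor (or whether the operator ID) was wrong.

// ErrAuth is the single error every failed login returns.
var ErrAuth = errors.New("authentication failed")

// operatorRecord stores SHA-256 digests of both factors. Constructed sample
// data; a deployment would use a slow password hash (e.g. Argon2), not a
// bare digest.
type operatorRecord struct {
	factor1, factor2 [sha256.Size]byte
}

func digest(s string) [sha256.Size]byte { return sha256.Sum256([]byte(s)) }

// Constructed operator table, plus a dummy record used for unknown IDs so the
// same two comparisons run whether or not the operator exists.
var (
	operators = map[string]operatorRecord{
		"op.ana":  {digest("ana-factor-1"), digest("ana-factor-2")},
		"op.luis": {digest("luis-factor-1"), digest("luis-factor-2")},
	}
	dummy = operatorRecord{digest("dummy-1"), digest("dummy-2")}
)

// Authenticate always evaluates both factors in constant time and never
// returns before both comparisons have run.
func Authenticate(operator, factor1, factor2 string) error {
	rec, known := operators[operator]
	knownBit := 0
	if !known {
		rec = dummy
	} else {
		knownBit = 1
	}
	d1, d2 := digest(factor1), digest(factor2)
	ok1 := subtle.ConstantTimeCompare(d1[:], rec.factor1[:])
	ok2 := subtle.ConstantTimeCompare(d2[:], rec.factor2[:])
	if ok1&ok2&knownBit == 1 {
		return nil
	}
	return ErrAuth // same error for wrong factor 1, wrong factor 2, unknown ID
}

// MaskField renders a credential field the way the TUI on the page does:
// one ● per typed character, underscores for the unused width.
func MaskField(typed, width int) string {
	if typed > width {
		typed = width
	}
	return strings.Repeat("●", typed) + strings.Repeat("_", width-typed)
}

func main() {
	fmt.Println(MaskField(12, 21))
	fmt.Println(Authenticate("op.ana", "ana-factor-1", "wrong"))
	fmt.Println(Authenticate("nobody", "ana-factor-1", "ana-factor-2"))
}
```

The point to notice is structural: there is no early return between the two comparisons and no separate "unknown operator" branch that skips them, so the three failure cases are indistinguishable from the caller's side.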

02

payShield 10k HSM integration

LMK status check, authorization via custodian card insertion, component generation and cryptogram assembly — all orchestrated from the interface.

03

Printing without on-screen rendering

Cryptograms, KCVs and components are not shown in the TUI. They print directly on numbered Sobreflex envelopes, and each envelope serial is bound to its ATM ID in the record.

04

Audit with no secrets in the clear

Each session produces an audit log with timestamp, actor, action and result — without storing components, keys or cryptographic material in the clear. The log is signed with SHA-256.

Operating environment

A single box, no network, encrypted down to the disk.

ATM Keygen runs on a dedicated embedded device, on customer premises. No network, no shared screen, no general-purpose software — the device’s only function is to run the ceremony.

01

Dedicated embedded device

A single piece of hardware, physically isolated, installed on customer premises. No shared use, no software outside the ceremony.

embedded · on-site
02

Air-gap by default

No network interfaces enabled. The only I/O surfaces are the HSM reader, the printer and the USB port dedicated to encrypted export.

no Wi-Fi · no Ethernet
03

Full disk encryption

Full cold-disk encryption. Without the passphrase, a powered-off device is a brick — no recoverable residue from previous ceremonies.

FDE · no residue
04

Dot-matrix printer

Continuous form, no networked buffer. Each envelope prints with a control serial and is bound to an ATM ID in the closing CSV.

continuous · control serial
Audit and close-out

Every action is recorded. No secret leaves the HSM.

The audit log captures timestamp, actor, action and result of every step — never storing components, keys or KCV in the clear. The session only closes when the full checklist is validated.

Time     | Actor   | Event               | Detail                                       | R
14:02:11 | op.ana  | AUTH.LOGIN_OK       | dual authentication completed                | OK
14:02:48 | op.luis | AUTH.LOGIN_OK       | dual authentication completed                | OK
14:03:22 | op.ana  | CEREMONY.INIT       | CER-2026-0418-014 · BANCO REGIONAL CO        | OK
14:04:07 | op.ana  | CUSTODIAN.AUTH      | M. RESTREPO · HSM card 1/2                   | OK
14:04:31 | op.luis | CUSTODIAN.AUTH      | R. CARDOZO · HSM card 2/2                    | OK
14:04:33 | system  | HSM.LMK_AUTHORIZED  | payShield 10k · LMK state = authorized       | OK
14:06:18 | op.ana  | BATCH.START         | 287 ATM IDs loaded · 0 duplicates            | OK
14:28:54 | system  | BATCH.KEY_GENERATED | ATM 00141 · envelope SOB-CO-026-04XXX139     | OK
14:29:02 | system  | BATCH.KEY_GENERATED | ATM 00142 · envelope SOB-CO-026-04XXX140     | OK
14:29:11 | system  | PRINT.ENVELOPE_OK   | envelope 141 printed · dot-matrix            | OK
audit.log · SHA-256 9c41a8…7e2f3d
· Close-out checklist
The device only allows shutdown if every item is green. There is no way to skip this step from the TUI.
  • LMK deauthorized
    The payShield 10k HSM is taken out of authorized mode before anything else.
  • Signed log
    Audit log closed and signed with SHA-256. Hash printed on the ceremony’s last envelope.
  • CSV exported
    File sent to the IronKey USB and verified with SHA-256 before unmounting.
  • Envelopes reconciled
    Number of printed envelopes = number of processed ATMs. Any mismatch blocks close-out.
  • Operators acknowledge
    Double on-screen confirmation. No operator can close alone.
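The log table and checklist above describe three mechanisms: a log whose Detail column carries identifiers but never key material, a CSV export whose SHA-256 is checked after the copy to USB, and a close-out that stays blocked until every item is green. The block below is an added example, not ATM Keygen code, that models those three mechanisms together; the entries, envelope serials and operator IDs are constructed sample data shaped like the page's, and the digest is a plain SHA-256 over the serialized log (the page's term is a signed log).

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/csv"
	"encoding/hex"
	"fmt"
	"strings"
)

// Added example, not ATM Keygen code: the audit log digest, the CSV export
// verified with SHA-256 and the close-out checklist described on the page.
// All records are constructed sample data.

// AuditEntry mirrors the five log columns on the page. Detail carries
// identifiers only (ATM ID, envelope serial), never keys, components or KCVs.
type AuditEntry struct {
	Time, Actor, Event, Detail, Result string
}

// LogDigest serializes the closed log one entry per line and returns its hex
// SHA-256, the value the page prints on the ceremony's last envelope.
func LogDigest(entries []AuditEntry) string {
	var b strings.Builder
	for _, e := range entries {
		fmt.Fprintf(&b, "%s\t%s\t%s\t%s\t%s\n", e.Time, e.Actor, e.Event, e.Detail, e.Result)
	}
	sum := sha256.Sum256([]byte(b.String()))
	return hex.EncodeToString(sum[:])
}

// Envelope binds one ATM ID to the control serial of its printed envelope.
type Envelope struct{ ATMID, Serial string }

// ExportCSV builds the close-out CSV and returns the bytes together with
// their hex SHA-256, computed before the file leaves the device.
func ExportCSV(envs []Envelope) ([]byte, string, error) {
	records := [][]string{{"atm_id", "envelope_serial"}}
	for _, e := range envs {
		records = append(records, []string{e.ATMID, e.Serial})
	}
	var buf bytes.Buffer
	if err := csv.NewWriter(&buf).WriteAll(records); err != nil { // WriteAll flushes
		return nil, "", err
	}
	sum := sha256.Sum256(buf.Bytes())
	return buf.Bytes(), hex.EncodeToString(sum[:]), nil
}

// VerifyExport re-hashes the copy read back from the USB device and compares
// it with the digest computed before the copy; a mismatch blocks close-out.
func VerifyExport(copyOnUSB []byte, expectedHex string) bool {
	sum := sha256.Sum256(copyOnUSB)
	return hex.EncodeToString(sum[:]) == expectedHex
}

// Checklist holds the state behind the five close-out items on the page.
type Checklist struct {
	LMKDeauthorized  bool
	LogDigest        string
	CSVVerified      bool
	EnvelopesPrinted int
	ATMsProcessed    int
	OperatorAcks     []string // operator IDs that confirmed on screen
}

// Blockers returns the checklist items that are not green. Shutdown is
// allowed only when the result is empty.
func Blockers(c Checklist) []string {
	distinct := map[string]bool{}
	for _, op := range c.OperatorAcks {
		distinct[op] = true
	}
	checks := []struct {
		ok   bool
		item string
	}{
		{c.LMKDeauthorized, "LMK deauthorized"},
		{c.LogDigest != "", "Signed log"},
		{c.CSVVerified, "CSV exported"},
		{c.EnvelopesPrinted == c.ATMsProcessed, "Envelopes reconciled"},
		{len(distinct) >= 2, "Operators acknowledge"}, // no operator closes alone
	}
	var out []string
	for _, ch := range checks {
		if !ch.ok {
			out = append(out, ch.item)
		}
	}
	return out
}

func main() {
	entries := []AuditEntry{{"14:02:11", "op.ana", "AUTH.LOGIN_OK", "dual authentication completed", "OK"}}
	envs := []Envelope{{"00142", "SOB-CO-026-04XXX140"}, {"00143", "SOB-CO-026-04XXX141"}}
	data, sum, _ := ExportCSV(envs)
	c := Checklist{true, LogDigest(entries), VerifyExport(data, sum), len(envs), 2, []string{"op.ana", "op.luis"}}
	fmt.Println("blockers:", Blockers(c))
}
```

Two details carry the security value: the reconciliation compares a count taken from the printer path with a count taken from the HSM path, so a dropped or duplicated envelope surfaces as a blocked close-out rather than a silent gap in the record, and the operator acknowledgement counts distinct IDs, so the same operator confirming twice does not satisfy the two-person rule. A plain digest detects alteration of the exported files; binding it to a key held outside the device (an HMAC or a signature) is what would additionally stop someone from recomputing it, which is a design choice the page does not specify.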
Let’s talk

Is your next ceremony still done by hand?

We coordinate a live demo on a lab payShield 10k. In 45 minutes you see the full ceremony, the printed envelopes and the signed CSV at close-out.

· Capabilities at a glance
Batch generation: Yes · one ceremony, hundreds of ATMs
Remote rotation: No · ATM Keygen does not load or rotate keys on the ATM
Material on screen: Never · everything goes straight to the printer
Audit log: SHA-256 signed · no secrets in the clear
Supported HSM: Thales payShield 10k
Export: CSV to USB · SHA-256 verified