Encryption can be a powerful cybersecurity instrument. But unleashing the full power of encryption requires many encryption keys, which must be tracked and changed. Current cybersecurity products are not up to this task, impeding the effective implementation of encryption.

As part of a United States Air Force contract, Semper Fortis Solutions validated a new approach to key management based on the Key Management Interoperability Protocol (KMIP). Fornetix was established to mature the approach, and Key Orchestration is the mature capability: it enables agile, dynamic key management that works with existing encryption devices.

Key Orchestration centralizes the management of all keys and certificates and provides encryption policy enforcement at a granular level that is not delivered by traditional Key Management Systems (KMS). This reduces the attack surface in the event of a security breach and prohibits lateral movement.

Key Orchestration consists of four main components, which allow an organization to manage all encryption keys across all devices and servers throughout its enterprise: on premises, in the cloud, on IoT devices, at rest, or in motion.

1. The Key Orchestration Appliance (KOA), which comes in two models (KOA-1000 and KOA-2000), provides key management administration that is compliant with KMIP and is configured to operate using the customer organization’s policies for key management.
2. The Key Orchestration Client is installed on a server or device and can push or pull keys generated by KOA or any other KMIP-compliant server.
3. The Key Orchestration Agent is used to manage keys on devices that are not compliant with KMIP and on which the KO™ client therefore cannot be installed.
4. The Key Orchestration API can be used to build custom applications or clients that can communicate with the KO Appliance.

Key Orchestration includes a standard capability to integrate Hardware Security Modules (HSMs) using PKCS#11; this provides for additional security and allows an organization to continue to use existing HSMs for storage of their cryptographic keys.