LEGIC Orbit
LEGIC's HSM-backed key management service. Generates "never-visible" random keys inside LEGIC HSMs — the keys never leave the HSM in plaintext form. Recommended by LEGIC over customer-supplied master keys.
Combined with LEGIC's installed base of secure-module-based access reader/lock hardware, Orbit lets wallet-credential encryption keys reach access hardware without ever appearing in plaintext outside an HSM. Required for encryption key rotation: rotation is supported only when Orbit is the key management path.
Orbit is co-located with both LEGIC's Apple-side service (Apple Credential Provider & Orbit Service) and Google-side service (Google Access Hub & Orbit Service) — the same Orbit backend serves both wallet platforms. The keyset is configured once at project onboarding (step 2 of both the Apple and Google provisioning flows) and applies to all credentials issued under that project.
Architecturally distinct from Wavelynx and HID: LEGIC's mobile-credential encryption keys are INDEPENDENT of physical card encryption keys. Wavelynx and HID both diversify per-credential keys from a master that's also used for physical-card encryption; LEGIC isolates the wallet key from the physical card key entirely.
What other systems call it
Per-vendor / per-standard terminology for this same concept.
| System | Term / Notes |
|---|---|
| LEGIC Orbit | |

- src/LEGIC/email-john-harvey-2026-05-13.md — Q2, Q4 — Orbit recommended path, key rotation