Treasury Keys: Which Secure QES Carrier to Choose in 2026
Every year, accountants at budget-funded institutions, local government employees, state-owned enterprises, and municipal organizations search for information about Treasury keys. However, different users may mean very different things by this term: an electronic signature, a key file, a USB token, or even the software required to work with the Treasury’s online services.
In practice, there is no separate type of electronic signature officially known as a “Treasury key.” To work with the online services of the State Treasury Service of Ukraine, users need a qualified electronic signature (QES), with its private key stored on a secure cryptographic carrier.
This article explains which type of carrier is suitable for such work, who needs it, what should be checked before purchase, and whether modern CYBKEY tokens can be used by public-sector organizations.
What Is Usually Meant by “Treasury Keys”?
The term “Treasury keys” is widely used in everyday professional communication, although it is not entirely accurate from a technical point of view.
It usually refers to one or more of the following:
- the private key of a qualified electronic signature;
- an electronic signature certificate;
- a secure USB token;
- the carrier on which the private key is stored;
- a set of tools used to work with electronic documents.
All these elements form part of the QES infrastructure. A qualified electronic signature allows the system to verify the signer’s identity, sign electronic documents, submit financial reports, access government information systems, and use public online services.
Who Needs Treasury Keys?
Secure cryptographic carriers are used by most public-sector organizations that rely on electronic document management and interact with the State Treasury Service of Ukraine.
They are most commonly required by:
- accounting departments of budget-funded institutions;
- local government authorities;
- educational institutions;
- healthcare institutions;
- state-owned enterprises;
- military units;
- municipal enterprises;
- other organizations that use Treasury online services.
For these institutions, an electronic signature is no longer an occasional technical tool. It is used every day to sign payment documents, contracts, reports, acceptance certificates, and other records submitted or exchanged electronically.
Why an Ordinary USB Flash Drive Is Not Enough
Private keys were once commonly stored as files on standard USB flash drives. This approach was simple and familiar, but it had a serious weakness: the key file could be copied, transferred to another computer, or used by an unauthorized person.
A secure cryptographic carrier works differently. The private key is generated and stored inside the device. Electronic signature operations are also performed within the carrier, so the private key is not transferred to the computer and cannot be copied like an ordinary file.
This approach significantly improves information security and gives an organization greater control over how electronic signatures are used.
Which Carrier Is Suitable for Working with the Treasury?
When choosing a carrier, organizations should consider more than its manufacturer or physical appearance. The first step is to confirm that the specific model meets the requirements of the selected qualified trust service provider and is supported by the software used within the institution.
A suitable QES carrier should:
- support Ukrainian cryptographic algorithms;
- work with the required software systems;
- support the creation and use of qualified electronic signatures;
- provide secure storage for the private key;
- have the documents required to confirm compliance with applicable requirements.
This is why specialized cryptographic tokens, rather than ordinary USB flash drives, are used for electronic signatures in the public sector.
You can learn more about secure electronic signature solutions on the Qualified Electronic Signature page.
Can CYBKEY Tokens Be Used with Treasury Services?
This is one of the most common questions asked by accountants and employees responsible for electronic document management.
CYBKEY tokens are designed to store electronic signature private keys securely and perform cryptographic operations without allowing the key to be copied from the device.
Whether a particular model can be used with Treasury services should be confirmed based on its current certification status, the requirements of the organization’s qualified trust service provider, and compatibility with the software used by the institution. As CYBKEY token certification is being finalized, purchasers should verify the current status of the selected device before deployment.
Once compliance and compatibility have been confirmed, the token can be used to generate or store a QES private key, protect it against copying, and sign electronic documents securely.
Smart Lab specialists can help verify the current specifications of a device, recommend a suitable model, and provide guidance on installation and configuration.
Which Tokens Are Commonly Used?
Several secure cryptographic carriers are available on the Ukrainian market. Well-known solutions include:
- SecureToken;
- Almaz-1K;
- CYBKEY;
- other secure carriers that meet the applicable requirements.
The brand itself should not be the main selection criterion. It is more important to confirm that the specific model has the required status, supports current cryptographic libraries, and is compatible with the qualified trust service provider that issues the organization’s QES.
Compatibility with the operating system, browser, drivers, and software applications used in the institution should also be checked before purchase. This prevents situations in which a carrier formally meets general requirements but cannot be used in a particular working environment.
How to Obtain Keys for Working with the Treasury
The preparation process usually consists of several consecutive steps:
- Determine the requirements of the institution and its software.
- Select a compatible secure cryptographic carrier.
- Purchase the token from a supplier.
- Contact a qualified trust service provider.
- Create or renew the qualified electronic signature.
- Generate or store the private key on the secure carrier.
- Install the required drivers and cryptographic software.
- Test the electronic signature in the system used by the institution.
For a detailed explanation of the process, see our guide “How to Get a QES in Ukraine in 2026”. It covers the main stages, from preparing the required documents to creating and using an electronic signature.
Common Mistakes
Problems with qualified electronic signatures are often caused not by the technology itself, but by an unsuitable carrier, compatibility issues, or failure to follow basic security practices.
Using an Ordinary Flash Drive Instead of a Secure Token
A standard USB drive can only store a file. It does not prevent the private key from being copied and does not perform cryptographic operations inside the device.
Purchasing a Carrier Without Checking Compatibility
Before buying a token, make sure that the specific model is supported by your qualified trust service provider and by the software you use. Otherwise, you may encounter problems when generating a key, signing in to the system, or signing documents.
Using a Certificate That Has Expired
A secure carrier can normally be used more than once, but a QES certificate has a limited validity period. When it expires, the electronic signature must be renewed in time to avoid interruptions in work.
Giving the Token to Another Employee
A private key should be used only by its owner. Giving another person both the token and its PIN creates a risk of unauthorized document signing and makes it difficult to determine responsibility for completed operations.
Failing to Prepare for Device Loss or Lockout
The private key itself cannot be copied from a secure token. However, the organization should retain information about the certificates, the carrier supplier, installed software, and the procedure to follow if the device is lost, damaged, or blocked.
Why a Secure Carrier Is an Investment in Security
For most public-sector organizations, an electronic signature is an essential part of daily operations. Losing access to a private key, compromising it, or being unable to sign an urgent document can cause downtime as well as financial and legal consequences.
A secure cryptographic carrier is therefore not merely a formal requirement. It is an important component of the institution’s information security system.
A cryptographic token helps an organization to:
- store the private key securely;
- prevent the key from being copied;
- control physical access to the signing device;
- work more securely with government information systems;
- continue using the carrier after a scheduled certificate renewal, where permitted by its specifications and the rules of the trust service provider.
For institutions that actively use electronic document management, a secure carrier is one of the simplest ways to improve protection without significantly changing established working processes.
Conclusion
The term “Treasury keys” has become common in the professional environment, although in practice it refers to a qualified electronic signature and the secure cryptographic carrier on which its private key is stored.
Organizations that use the online services of the State Treasury Service of Ukraine should choose not simply a USB device, but a cryptographic token with the required status and confirmed compatibility with their qualified trust service provider and working software.
The correct choice will ensure reliable document signing and provide appropriate protection for the private key throughout everyday use.
Need a Token for Working with Treasury Services?
Smart Lab will help you select a secure QES carrier for a public institution, local authority, municipal enterprise, or business. We will check its compatibility with your software and provide guidance on configuration and secure use.
