Buy a token for qualified electronic signature

A token for QES is a hardware device for securely storing the key of a qualified electronic signature. In Ukraine, the term EDS was used more often in the past, but today the term QES — qualified electronic signature — is used for a legally significant electronic signature.

A hardware token replaces the usual file-based key that many people store on a computer, USB flash drive or in the cloud. Inside the token, the key is created and stored in a protected environment, while signing operations are performed with the participation of the device itself. It is a convenient tool for individual entrepreneurs, accountants, directors, lawyers and companies that regularly work with electronic documents, tax reporting or government services.

Why you need a hardware token

The main purpose of a token is to securely store the electronic signature key and use it to sign documents, reports and actions in online services. QES is used where it is important to confirm the identity of the signer and the legal significance of an action: when submitting reports, signing contracts, working with banks, state registers and electronic document management systems.

For business, a hardware token is especially useful. QES is used to sign tax and financial reports, acts, contracts, documents for participation in public procurement and other actions where an electronic signature of a director, accountant or authorized employee is required.

For individuals, a token can also be useful if they need to regularly use government online services, sign documents, work with Diia, the tax service, notarial or other services that support QES.

Why a token is more reliable than a file-based key

A file-based QES key is a file that can be stored on a computer, USB flash drive, in the cloud or on another storage device. This format is convenient, but it has a weak point: the file can be accidentally copied, sent, lost or saved in an unsafe place. If the computer is infected with malware, an attacker may try to access the key file and its password.

A hardware token reduces this risk. The private key is stored inside the device and is not used as a regular file that can simply be copied through a file manager. Signing operations are performed through the token, and the external program receives the signature result, not the private key itself.

Additionally, the token is protected by a PIN code. After several incorrect entry attempts, the device may be locked, which makes access guessing more difficult. If the token is lost or there is a suspicion that access to it may have been compromised, the QES certificate can be revoked through a qualified trust service provider and a new one can be issued.

Which services a token works with

QES tokens are used with Ukrainian government, banking, accounting and commercial services that support qualified electronic signatures. These may include the taxpayer’s electronic cabinet, Diia, Diia.Business, Prozorro, state registers, services for registering companies, individual entrepreneurs and other legally significant actions.

For document management and accounting, tokens are used with M.E.Doc, Vchasno, SOTA, iFin and other popular systems. Banks for legal entities may also use QES to confirm payments and work with client-bank systems.

Before buying, it is important to check which type of token is supported by your service, bank, certification authority or document management system. In most cases, modern tokens work with Windows, macOS and Linux, but compatibility should always be checked in advance for your specific use case.

How to choose a token for QES

When choosing a token, you should consider compatibility with your certification authority, operating system and the services where you plan to use the signature. For accounting, tax reporting, document management and banking operations, it is important that the token is properly supported by the required software.

It is also worth paying attention to the casing. Plastic models are usually cheaper and suitable for occasional use. A metal casing handles daily work, frequent connection to a computer, carrying in a bag and active office use better.

If the token is purchased for a company, it is better to understand in advance how many employees will sign documents, what roles they will have in the system and how many separate keys will be required. Each signer usually needs a separate key and a separate certificate.

Buy a token in Ukraine

The Lwallet catalog includes SecureToken hardware tokens for qualified electronic signatures. There are models in plastic and metal casings — you can choose an option for occasional use or for daily work with documents and reports.

If you are not sure which model suits your needs, we will help you figure it out and choose a token for your scenario: individual entrepreneur, accounting, company, document management, client-bank system or work with government services.

We have a showroom in Lviv where you can see the devices in person and ask a manager your questions. Self-pickup is available for Kyiv. We deliver across Ukraine and internationally.

You can place an order on the website, by phone or through a chat with a manager.