Own the keys, not the HSM

nShield as a Service is a subscription-based solution for generating, accessing, and protecting cryptographic key material, separately from sensitive data, using dedicated FIPS 140-2 Level 3 certified nShield Connect HSMs. The solution delivers the same functionality as on-premises HSMs and the benefits of a cloud service deployment, without the need to host and maintain the appliances.

Ready for migration or a mixed approach

Because nShield as a Service benefits from the same unique Security World architecture as on-prem nShield deployments, you can easily migrate your cryptographic operations from on-prem to the cloud or use a hybrid approach, mixing both cloud-based and on-prem nShield HSMs.

Simplify your migration

Looking for a pain free migration without the hassle? The Entrust Cloud Concierge service delivers a seamless transition from your on-premises nShield HSM estate to nShield as a Service. Our Professional Services team will work with you to plan and execute the smooth migration of your existing keys, clients, and applications.

Beyond Security

nShield as a Service Benefits

mapmarker icon white


Regional datacenters facilitate geo-fencing to meet cloud data security and data sovereignty mandates.

cloud icon

Crypto Security + Cloud Strategy

Advance your cloud-centric strategies with FIPS 140-2 Level 3 protection for your business-critical apps and data.


Maintain Full Control of Your Keys

Supports multi-cloud/hybrid deployments with the same consistent toolset. Flexibility to migrate workloads on premises or to another CSP.

laptop mobile icon

Secure Code Execution

The CodeSafe secure execution capability provides on-demand access to your organization's secure, sensitive code protected inside the HSM.

Choose the service and level that’s right for you

Basic, Standard, Premium or Enterprise as Self Managed or Fully Managed to meet your needs.

  • Service Options
  • Service Level


Signatures/sec (2K RSA)
Number of HSM Instances
High-Availability - Multi Geo location
Committed SLA
Number of Application Integrations
Fully Managed Option


1 x HSM


2 x HSM


2 x HSM


2 x HSM

Service Features

Access to dedicated nShield Connect hardware hosted in secure datacenter
Use nShield Remote Administration kit to securely connect to and interact with your hosted nShield HSM(s)
Maintenance & Support
Service monitoring
Pre-tested upgrades/patches applied during annual or emergency maintenance
24/7 Support
Full management of Security World installation by Entrust
Security Officer role fulfilled by trusted Entrust personnel
Policy and process development under ISO 27001 compliant policies & procedures
Security World creation
HSM enrollment
Signing ceremonies
Firmware upgrades, completed with customer consent

Self Managed


Fully Managed


    Tech Specs


    • IPsec tunnel w/ pre-shared keys
    • Between customer Cloud IP space(s) and dedicated, managed nShield HSM environment
    • Transparent to client hosts
    • Takes entire path out of control scope

    Certified Hardware Solutions

    nShield as a Service is built with nShield Connect HSMs, which help our customers to demonstrate compliance while also giving them the assurance that their HSMs meet stringent industry standards.

    nShield Features

    nShield as a Service delivers the same features as on-premises nShield HSMs, including CodeSafe, Web Services Option Pack, Container Option Pack and Database Option Pack.

    Security Compliance:

    • FIPS 140-2 Level 3
    • Common Criteria Certification against EN 419 221-5 Cryptographic Module for Trust Services

    Safety and Environmental Standards Compliance:

    • UL, CE, FCC, RCM, Canada ICES
    • RoHS2, WEEE

    Data Center Certifications

    Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR) - Level 1

    data center certification company logos

    Wide Support for APIs, Cryptographic Algorithms and Platforms

    Supported APIs

    • PKCS#11, OpenSSL, Java (JCE), Microsoft CAPI/CNG and Web Services

    Supported Cryptographic Algorithms

    • Asymmetric public key algorithms: RSA, Diffie-Hellman, ECMQV, DSA, KCDSA, ECDSA, ECDH, Edwards (X25519, Ed25519ph), Secp256k1,
    • Symmetric algorithms: AES, AES-GCM, ARIA, Camellia, CAST, RIPEMD160 HMAC, SEED, Triple DES
    • Hash/message digest: SHA-1, SHA-2 (224, 256, 384, 512 bit), HAS-160
    • Full Suite B implementation with fully licensed ECC including Brainpool and custom curves

    nShield HSMs offers support for the majority of these cryptographic algorithms as part of the standard feature set. For organizations wishing to use ECC or South Korean algorithms, optional activation licenses are needed.

    Supported Platforms

    Microsoft Windows and Linux operating systems including distributions from RedHat, SUSE, and major cloud service providers running as virtual machines or in containers.

    Deployment Options

    nShield as a Service is available in a range of options to meet the needs of your organization. For price sensitive customers a self-managed single HSM instantiation is available in the customer’s preferred location. Standard, Premium and Enterprise customers can specify preferred HSM locations to meet their operational, DR and data sovereignty needs while choosing the optimum performance and price point.

    Self-Managed and Fully-Managed Features

    Customer has remote access to dedicated nShield Connect hardware hosted in secure data centers

    The nShield Remote Administration kit lets you securely connect to and interact with your cloud-based nShield HSM(s)

    Maintenance & Support

    • Service monitoring
    • Pre-tested upgrades/patches applied during annual or emergency maintenance windows
    • 24/7 support

    Features Exclusive to Fully-Managed Service

    Full Management of installation

    Security Officer role fulfilled by trusted Entrust personnel

    • Security World creation
    • HSM enrollment
    • Signing ceremonies

    Policy and process development

    Under ISO 27001 compliant policies & procedures

    All operational staff BS7858 cleared (non-US data centers only)

    Firmware upgrades, completed with customer consent

    What our customers are saying...

    Square logo
    Verifone logo
    Memjet logo
    Polycom logo


    We have a long history together and we’re extremely comfortable continuing to rely on Entrust solutions for the core of our business. We have used Entrust HSMs for five years and they have always been exceptionally reliable. We’ve layered a lot of code on top of the HSM; it delivers the performance we need and has proven to be a rock-solid foundation.

    Neal Harris, Security Engineering Manager, Square, Inc


    As a global payment solutions and commerce enablement leader, Verifone’s strategy is to develop and deploy “best in class” payment solutions and services that meet or exceed global security standards and help our clients securely accept electronic payments across all channels of commerce. We selected Entrust HSMs to provide robust security, unmatched performance, and superior scalability across our payment security platforms…

    Joe Majka, Chief Security Officer, Verifone


    The Entrust nShield sales team provided excellent local and remote support during this evaluation period and was invaluable to the process. The excellent depth, breadth, and quality of the product documentation gave us confidence that the solution was well though-out and supported.

    Robert Fairlie-Cuninghame, QAI Technical Lead/Architect, Memjet


    Entrust provided the expertise needed to design and implement a tailored, secure VoIP solution.

    Marek Dutkiewicz, Polycom

    👋 Hello, if you have any
    questions, I'm ready to chat.

    Chat Now