CodeSafe
Develop and execute sensitive code within a FIPS 140-3 Level 3 certified nShield hardware security module.
Maximize application security
CodeSafe is a runtime on the Entrust nShield HSM that allows third-party developers to run their own code within the secure boundary of the module. Using the CodeSafe Developer Kit, developers write their own CodeSafe Apps, cross-compile them, and package them to run on the HSM. While on the HSM, the CodeSafe App is segregated from the actual keys loaded onto the module, including the keys the App uses. This means that CodeSafe can be used without affecting the FIPS 140 validation of the module it runs on.
Example Use Cases For CodeSafe
Secure Manufacturing/IoT
Use CodeSafe as a secure root of trust and policy engine for manufacturing equipment and IoT devices, where firmware signing, device identity, and command authorization must remain safe even in a hostile factory or edge environment.
Cryptocurrency
Run wallet logic and transaction-approval flows within CodeSafe so that private keys and signing policies for digital assets never leave a tamper resistant environment.
Tokenization
Use CodeSafe to implement the tokenization engine –PAN→token mapping, detokenization rules, and vault access – entirely inside the HSM.
Financial Services
Beyond basic key storage and protection, use CodeSafe to enforce complex financial controls – such as regulatory checks, per product rules, and conditional signing – at the cryptographic boundary.
Protecting Sensitive Business Logic
Move critical decision logic (risk checks, limits, foureyes rules, approval workflows) into a CodeSafe trusted agent so even a compromised OS or rogue admin cannot bypass it.
Emerging Cryptographic Algorithms
Use CodeSafe to implement, test, and run new or nonstandard cryptographic algorithms (for example, PQC, national algorithms, proprietary schemes) inside the HSM boundary, before or instead of native firmware support.
CodeSafe Benefits
Security-sensitive Apps Protection
CodeSafe can be used to execute any type of application within the tamper-resistant nShield HSM.
Attack and Malware Defense
Because sensitive applications execute within the HSM’s secure boundary, they are safeguarded from internal and external threats.
Strong Access Control
CodeSafe creates a strong binding between cryptographic processes and the keys they use.
Entrust nShield Post-Quantum Cryptography Option Pack
- Leverages CodeSafe developer toolkit
- Evolve your organization with emerging PQ standards and align crypto security requirements with organizational post-quantum strategy
- Use for emerging PQC algorithms not currently supported natively in nShield firmware
Tech Specs
CodeSafe encompasses two components: a developer toolkit to compile applications and prepare them to be imported into the HSMs, and a run time environment that protects the application when in use. CodeSafe not only carves out a segregated and protected space for security-sensitive applications to be executed, but it also creates a strong binding between the cryptographic processes and the keys they use.
nShield HSM Compatibility
CodeSafe is available with all FIPS 140-3 Level 3 certified PCIe nShield 5s and network-attached nShield 5c HSMs.
Operating System Support
CodeSafe development supported on Windows and RHEL Operating Systems
HSM Development Environment
CodeSafe is compatible with the following programming applications:
- C programming languages for embedded applications
- C and Java on host-server
What our customers are saying...
We have a long history together and we’re extremely comfortable continuing to rely on Entrust solutions for the core of our business. We have used Entrust HSMs for five years and they have always been exceptionally reliable. We’ve layered a lot of code on top of the HSM; it delivers the performance we need and has proven to be a rock-solid foundation.
As a global payment solutions and commerce enablement leader, Verifone’s strategy is to develop and deploy “best in class” payment solutions and services that meet or exceed global security standards and help our clients securely accept electronic payments across all channels of commerce. We selected Entrust HSMs to provide robust security, unmatched performance, and superior scalability across our payment security platforms…
The Entrust nShield sales team provided excellent local and remote support during this evaluation period and was invaluable to the process. The excellent depth, breadth, and quality of the product documentation gave us confidence that the solution was well thought-out and supported.
Entrust provided the expertise needed to design and implement a tailored, secure VoIP solution.