Entrust nShield 5c HSMs

nShield 5c HSMs are security appliances that deliver cryptographic services to applications across the network, in the cloud, and in hybrid environments. The hardened, tamper-resistant, FIPS 140-3 level 3 certified* platforms perform such functions as encryption, digital signing, and key generation and protection. With their comprehensive capabilities, flexible hybrid deployments, quantum crypto-agility, and 100% compatibility with existing nShield HSM deployments and APIs, these HSMs can support an extensive range of applications, including certificate authorities, code signing, and more.

*FIPS 140-3 Validated, Certificate #4745

High-performance, scalable HSMs that save you time and money

The new nShield 5c models offer enterprises a reduction in total cost of ownership, eliminating costly repeat trips to the data center and reducing the overhead of managing and configuring HSM estates. Features include:

  • Centralized, remote visualization and management console supporting HSM administration and Security World management
  • A serial console supporting provider/tenant deployment models through strong role separation, delineating tasks such as changing network settings from controlling cryptographic actions
  • Remote presentation of physical tokens to authorize administration tasks and cryptographic key usage
  • Seamless interoperation with all other variants and versions of the nShield HSM family

These features reduce the demands on highly specialized and trained resources, provide enterprises with efficiency gains, and ensure control over the HSMs resides in the hands of the security professionals.

Next-Generation HSMs

nShield 5c Benefits

Powerful Architecture

Build and grow your HSM estate using Security World, Entrust's unified ecosystem that delivers scalability, load balancing, seamless failover, and disaster recovery.

Faster Data Processing

Get some of the highest cryptographic transaction rates in the industry. Ideal for environments where throughput is critical.

Protection of sensitive business and application logic

Execute code within nShield boundaries, protecting your applications and the data they process.

Tech Specs

Certified Hardware Solutions

Entrust nShield HSMs have earned a broad set of certifications. These certifications help our customers to demonstrate compliance while also helping to give them the assurance that they meet stringent industry standards.

Security Compliance

  • FIPS 140-3 Level 3 
  • eIDAS and Common Criteria EAL4 + AVA_VAN.5 and ALC_FLR.2 certification against EN 419 221-5 Protection Profile, under the Dutch NSCIB scheme 
    • Can form the basis of an EN 419 241-2 certified remote signing system for eIDAS
    • Compliant with BSI AIS 31 for true and deterministic random number generation

Safety and Environmental Standards Compliance

  • UL, CE, FCC, UKCA, RCM, Canada ICES, RoHS, WEEE, REACH

High Transaction Rates

nShield HSMs boast high elliptic curve cryptography (ECC) and RSA transaction rates.

| nShield 5c Models | Base | Mid | High |
|---|---|---|---|
| RSA signing performance (tps) for NIST recommended key lengths | | | |
| 2048 bit | 670 | 3,949 | 13,614 |
| 4096 bit | 135 | 814 | 2,200 |
| 8192 bit | 19 | 115 | 309 |
| ECC prime curve signing performance (tps) for NIST recommended key lengths | | | |
| 256 bit | 2,085 | 7,553 | 21,826 |
| 521 bit | 1,010 | 5,977 | 16,164 |
| Key generation (keys/sec) | | | |
| RSA 2048 bit | 7 | 20 | 23 |
| ECDSA P-256 bit | 1,040 | 3,580 | 3,494 |
| ECDSA P-521 bit | 518 | 2,480 | 2,724 |
| Key agreement performance (transactions/sec) | | | |
| ECDH P-256 bit | 2,085 | 7,550 | 21,436 |
| Client licenses | | | |
| Included | 3 | 3 | 3 |
| Maximum | 10 | 20 | unlimited¹ |

¹ Requires enterprise client license.

Supported Cryptographic Algorithms

  • Full NIST Suite B implementation
  • Asymmetric algorithms: RSA, Diffie-Hellman, ECMQV, DSA, ElGamal, KCDSA, ECDSA (including NIST, Brainpool & secp256k1 curves), ECDH, Edwards (Ed25519, Ed25519ph)
  • Symmetric algorithms: AES, AES-GCM, Arcfour, ARIA, Camellia, MD5 HMAC, RIPEMD160 HMAC, SEED, SHA-1 HMAC, SHA-224 HMAC, SHA-256 HMAC, SHA-384 HMAC, SHA-512 HMAC, Tiger HMAC, 3DES
  • Hash/message digest: MD5, SHA-1, SHA-2 (224, 256, 384, 512 bit), HAS-160, RIPEMD160, SHA-3 (224, 256, 384, 512 bit)
  • Elliptic Curve Key Agreement (ECKA) available via Java API and nCore APIs
  • Elliptic Curve Integrated Encryption Scheme (ECIES) available via Java API, PKCS#11, and nCore APIs
  • TUAK & MILENAGE algorithm support for mutual authentication and key generation (3GPP)
  • NIST short-listed post-quantum cryptographic algorithms supported using the nShield Post Quantum SDK with CodeSafe

nShield HSMs offer support for the majority of these cryptographic algorithms as part of the standard feature set. For organizations wishing to use South Korean algorithms, optional activation licenses are needed.

Supported Platforms

Windows and Linux operating systems including distributions from Red Hat, SUSE, and major cloud service providers running as virtual machines or in containers.

Reliability

Calculated at 25°C operating temperature using Telcordia SR-332 “Reliability Prediction Procedure for Electronic Equipment” MTBF Standard

  • nShield 5c HSM: 107,845 hours

Options and Accessories

Performance Ratings and Options

To meet the performance needs of your application, Entrust provides a variety of nShield 5c models as shown in the Technical Specifications tab. You can select among the performance models shown, and can also purchase in-field upgrades on nShield 5 HSM models from lower performance models to higher models.

Client Licenses

nShield 5c HSMs ship with three client licenses, each allowing a connection to an IP address. Additional licenses are available for purchase. The maximum number of client licenses supported varies by nShield 5c model as shown in the table below.

Max # client licenses per nShield 5c Model

  • Base: 10 licenses
  • Mid: 20 licenses
  • High: Unlimited*

*Requires Enterprise Client License activation.

Software Options Pack

Entrust offers a range of software option packs that can be used in conjunction with your nShield HSMs.

nShield Monitor

nShield Monitor is a monitoring platform that provides 24x7 visibility into the status of nShield HSMs. With this solution, security teams can efficiently inspect HSMs and find out immediately if any potential security, configuration or utilization issue may compromise their mission-critical infrastructure.

Remote Administration Kits

nShield Remote Administration lets operators manage distributed nShield HSMs—including adding applications, upgrading firmware, checking status, rebooting and more—from their office locations, reducing travel and saving money. Remote Administration Kits contain the hardware and software needed to set up and use the tool.

Cloud Disaster Recovery

Increase redundancy and reliability of on-premises deployments.

  • Subscription-based service
  • Adds off-site HSM resources
  • Convenient and cost-effective

CodeSafe

CodeSafe is a powerful, secure environment that lets you execute applications within the secure boundaries of nShield HSMs. Applications include cryptography and high-value business logic associated with banking, smart metering, authentication agents, digital signature agents and custom encryption processes. CodeSafe is available with FIPS Level 3 certified nShield HSMs.

CipherTools

CipherTools is a set of tutorials, reference documentation, sample programs and additional libraries. With this toolkit, developers can take full advantage of the advanced integration capabilities of nShield HSMs. In addition to offering support for standard APIs, the toolkit enables you to run custom applications with nShield HSMs. CipherTools Developer Toolkit is included free of charge in the standard Security World software ISO/DVD.

KCDSA Activation

With the KCDSA activation license, you can use the Korean Certificate-based Digital Signature Algorithm (KCDSA) as well as HAS-160, SEED, and ARIA algorithms on nShield HSMs.

Slide Rails

Entrust offers optional slide rails that let users mount nShield 5c in a 19" rack without a shelf. Entrust recommends that customers use these slide rails exclusively as parts from other manufacturers may not be compatible.

Keyboard

Many functions of nShield 5c HSMs can easily be executed using the touch wheel at the front of the unit. Entrust offers an optional USB keyboard for even greater ease of use.

Field Replaceable Parts

nShield 5c features parts that operators can replace in the field, with minimal downtime. These parts include dual, hot-swap power supplies and a field-replaceable fan tray (requires nShield 5c to be put into standby).