
Entrust nShield 5c
Deliver cryptographic key services to applications with Entrust crypto-agile, highly scalable, next-generation hardware security modules (HSMs).

Entrust nShield 5c HSM
nShield 5c HSMs are security appliances that deliver cryptographic services to applications across the network, in the cloud, and in hybrid environments. The hardened, tamper-resistant, FIPS 140-3 level 3 certified* platforms perform such functions as encryption, digital signing, and key generation and protection. With their comprehensive capabilities, flexible hybrid deployments, quantum crypto-agility, and 100% compatibility with existing nShield HSM deployments and APIs, these HSMs can support an extensive range of applications, including certificate authorities, code signing, and more.
*FIPS 140-3 Validated, Certificate #4745
High-performance, scalable HSMs that save you time and money
The new nShield 5c models offer enterprises a reduction in total cost of ownership, eliminating costly repeat trips to the data center and reducing the overhead of managing and configuring HSM estates. Features include:
- Centralized, remote visualization and management console supporting HSM administration and Security World management
- A serial console supporting provider/tenant deployment models through strong role separation, delineating tasks such as changing network settings from controlling cryptographic actions
- Remote presentation of physical tokens to authorize administration tasks and cryptographic key usage
- Seamless interoperation with all other variants and versions of the nShield HSM family
These features reduce the demands on highly specialized and trained resources, provide enterprises with efficiency gains, and ensure control over the HSMs resides in the hands of the security professionals.
nShield 5c Benefits
Powerful Architecture
Build and grow your HSM estate using Security World, Entrust's unified ecosystem that delivers scalability, load balancing, seamless failover, and disaster recovery.
Faster Data Processing
Get some of the highest cryptographic transaction rates in the industry. Ideal for environments where throughput is critical.
Protection of sensitive business and application logic
Execute code within nShield boundaries, protecting your applications and the data they process.
Tech Specs
Certified Hardware Solutions
Entrust nShield HSMs have earned a broad set of certifications. These certifications help our customers to demonstrate compliance while also helping to give them the assurance that they meet stringent industry standards.
Security Compliance
- FIPS 140-3 Level 3
- eIDAS and Common Criteria EAL4 + AVA_VAN.5 and ALC_FLR.2 certification against EN 419 221-5 Protection Profile, under the Dutch NSCIB scheme
- Can form the basis of an EN 419 241-2 certified remote signing system for eIDAS
- Compliant with BSI AIS 31 for true and deterministic random number generation
Safety and Environmental Standards Compliance
- UL, CE, FCC, UKCA, RCM, Canada ICES, RoHS, WEEE, REACH
High Transaction Rates
nShield HSMs boast high elliptic curve cryptography (ECC) and RSA transaction rates.
nShield 5c Models | Base | Mid | High |
---|---|---|---|
RSA signing performance (tps) for NIST recommended key lengths | |||
2048 bit | 670 | 3,949 | 13,614 |
4096 bit | 135 | 814 | 2,200 |
8192 bit | 19 | 115 | 309 |
ECC prime curve signing performance (tps) for NIST recommended key lengths | |||
256 bit | 2,085 | 7,553 | 21,826 |
521 bit | 1,010 | 5,977 | 16,164 |
Key generation (keys/sec) | |||
RSA 2048 bit | 7 | 20 | 23 |
ECDSA P-256 bit | 1,040 | 3,580 | 3,494 |
ECDSA P-521 bit | 518 | 2,480 | 2,724 |
Key agreement performance (transactions/sec) | |||
ECDH P-256 bit | 2,085 | 7,550 | 21,436 |
Client licenses | |||
Included | 3 | 3 | 3 |
Maximum | 10 | 20 | unlimited1 |
1Requires enterprise client license.
Supported Cryptographic Algorithms
- Full NIST Suite B implementation
- Asymmetric algorithms: RSA, Diffie-Hellman, ECMQV, DSA, El- Gamal, KCDSA, ECDSA (including NIST, Brainpool & secp256k1 curves), ECDH, Edwards (Ed25519, Ed25519ph)
- Symmetric algorithms: AES, AES-GCM, Arcfour, ARIA, Camellia, MD5 HMAC, RIPEMD160 HMAC, SEED, SHA-1 HMAC, SHA-224 HMAC, SHA-256 HMAC, SHA-384 HMAC, SHA-512 HMAC, Tiger HMAC, 3DES
- Hash/message digest: MD5, SHA-1, SHA-2 (224, 256, 384, 512 bit), HAS-160, RIPEMD160, SHA-3 (224, 256, 384, 512 bit)
- Elliptic Curve Key Agreement (ECKA) available via Java API and nCore APIs
- Elliptic Curve Integrated Encryption Scheme (ECIES) available via Java API, PKCS#11, and nCore APIs
- TUAK & MILENAGE algorithm support for mutual authentication and key generation (3GPP)
- NIST short-listed post-quantum cryptographic algorithms supported using the nShield Post Quantum SDK with CodeSafe
nShield HSMs offer support for the majority of these cryptographic algorithms as part of the standard feature set. For organizations wishing to use South Korean algorithms, optional activation licenses are needed.
Supported Platforms
Windows and Linux operating systems including distributions from Red Hat, SUSE, and major cloud service providers running as virtual machines or in containers.
Reliability
Calculated at 25°C operating temperature using Telcordia SR-332 “Reliability Prediction Procedure for Electronic Equipment" MTBF Standard
- nShield 5c HSM: 107,845 hours
Options and Accessories
Performance Ratings and Options
To meet the performance needs of your application, Entrust provides a variety of nShield 5c models as shown in the Technical Specifications tab. You can select among the performance models shown, and can also purchase in-field upgrades on nShield 5 HSM models from lower performance models to higher models.
Client Licenses
nShield 5c HSMs ship with three client licenses, each allowing a connection to an IP address. Additional licenses are available for purchase. The maximum number of client licenses supported varies by nShield 5c model as shown in the table below.
Max # client licenses per nShield 5c Model
- Base: 10 licenses
- Mid: 20 licenses
- High: Unlimited*
Note* requires Enterprise Client License activation
Software Options Pack
Entrust offer a range of software option packs which can be used in conjunction with your nShield HSMs.
nShield Monitoring
The nShield HSM monitoring platform enables operations teams to gain 24/7 visibility into the status of all their nShield HSMs, including those residing across distributed data centers. With this solution, security teams can efficiently inspect HSMs and find out immediately if any potential security, configuration, or utilization issue may compromise their mission-critical infrastructure.
Remote Administration Kits
nShield Remote Administration lets operators manage distributed nShield HSMs—including adding applications, upgrading firmware, checking status, re-booting and more—from their office locations, reducing travel and saving money. Remote Administration Kits contain the hardware and software needed to set up and use the tool.
Cloud Disaster Recovery
Increase redundancy and reliability of on-premises deployments.
- Subscription-based service
- Adds off-site HSM resources
- Convenient and cost-effective
CodeSafe
CodeSafe is a powerful, secure environment that lets you execute applications within the secure boundaries of nShield HSMs. Applications include cryptography and high value business logic associated with banking, smart metering, authentication agents, digital signature agents and custom encryption processes. CodeSafe is available with FIPS Level 3 certified nShield HSMs
CipherTools
The CipherTools is a set of tutorials, reference documentation, sample programs and additional libraries. With this toolkit, developers can take full advantage of the advanced integration capabilities of nShield HSMs. In addition to offering support for standard APIs, the toolkit enables you to run custom applications with nShield HSMs. CipherTools Developer Toolkit is included free of charge in the standard Security World software ISO/DVD.
KCDSA Activation
With the KCDSA activation license, you can use the Korean Certificate-based Digital Signature Algorithm (KCSDA) as well as HAS-160, SEED, and ARIA algorithms on nShield HSMs.
Slide Rails
Entrust offers optional slide rails that let users mount nShield 5c in a 19" rack without a shelf. Entrust recommends that customers use these slide rails exclusively as parts from other manufacturers may not be compatible.
Keyboard
Many functions of nShield 5c HSMs can easily be executed using the touch wheel at the front of the unit. Entrust offers an optional USB keyboard for even greater ease of use.
Field Replaceable Parts
nShield 5c features parts that operators can replace in the field, with minimal downtime. These parts include dual, hot-swap power supplies and field-replaceable fan tray (requires nShield 5c to be put into standby).
Frequently Asked Questions
What Is FIPS Compliance?
Maintained by the National Institute of Standards and Technology (NIST), Federal Information Processing Standard (FIPS) 140 is a set of security requirements for hardware security modules, encryption algorithms, and digital signatures. A FIPS HSM is a specialized cryptographic module that has certified FIPS compliance. With this certificate, the device can securely perform the following functions:
- Encryption and decryption
- Digital signature generation and verification
- Key management and storage
- Certificate management
nShield 5c HSMs are FIPS 140-3 compliant, meaning they adhere to stringent cryptographic and physical security protocols to protect sensitive information and key material.
What is the nShield 5c HSM?
The nShield 5c is a high-assurance cryptographic module. As a hardware device, it can perform a wide range of cryptographic operations, including key generation, storage, and management. The nShield 5c offers robust logical and physical security, tamper resistance, and compliance with standards like FIPS 140-3, ensuring it can protect sensitive data and meet your strict security requirements.
How Can I Use a FIPS HSM?
nShield HSMs deliver high-assurance data security and cryptographic protection for a broad range of use cases, including:
- Cloud computing and container security
- Key management
- Digital signing
- Code signing
- Public key infrastructure and certificate management
- Identity authentication
- Payment security
- Encryption, database security, and tokenization
- Privileged access and secrets management
Related Products

Related Resources
Learn more about how a FIPS HSM like the nShield 5c can help protect your most mission-critical operations.