Selecting hardware security modules (HSMs) is a critical step in any cybersecurity journey. But not every HSM on the market is built to optimize and grow alongside your organization. Entrust nShield HSMs are hardened, tamper-resistant devices that protect your company’s most sensitive data. Our FIPS 140-3 Level 3 and Common Criteria certified modules perform essential cryptographic functions such as generating, managing, and protecting encryption and signing keys. In addition to standard functions you may find in other HSMs, our fleet of HSMs offers unmatched capabilities that put us on another level.

Backups made easy

Optimized performance

Proven solution

Scalability

Flexibility

Future-proof HSMs

Our distinct functions benefit organizations of all sizes, in all industries, requiring cryptographic functionality for nearly any application. These advantages include:

  1. Unlimited Scalability

    Entrust’s unique Security World architecture provides support for unlimited key storage, unlike some alternative HSMs, while being less cumbersome to deploy. Using the Entrust Security World architecture, organizations can centrally manage all the nShield HSMs they have in their environment. Whether they’re running two or many nShield HSMs, teams can establish unified policy and operational administration. Security World offers rapid scalability by migrating the master key to the new nShield HSM, making it easy to add HSMs to an existing group. This allows an organization to boost performance, expand load balancing and failover, or increase key processing capacity.

  2. Field-Upgradable, Optimized Performance

    Entrust nShield HSMs allow customers to unlock increased performance easily. The nShield 5 HSM models are up to 40% faster than previous versions, supporting the accelerating demand from applications requiring the highest levels of data security.

  3. Custom API

    For optimal fine-grained control when integrating with nShield HSMs, the native nCore API offers several advantages over the popular PKCS#11 API, particularly in terms of handling parallel requests and managing a large number of keys more efficiently. The nCore API is designed to provide a more streamlined and efficient interface for interacting with nShield HSMs, obtaining the maximum capabilities of each cryptographic device type.

  4. Flexibility

    Entrust Security World equips teams with the flexibility they need to align their HSM operations with their organization’s specific environment, operational approaches, and security needs. Depending on their requirements, security teams can manage key authorization in a manual or fully automated fashion. For example, in transactional environments, operations can be pre-authorized and performed on demand, while highly sensitive tasks can require the manual intervention of multiple administrators.

  5. Future-Proof HSMs

    Crypto-agility, the capability of organizations to seamlessly adopt new, emerging encryption methods, has never been more important. The first wave of post-quantum cryptographic algorithms has been standardized, and additional algorithms continue to be introduced. We already know of NIST’s plan to deprecate classical algorithms such as RSA and ECDSA by 2030 and disallow them by 2035.

    Our nShield 5 HSMs offer crypto-agility out of the box with their security processor, a field-programmable gate array (FPGA) that can be readily reprogrammed via firmware updates in the field. This reduces costly and time-consuming hardware refreshes and increases resilience against quantum computers that may compromise the encryption techniques we rely on today. As we prepare for the coming challenge of quantum computers, HSMs are essential to the security and trust of IT systems, the cloud, and the internet. Entrust nShield HSMs are also designed for multi-tenancy (future update) and are field-upgradable via a simple firmware update.

  6. Backups Made Easy

    We recognize the increasing importance of simplified, automated backup and recovery. Some HSMs on the market require backup HSMs and manual, labor-intensive HSM cloning efforts. Our Security World architecture enables simple, automated backups of HSM files. With Security World, teams can back up HSM files using existing file management processes, and they can securely manage keys in the more convenient application layer, rather than the HSM layer.

  7. High Assurance HSMs

    By achieving FIPS 140-3 Level 3 validation, Entrust becomes one of the few vendors that can meet the very stringent data security requirements of governments, financial institutions, and enterprises globally. The nShield 5 HSMs have also achieved Common Criteria EAL4+ certification, meeting the latest industry standards for HSMs to comply with the European Union’s strict eIDAS requirements. Together with the FIPS 140-3 certification, the Entrust nShield 5 HSMs are positioned to meet organizations’ increasing need for global regulatory compliance support.

  8. Proven Solution

    Entrust nShield HSMs have been market leaders for over 25 years with over 100,000 units shipped. Our HSMs continually innovate and evolve to solve market problems and support emerging industry trends. Combined with world-class 24/7 support, the nShield HSM can support nearly any business application.

  9. Over 150 Entrust nShield HSM Alliance Partner Integrations

    Entrust nShield HSMs provide high assurance security for a broad range of common use cases, such as PKI, privileged access management, database security, and code signing. With more than 150 alliance partners and validated partner integrations available to support a wide range of applications, our hardware security modules are uniquely built to mitigate risk and secure your critical business applications across multiple use cases.

  10. CodeSafe

    Entrust CodeSafe software is an innovative, powerful capability that enables application code to run within the protected confines of a tamper-resistant nShield HSM without compromising the nShield HSM's FIPS or Common Criteria certification, unlike offerings from other HSM vendors. This capability protects security-sensitive cryptographic processes or proprietary business logic from the otherwise threatened application server environments and creates a trusted space within the HSM alongside associated key material. For example, when sensitive credit card numbers need to be obfuscated to meet payment card compliance requirements, proprietary cryptographic techniques like format preserving encryption (FPE) are used. To protect this sensitive business logic, it is run inside the FIPS physical boundary of the HSM, adding an extra layer of assurance.

  11. Entrust HSM as a Service

    Entrust offers a range of flexible HSM deployment models to support your unique environment and applications. Our Entrust HSMaaS solution, nShield as a Service, is a subscription-based solution for generating, accessing, and protecting cryptographic key material separately from sensitive data. This delivers the same functionality as on-premises HSMs and the benefits of a cloud service deployment, without the need to host and maintain the appliances. While customers using nShield as a Service access dedicated HSM hardware in a secure data center, other cloud-based HSM offerings may not provide dedicated hardware. This same solution can be deployed as a disaster recovery solution and is supported by Entrust’s world-class, 24/7 customer support team.

  12. Remote Configuration & Management Capability

    nShield HSMs often run in physically secure, lights-out data centers in locations far from the people who manage them. nShield Remote Administration lets you manage your HSMs – including adding applications, upgrading firmware, and checking status – wherever and whenever you choose. This means less travel to data centers, helping you cut costs and optimize your resources.

    Remote Administration lets you perform the vast majority of typical HSM functions including:

    • Configuring new nShield HSMs
    • Creating new nShield Security Worlds - Entrust’s unique key management architecture - and enrolling new HSMs into existing Security Worlds
    • Upgrading firmware and image files for maintenance and feature updates
    • Monitoring and changing HSM status and rebooting as required

    Each nShield HSM and remote smart card is uniquely warranted by a key injected at the point of manufacture, meaning the trust between these two components can be readily established. Unlike some other vendors, no pairing ceremony is required between Entrust HSMs and remote devices prior to deployment.

  13. nShield Software Option Packs

    Entrust nShield Software Option Packs are easy to set up and deploy, delivering everything you need to integrate high assurance nShield HSMs into your preferred environment. The following Software Option Packs are available for nShield HSMs:

    • Web Services: Cloud-friendly, REST-like interface for high assurance nShield HSMs
    • Containerized Applications: Containerized applications integrated with high-assurance FIPS certified nShield HSMs
    • Time Stamping: Secure, accurate time stamping ensures the integrity and traceability of digital records, code signing, transactions, logs, and more
    • Cloud Integration: BYOK functionality to use your nShield HSMs to generate, store, and manage the keys you count on to secure your sensitive cloud-hosted applications
    • Database Security: Integrate with Microsoft SQL Server using Microsoft’s Extensible Key Management (EKM) API

  14. Seamless Integration With KeyControl

    Entrust nShield HSMs seamlessly integrate with Entrust KeyControl, our robust key lifecycle management system. Built with a decentralized vault-based architecture, KeyControl provides centralized visibility and compliance management, helping to ensure key management practices align with stringent regulatory and corporate requirements. Keys and secrets are geo-located and managed in accordance with data sovereignty mandates.

Looking to learn more? Our HSM experts are ready to talk.

Entrust nShield HSMs can help secure your business-critical information and applications on your own premises, in the cloud, or in hybrid environments. They are built to scale and optimize alongside your organization – no matter how your cybersecurity needs adapt. 

If your organization is ready to choose flexible, future-proof HSMs that are on another level, speak to one of our Entrust nShield HSM experts today.
