Software Option Packs
Entrust nShield Software Option Packs are easy to set up and deploy, delivering everything you need to integrate high assurance nShield HSMs into your preferred environment.
Web Services
Cloud-friendly, REST-like interface for high assurance nShield HSMs.
Containerized Applications
Containerized applications integrated with high assurance FIPS certified nShield HSMs.
Time Stamping
Secure, accurate time stamping ensures the integrity and traceability of digital records, code signing, transactions, logs, and more.
Cloud Integration
Use your nShield HSMs to generate, store, and manage the keys you count on to secure your sensitive cloud-hosted applications.
Database Security
Integrate with Microsoft SQL Server using Microsoft’s Extensible Key Management (EKM) API.
Post-Quantum
Enable post-quantum cryptographic applications for nShield HSMs.
Web Services Option Pack (WSOP)
The nShield WSOP provides a REST-like API between applications requiring cryptographic key and data protection services and FIPS-certified nShield HSMs. nShield HSMs perform a variety of cryptographic functions, including encryption, signing, random number generation, and key generation.
Benefits include:
Tech Specs
nShield Compatibility
- Compatible with all current nShield models
- Must be installed onto a host running a supported version of the Linux OS, Windows Server, or Windows OS, and have the nShield Security World software installed
- Supports Operator Card Set & Softcard protected keys
- Compatible with the nShield Container Option Pack, allowing WSOP instantiations to be containerized
API Compatibility
- nShield HSMs can support applications using the Web Services API alongside applications using other supported APIs (e.g., PKCS#11, Java, CNG, etc.)
nShield Container Option Pack (nCOP)
Containerized applications can be hard to integrate with high assurance hardware security modules. When the time from staging to production is critical, you need a proven deployment model and scripts that reduce the overall development cycle. nCOP simplifies the process of building HSM support into containerized solutions and provides a template deployment model without the worry of HSM integration.
Benefits include:
Tech Specs
Operating System Support
- Linux distributions only
Supported HSMs
- Compatible with nShield Connect XC and nShield 5c HSMs
- Compatible with nShield as a Service for cloud-hosted HSM deployments
Scalability and Licensing
- nCOP has no enforced limitation on the number of hardserver or application containers, and can work with any number of container hosts (physical or virtualized server instances)
- When used alongside nShield Connect XC or nShield 5c, client licenses will be required depending on the scale of deployment. The option pack includes a multiplier for calculating the number of client licenses required based on the maximum number of running application containers to be deployed. Refer to the guidelines below for the number of client licenses required for different sized deployments
Compatibility
- Certified integration with Red Hat OpenShift container platform
Licensing Options
Client Licenses per HSM | Maximum Container Hosts | Maximum Application Containers |
---|---|---|
5 | 5 | 50 |
10 | 10 | 100 |
15 | 15 | 150 |
20 | 20 | 200 |
>25 | >25 | >250 (see Note 1) |
Note 1: Recommend purchase of enterprise client license
nShield Time Stamping Option Pack
Digital time stamping is integral to an organization’s ability to verify data and code integrity, generate audit trails, and enforce non-repudiation for electronic signatures. Entrust delivers a secure, high assurance time-stamping solution protected by nShield Solo XC HSMs. This time stamping solution automates records processing and supports a diverse array of applications.
Benefits include:
Tech Specs
Time Stamping API
- We offer a software API that enables developers to build applications that request time stamps from a server equipped with an nShield Solo XC HSM and the Time Stamping Option Pack
Compatibility
- Compatible with Microsoft Windows servers
Centralized Time Source
- Depending on customer requirements, the Time Stamping Option Pack can generate time stamps based on a centralized time source or the UTC (Coordinated Universal Time) standard
nShield Cloud Integration Option Pack (CIOP)
The nShield CIOP allows cloud service users to generate keys in their own environment and export them for use in the cloud. Users can be confident that their keys have been generated securely using a strong entropy source, and that long-term storage of their keys is protected by a FIPS-certified HSM. Supported cloud services include Amazon Web Services (AWS), Google Compute Engine, Microsoft Azure, and Salesforce.
Benefits include:
Tech Specs
Compatibility and Requirements
- Supported on all current nShield HSM models
- Azure BYOK: Requires nShield Security World Software v12.60 and firmware v12.60 or later
- AWS and Google Compute Engine: Requires nShield Security World software v12.40 or later
- Salesforce: Requires nShield Security World software v12.70 and firmware v12.70 or later
Platform Support
This release has been tested for compatibility on a range of platforms, including:
- Microsoft Windows 11 x64
- Microsoft Windows Server 2022 x64
- Microsoft Windows Server 2022 Core x64
- Red Hat Enterprise Linux 8 x64
- Red Hat Enterprise Linux 9 x64
- Oracle Enterprise Linux 8 x64
nShield Database Security Option Pack
The nShield Database Security Option Pack enables seamless integration of nShield HSMs with Microsoft SQL Server. Encrypting data in your database protects it, but the encryption keys used to unlock the data must also be protected. Using an HSM safeguards encryption keys by storing them separately from the data on a secure, trusted platform.
Benefits include:
Tech Specs
SQL EKM Provider Capability
- The SQL EKM provider has been tested to support the Enterprise Editions of Microsoft SQL Server 2019, Microsoft SQL Server 2017, and Microsoft SQL Server 2016
Supported Platforms
- Microsoft Windows Server: 2019 R2 Standard (64-bit configuration) and 2016 (64-bit configuration)
Supported Security World Software and nShield HSMs
- The Database Security Option Pack for SQL Server is fully compatible with v12.40.2 or higher of the Security World Software and all current PCIe and network-attached HSMs
Supported Types of Database Encryption
From a security perspective, Microsoft SQL Server supports the use of cryptographic keys to protect its databases. These encryption keys can be used to perform two levels of encryption:
- Transparent Data Encryption (TDE): Encrypts entire databases without changing existing queries or applications. When SQL Server loads a TDE-encrypted database into memory from disk storage, it automatically decrypts it. This enables clients to query the database within the server environment without manual decryption. The database is re-encrypted when saved to disk storage. When using TDE, data is unprotected by encryption while in memory, and TDE supports one encryption key per database at a time.
- Cell-Level Encryption (CLE): Requires specifying data and encryption key(s) for encryption. CLE uses one or more keys to encrypt individual cells or columns, enabling fine-grained access policies for sensitive database data. Only specified data is encrypted: other data remains unencrypted. This minimizes exposure in database servers and client applications. CLE can also be applied to tables encrypted with TDE. Note: CLE data is decrypted in memory as needed, and different encryption keys can encrypt separate data within the same table.
Supported Deployment Configurations
- Stand-alone service
- Database failover clusters using either nShield Solo or nShield Connect
nShield Post-Quantum Option Pack
The nShield Post-Quantum Option Pack leverages the Entrust CodeSafe SDK and the liboqs open source library to provide quantum-resistant cryptographic algorithms to customers.
Benefits include:
Getting Started
Requirements
- FIPS Level 3 nShield HSM
- CodeSafe developer toolkit
- CodeSafe activation license