
Web Services

Cloud-friendly, REST-like interface for high assurance nShield HSMs.


Containerized Applications

Containerized applications integrated with high assurance FIPS certified nShield HSMs.


Time Stamping

Secure, accurate time stamping ensures the integrity and traceability of digital records, code signing, transactions, logs, and more.


Cloud Integration

Use your nShield HSMs to generate, store, and manage the keys you count on to secure your sensitive cloud-hosted applications.


Database Security

Integrate with Microsoft SQL Server using Microsoft’s Extensible Key Management (EKM) API.


Post-Quantum

Enable post-quantum cryptographic applications for nShield HSMs.


Web Services Option Pack (WSOP)

 

The nShield WSOP provides a REST-like API between applications requiring cryptographic key and data protection services and FIPS-certified nShield HSMs. nShield HSMs perform a variety of cryptographic functions, including encryption, signing, random number generation, and key generation.

Benefits include:

  • Cryptographic Services Access
  • Streamlined Development Process
  • No Client-Side Integration
  • Enabled Load Balancing

Web Services Option Pack

Tech Specs

nShield Compatibility

  • Compatible with all current nShield models 
  • Must be installed onto a host running a supported version of the Linux OS, Windows Server, or Windows OS, and have the nShield Security World software installed 
  • Supports Operator Card Set & Softcard protected keys 
  • Compatible with the nShield Container Option Pack, allowing WSOP instantiations to be containerized

API Compatibility

  • nShield HSMs can support applications using the Web Services API alongside applications using other supported APIs (e.g., PKCS#11, Java, CNG, etc.)

nShield Container Option Pack (nCOP)

 

Containerized applications can be hard to integrate with high assurance hardware security modules. When the time from staging to production is critical, you need a proven deployment model and scripts that reduce the overall development cycle. nCOP simplifies the process of building HSM support into containerized solutions and provides a template deployment model without the worry of HSM integration.

Benefits include:

  • Seamless Integration
  • High Assurance Protection
  • Flexible Deployment

nShield Container Option Pack

Tech Specs

Operating System Support

  • Linux distributions only

Supported HSMs

  • Compatible with nShield Connect XC and nShield 5c HSMs
  • Compatible with nShield as a Service for cloud-hosted HSM deployments

Scalability and Licensing

  • nCOP has no enforced limitation on the number of hardserver or application containers, and can work with any number of container hosts (physical or virtualized server instances)
  • When used alongside nShield Connect XC or nShield 5c, client licenses will be required depending on the scale of deployment. The option pack includes a multiplier for calculating the number of client licenses required based on the maximum number of running application containers to be deployed. Refer to the guidelines below for the number of client licenses required for different sized deployments

Compatibility

  • Certified integration with Red Hat OpenShift container platform

Licensing Options

| Client Licenses per HSM | Maximum Container Hosts | Maximum Application Containers |
|---|---|---|
| 5 | 5 | 50 |
| 10 | 10 | 100 |
| 15 | 15 | 150 |
| 20 | 20 | 200 |
| >25 | >25 | >250 (see Note 1) |

Note 1: Recommend purchase of enterprise client license

 

nShield Time Stamping Option Pack

 

Digital time stamping is integral to an organization’s ability to verify data and code integrity, generate audit trails, and enforce non-repudiation for electronic signatures. Entrust delivers a secure, high assurance time-stamping solution protected by nShield Solo XC HSMs. This time stamping solution automates records processing and supports a diverse array of applications.

Benefits include:

  • Maximum Trust and Confidence
  • Increased Efficiency
  • Application Support

Time Stamping Option Pack

Tech Specs

Time Stamping API

  • We offer a software API that enables developers to build applications requesting time stamps from a server equipped with nShield Solo XC HSM and the Time Stamping Option Pack

Compatibility

  • Compatible with Microsoft Windows servers

Centralized Time Source

  • Depending on customer requirements, the Time Stamping Option Pack can generate time stamps based on a centralized time source or the UTC (Coordinated Universal Time) standard

nShield Cloud Integration Option Pack (CIOP)

 

The nShield CIOP allows cloud service users to generate keys in their own environment and export them for use in the cloud. Users can be confident that their keys have been generated securely using a strong entropy source, and that long-term storage of their keys is protected by a FIPS-certified HSM. Supported cloud services include Amazon Web Services (AWS), Google Compute Engine, Microsoft Azure, and Salesforce.

Benefits include:

  • Secure Cloud Integration
  • Key Availability Control
  • Cloud Provider of Your Choice

Cloud Integration Option Pack

Tech Specs

Compatibility and Requirements

  • Supported on all current nShield HSM models 
  • Azure BYOK: Requires nShield Security World Software v12.60 and firmware v12.60 or later 
  • AWS and Google Compute Engine: Requires nShield Security World software v12.40 or later 
  • Salesforce: Requires nShield Security World software v12.70 and firmware v12.70 or later

Platform Support

This release has been tested for compatibility on a range of platforms, including: 

  • Microsoft Windows 11 x64 
  • Microsoft Windows Server 2022 x64
  • Microsoft Windows Server 2022 Core x64 
  • Red Hat Enterprise Linux 8 x64
  • Red Hat Enterprise Linux 9 x64
  • Oracle Enterprise Linux 8 x64

nShield Database Security Option Pack

 

The nShield Database Security Option Pack enables seamless integration of nShield HSMs with Microsoft SQL Server. Encrypting data in your database protects it, but the encryption keys used to unlock the data must also be protected. Using an HSM safeguards encryption keys by storing them separately from the data on a secure, trusted platform.

Benefits include:

  • Hardware Key Protection
  • User and Role Enforcement
  • Tighter Key Control
  • Flexible Encryption Support

Database Security Option Pack

Tech Specs

SQL EKM Provider Capability

  • The SQL EKM provider has been tested to support the Enterprise Editions of Microsoft SQL Server 2019, Microsoft SQL Server 2017, and Microsoft SQL Server 2016

Supported Platforms

  • Microsoft Windows Server: 2019 R2 Standard (64-bit configuration) and 2016 (64-bit configuration)

Supported Security World Software and nShield HSMs

  • The Database Security Option Pack for SQL Server is fully compatible with v12.40.2 or higher of the Security World Software and all current PCIe and network-attached HSMs

Supported Types of Database Encryption

From a security perspective, Microsoft SQL Server supports the use of cryptographic keys to protect its databases. These encryption keys can be used to perform two levels of encryption: 

  • Transparent Data Encryption (TDE): Encrypts entire databases without changing existing queries or applications. When SQL Server loads a TDE-encrypted database into memory from disk storage, it automatically decrypts it. This enables clients to query the database within the server environment without manual decryption. The database is re-encrypted when saved to disk storage. When using TDE, data is unprotected by encryption while in memory, and TDE supports one encryption key per database at a time.
  • Cell-Level Encryption (CLE): Requires specifying data and encryption key(s) for encryption. CLE uses one or more keys to encrypt individual cells or columns, enabling fine-grained access policies for sensitive database data. Only specified data is encrypted: other data remains unencrypted. This minimizes exposure in database servers and client applications. CLE can also be applied to tables encrypted with TDE. Note: CLE data is decrypted in memory as needed, and different encryption keys can encrypt separate data within the same table.

Supported Deployment Configurations

  • Stand-alone service 
  • Database failover clusters using either nShield Solo or nShield Connect

nShield Post-Quantum Option Pack

 

The nShield Post-Quantum Option Pack leverages the Entrust CodeSafe SDK and the liboqs open source library to provide quantum-resistant cryptographic algorithms to customers.

Benefits include:

  • Implement PQ Cryptography in an HSM
  • Ensure PQ Readiness
  • Compatible with nShield HSMs
  • Get Future-Ready Experience

Post-Quantum Option Pack

Getting Started

Requirements

  • FIPS Level 3 nShield HSM 
  • CodeSafe developer toolkit 
  • CodeSafe activation license

Learn more about CodeSafe.