nShield HSMs

The Entrust nShield HSMs address the critical challenge of securing cryptographic keys and processes in highly sensitive environments, such as those requiring FIPS 140-2 Level 3 and Common Criteria EAL4+ compliance. These hardware security modules are designed as tamper-resistant platforms, ensuring the secure generation, protection, and management of cryptographic keys.

Technically, the nShield HSMs leverage the unique Security World architecture, which allows for flexible scalability, seamless failover, and load balancing by combining different nShield HSM models. This architecture supports a wide range of cryptographic algorithms, including RSA, ECDSA, and AES, with high transaction rates – for example, up to 7,700 AES 256-bit key generations per second and 1,050 ECDSA P-256 bit signatures per second.

Operationally, the KeySafe 5 utility provides central management, configuration, and monitoring of the HSM estate through an intuitive web-based UI and RESTful APIs. This simplifies the administration of HSMs, especially in hybrid environments where both on-premise and cloud-based deployments are used. The nShield as a Service option further enhances flexibility by offering subscription-based access to dedicated HSMs in the cloud, facilitating easy migration and hybrid deployment strategies.

Key operational considerations include the need for careful planning in mixed deployment scenarios to ensure integration and failover. The use of CodeSafe software allows developers to execute sensitive applications within the secure boundary of the HSM, adding an extra layer of protection. However, this requires careful management of resources and potential performance impacts, especially when scaling to large, distributed environments.