Entrust nShield Connect HSMs

The security of your applications depends

on where you keep your keys
HIGHLIGHTS
Comprehensive capabilities
Entrust nShield® Connect hardware security nShield Connect HSMs are tamper-resistant
modules (HSMs) are FIPS 140-2 Level 3 and platforms that support key generation
Common Criteria EAL4+ (EN 419 221-5) and strong protection when not in use,
certified appliances that deliver scalable and while providing a secure environment for
highly available cryptographic key services cryptographic functions such as encryption
across networks. and digital signing for an extensive range of
applications, such as:
• High cryptographic transaction rates
and flexible scaling • Certificate authorities

• Integrate with over 150 leading • Code signing

application provider solutions
• Custom software
• CodeSafe option for protecting
your application and business • Cloud and containerized applications
logic within the nShield HSM’s
• Web services
secure execution environment
• Remote signing
• Cloud Disaster Recovery (CDR)
option enables convenient and cost- • Blockchain
effective way to add off-site failover
cryptographic resources to increase • Database encryption
redundancy and reliability across any
nShield as a Service region

Learn more about nShield Connect HSMs at entrust.com

 nShield Connect HSMs

KEY FEATURES & BENEFITS Remote Configuration - Serial console

Highly flexible architecture version of Connect XC allows simple
installation for data center staff, and
Our unique Security World architecture lets
allows HSM and client configuration
you combine nShield HSM models to build a
without requiring physical access to the
mixed estate that delivers flexible scalability
and seamless failover and load balancing. HSM front panel and front panel settings.

nShield Monitor - Provides a single

Central management, configuration dashboard of all your nShield HSMs,
and monitoring helping you to optimize operations
The KeySafe 5 utility provides the central and increase uptime. Separate
management, configuration and monitoring data sheet available.
of an estate of HSMs and related Security
Domains through an intuitive web-based UI Protect your proprietary
and RESTful APIs. applications
Process more data faster The CodeSafe option provides a secure
environment for running sensitive
nShield Connect HSMs support high
applications within nShield FIPS 140-2
transaction rates, making them ideal for
environments where throughput is critical, Level 3 physical boundary. Furthermore,
such as enterprise, retail, and IoT. with CodeSafe the optional Post Quantum
SDK supports NIST’s PQC algorithms
POWERFUL REMOTE FEATURE OPTIONS identified for standardization Reference
the CodeSafe data sheet for more detailed
Eliminate visits to the data center
information.
nShield Remote Administration - Enables
the secure remote presentation of
authorization smart cards to remote HSMs
to execute maintenance tasks including
enrolling new HSMs and reassigning/
reconfiguring existing HSMs. Separate
data sheet available.

Learn more about nShield Connect HSMs at entrust.com

 nShield Connect HSMs

AVAILABLE MODELS AND PERFORMANCE

nShield Connect models XC Base XC Mid XC High
RSA signing performance (tps) for NIST recommended key lengths
2048 bit 430 3,500 8,600
4096 bit 100 850 2,025
ECC prime curve signing performance (tps) for NIST recommended key lengths
256 bit 680 7,5152 14,4002
Symmetric encryption (KB/sec) 1024 byte plain text
AES 128 bit 825 7,700 11,300
AES 256 bit 795 7,700 9,700
Key generation with ECC activation (keys/sec)
RSA 2048 bit 6.0 6.2 7.3
ECDSA P-192 bit 110 650 1,050
ECDSA P-256 bit 100 630 1,050
ECDSA P-521 bit 65 480 710
Client licenses
Included 3 3 3
Maximum 10 20 unlimited1

Note 1: Requires enterprise client license.

Note 2: Performance indicated requires ECDSA fast RNG feature activation available free of charge on request from Entrust nShield Support.

Learn more about nShield Connect HSMs at entrust.com

 nShield Connect HSMs

TECHNICAL SPECIFICATIONS
Application
Supported programming Host
Supported cryptographic algorithms Security compliance
platforms interfaces connectivity
(APIs)

• Full NIST Suite B implementation • Windows and • PKCS#11 • Dual Gigabit • FIPS 140-2 Level 2 and
Linux operating Ethernet ports Level
• Asymmetric algorithms: RSA, Diffie-Hellman, • OpenSSL
systems including (two network 3 certified
ECMQV, DSA, El-Gamal, KCDSA, ECDSA
distributions from • Java (JCE) segments
(including NIST, Brainpool & secp256k1 • IPv6 certified and USGv6
RedHat, SUSE, and with network
curves), ECDH, Edwards (Ed25519, Ed25519ph • Microsoft CAPI/ Ready compliant
major cloud service bonding
providers running CNG option)
• Symmetric algorithms: AES, • eIDAS and Common
AES-GCM, Arcfour, ARIA, Camellia, CAST, MD5 as virtual machines • Web Services Criteria EAL4+ AVA_
HMAC, RIPEMD160 HMAC, SEED, SHA-1 HMAC, or in containers (requires Web VAN.5 and ALC_ FLR.2
SHA-224 HMAC, SHA-256 HMAC, SHA-384 Services Option certification against EN 419
HMAC, SHA-512 HMAC, Tiger HMAC, 3DES Pack) 221-5 Protection Profile,
under the Dutch NSCIB
• Hash/message digest: MD5, SHA-1, SHA-2 • nCore scheme
(224, 256, 384, 512 bit), HAS-160, RIPEMD160,
SHA-3 (224, 256, 384, 512 bit) • Recognized as a Type 1
QSCD;
• Elliptic Curve Key Agreement (ECKA) available
Type 2 QSCD together with
via Java API
Entrust SAM
and nCore APIs
• BSI AIS 20/31 compliant
• Elliptic Curve Integrated Encryption Scheme
(ECIES) available via Java API, PKCS#11 and
nCore APIs
• TUAK algorithm support for mutual
authentication and key generation (3GPP)
• NIST’s PQC algorithms identified for
standardization including CRYSTALS-Dilithium,
FALCON, and SPHINCS+ digital signature
algorithms (requires CodeSafe PQ SDK)

Safety, EMC, &

Management and
environmental High availability Physical characteristics
monitoring
compliance

• UL, CE, FCC, UKCA, • All solid-state storage • nShield Remote Configuration (available • Standard 1U 19in. rack mount Dimensions:
RCM, Canada ICES, on Serial Console-configured models) 43.4 x 430 x 705mm (1.7 x 16.9 x 27.8in)
• Field serviceable fan
RoHS, WEEE
tray • nShield Remote Administration • Weight: 11.5kg (25.4lb)
(purchased separately)
• Dual hot-swap power • Input voltage: 100-240V AC auto
supplies • nShield Monitor (purchased separately) switching 50-60Hz
• Full support for • Secure audit logging • Power consumption: up to 2.0A at 110V
clustering HSMs and AC, 60Hz | 1.0A at 220V AC, 50Hz
• Syslog diagnostics support and Windows
automated failover/
performance monitoring • Heat dissipation: 327.6 to 362.0 BTU/hr
load balancing
(full load)
• SNMP monitoring agent
• Network bonding
• Reliability - MTBF (hours)3, Connect XC:
supporting active
107,384 hours
backup mode and
802.3ad mode

Note 3: Calculated at 25 degrees centigrade operating temperature

using Telcordia SR-332 “Reliability Prediction Procedure for Electronic
Equipment” MTBF Standard
 To find out more about
Entrust nShield HSMs

[email protected]
entrust.com/HSM

ABOUT ENTRUST CORPORATION

Entrust keeps the world moving safely by enabling
trusted experiences for identities, payments, and
digital infrastructure. We offer an unmatched
breadth of solutions that are critical to enabling
trust for multi-cloud deployments, mobile identities,
hybrid work, machine identity, electronic signatures,
encryption, and more. With more than 2,800
colleagues, a network of global partners, and
customers in over 150 countries, it’s no wonder the
world’s most entrusted organizations trust us.

Learn more at
entrust.com/HSM
Entrust, nshield, and the hexagon logo are trademarks, registered trademarks, and/or service marks of Entrust
Corporation in the U.S. and/or other countries. All other brand or product names are the property of their
Global Headquarters
respective owners. Because we are continuously improving our products and services, Entrust Corporation
reserves the right to change specifications without prior notice. Entrust is an equal opportunity employer. 1187 Park Place, Minneapolis, MN 55379
©2022 Entrust Corporation. All rights reserved. HS23Q3-entrust-nshield-connect-ds [email protected]