nShield Connect

nShield Connect HSMs

nShield Connect HSMs are certified hardware security appliances that deliver cryptographic services to a variety of applications across the network. nShield HSM appliances are hardened, tamper-resistant platforms that perform such functions as encryption, digital signing, and key generation and protection. With their comprehensive capabilities, these HSMs can support an extensive range of applications, including certificate authorities, code signing and more.

Remote configuration eliminates costly trips to the data center

The latest nShield Connect XC models offer an optional serial port that allows enterprises to eliminate costly repeat trips to the data center. Remote Configuration capabilities include:

  • Initiating and changing an HSM’s network settings, e.g. IP address
  • Supporting provider/tenant deployment models where the nShield HSM appliance can be easily configured by the provider before passing control of the HSM to a tenant. Separation of roles ensures the cryptographic key material is not exposed to the provider.
  • Purging key material and decommissioning the nShield HSM appliance at the end of a usage cycle in preparation for its next deployment.

Technicians simply need to rack and cable the nShield HSM appliance and connect a serial concentrator in the data center to prepare the nShield Connect XC for full remote configuration and administration. This reduces the need for trained resources in the data center and provides customers more efficiency and control over their HSMs.

nShield Connect Benefits

Powerful Architecture

Build and grow your HSM estate using Security World, Entrust’s unified ecosystem that delivers scalability, seamless failover, and load balancing.

Faster Data Processing

Get some of the highest cryptographic transaction rates in the industry. Ideal for environments where throughput is critical.

Protection of sensitive business and application logic

Execute code within nShield boundaries, protecting your applications and the data they process.

Technical Specifications

Certified Hardware Solutions

Entrust has earned a broad set of certifications for nShield products. These certifications help our customers to demonstrate compliance while also giving them the assurance that their nShield HSMs meet stringent industry standards.

Security Compliance

  • FIPS 140-2 Level 2 and Level 3
  • USGv6 accreditation
  • eIDAS and Common Criteria EAL4 + AVA_VAN.5 and ALC_FLR.2 certification against EN 419 221-5 Protection Profile, under the Dutch NSCIB scheme
    • Can form the basis of an EN 419 241-2 certified remote signing system for eIDAS.
    • Compliant with BSI AIS 31 for true and deterministic random number generation
  • Common Criteria EAL4+ (AVA_VAN.5) for nShield Connect+ models
  • Recognition of nShield Connect+ as a Qualified Signature Creation Device (QSCD)
  • ICP Brazil certification to NSC3 level

Safety and Environmental Standards Compliance

  • UL, CE, FCC, RCM, Canada ICES
  • RoHS2, WEEE

High Transaction Rates

nShield HSMs boast high elliptic curve cryptography (ECC) and RSA transaction rates. ECC, one of the most efficient cryptographic algorithms, is particularly favored where low power consumption is crucial, such as applications running on small sensors or mobile devices.




XC Base



XC Mid

XC High

2048 RSA Signing







4096 RSA Signing







256 ECC Signing







Wide Support for APIs, Cryptographic Algorithms and OSs

Supported APIs

  • PKCS#11, OpenSSL, Java (JCE), Microsoft CAPI/ CNG and Web Services (requires Web Services Option Pack)

Supported Cryptographic Algorithms

  • Asymmetric public key algorithms: RSA, Diffie-Hellman, ECMQV, DSA, KCDSA, ECDSA, ECDH, Edwards (X25519, Ed25519ph)
  • Symmetric algorithms: AES, AES-GCM, ARIA, Camellia, CAST, RIPEMD160 HMAC, SEED, Triple DES
  • Hash/message digest: SHA-1, SHA-2 (224, 256, 384, 512 bit), HAS-160
  • Full Suite B implementation with fully licensed ECC including Brainpool and custom curves
  • Elliptic Curve Key Agreement (ECKA) available via Java API and nCore APIs
  • Elliptic Curve Integrated Encryption Scheme (ECIES) available via Java API, PKCS#11 and nCore APIs

nShield HSMs offers support for the majority of these cryptographic algorithms as part of the standard feature set. For organizations wishing to use ECC or South Korean algorithms, optional activation licenses are needed.

Supported Platforms

Windows and Linux operating systems including distributions from RedHat, SUSE and major cloud service providers running as virtual machines or in containers.


Calculated at 25°C operating temperature using Telcordia SR-332 “Reliability Prediction Procedure for Electronic Equipment” MTBF Standard

  • Connect XC   107,384 hours
  • Connect+   99,284 hours