Entrust (nCipher) nShield Connect

Common Models

  • nShield Connect+: 500+, 1500+, 6000+
  • nShield Connect XC: XC Base, XC Medium, XC High (NH20xx series)

FIPS Status

  • Current validation: FIPS 140-2 Level 3 (Connect+/XC)
  • Migration path: FIPS 140-3 available in the newer nShield 5 family; we plan phased cutovers and mixed estates (Connect XC + nShield 5) where required.

PQC (Post-Quantum) Support

  • Algorithms: Support for NIST-standardized ML-KEM (FIPS 203 / Kyber) and ML-DSA (FIPS 204 / Dilithium) via Entrust’s PQ enablement (nShield 5 native) or hybrid patterns on Connect XC (host PQ libraries with key protection, wrapping, and policy enforcement anchored in the Security World).
  • Co-existence (“dual-stack”): Run classical (RSA/ECDSA) and PQC side-by-side, with policy routing and staged rollouts per app.

Dual Private-Key Format Support (Seed vs Expanded)

  • Context: PQC introduces two private-key forms—compact seeds (e.g., ~64 bytes) and expanded keys (≈1.6–4 KB). The IETF is progressing PKCS#12 seed-only profiles, which impacts storage, backup, and interchange.
  • What we implement on nShield:
    • Seed custody in HSM: Store/guard compact seeds as high-assurance key objects; control export with dual control/split knowledge and policy tags.
    • Deterministic re-derivation: Generate expanded keys inside the trust boundary from seeds for signing/KEM, avoiding persistent storage of large keys when desired.
    • Expanded-key import & use: Where applications require expanded private keys, import/wrap them into Security World with lifecycle controls (labeling, rotation, archival).
    • Backup & portability: HSM-wrapped seed objects (and, if needed, expanded keys) with tamper-evident ceremony records; support for seed-only PKCS#12 once standardized, plus migration runbooks from PFX with expanded keys to seed-centric custody.
    • Policy & audit: Enforce who can materialize expanded keys, when, and where (online/offline tiers); produce auditor-ready evidence of seed handling and derivation events.
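The seed-centric custody pattern above, as an added illustration (not Entrust's nShield API or SafeCipher's tooling): the compact seed is the custodial object, the expanded key is re-derived on demand inside the boundary and never persisted, seed release requires two distinct approvers, and every materialization leaves an audit record. Names (SeedKeyObject, expand_seed, PolicyError) are assumptions; the SHAKE256 expansion is a stand-in for the real ML-KEM/ML-DSA key-expansion routines, chosen only because both standards derive the expanded key deterministically from a seed.

```python
"""Seed-vs-expanded custody model (added example; not Entrust or SafeCipher code)."""
import hashlib
import secrets
from dataclasses import dataclass, field

SEED_LEN = 64        # compact seed size, taken from the "~64 bytes" figure above
EXPANDED_LEN = 2400  # illustrative expanded size, inside the 1.6-4 KB range above


class PolicyError(Exception):
    """Raised when an operation violates custody policy (e.g. dual control)."""


def expand_seed(seed: bytes, label: bytes = b"expanded-private-key") -> bytes:
    """Deterministically derive the expanded key from a seed.

    Stand-in expansion (SHAKE256 XOF). Real ML-KEM/ML-DSA expansion differs in
    detail, but shares the property exercised here: same seed, same expanded key.
    """
    if len(seed) != SEED_LEN:
        raise ValueError(f"seed must be exactly {SEED_LEN} bytes")
    return hashlib.shake_256(label + seed).digest(EXPANDED_LEN)


@dataclass
class SeedKeyObject:
    """A seed guarded as a key object: derive on demand, release only under dual control."""
    label: str
    seed: bytes = field(default_factory=lambda: secrets.token_bytes(SEED_LEN), repr=False)
    audit: list = field(default_factory=list)

    def materialize(self, requester: str) -> bytes:
        """Derive the expanded key inside the boundary and record who triggered it."""
        self.audit.append(("materialize", self.label, requester))
        return expand_seed(self.seed)

    def release_seed(self, approvers: tuple) -> bytes:
        """Release the seed for wrapping/backup only with two distinct approvers present."""
        if len(set(approvers)) < 2:
            self.audit.append(("release-denied", self.label, tuple(approvers)))
            raise PolicyError("dual control: two distinct approvers required")
        self.audit.append(("release", self.label, tuple(approvers)))
        return self.seed

    def storage_footprint(self) -> tuple:
        """Bytes persisted (seed only) vs bytes that would be persisted for the expanded form."""
        return (len(self.seed), EXPANDED_LEN)


if __name__ == "__main__":
    key = SeedKeyObject("ml-dsa-signing-key")
    first = key.materialize("signing-service")
    second = key.materialize("signing-service")
    print("deterministic:", first == second, "stored/expanded bytes:", key.storage_footprint())
    try:
        key.release_seed(("alice", "alice"))
    except PolicyError as err:
        print("denied:", err)
    released = key.release_seed(("alice", "bob"))
    print("re-derivation from released seed matches:", expand_seed(released) == first)
    for event in key.audit:
        print("audit:", event)
```

The audit list is what an assessor would ask to see: each materialization names the requester, and denied releases are recorded alongside approved ones. In an HSM estate the release step would hand the seed to the module's wrapping mechanism rather than return raw bytes; the model stops short of that because the wrapping format is module-specific.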

How SafeCipher Helps (Procure • Deploy • Support)

  • Procurement & contracts: Sizing, pricing, spares/RMA, co-termed renewals; roadmap planning for FIPS 140-3 transitions (Connect XC → nShield 5).
  • Deployment & integration: Security World design, OCS/SO management, client toolchains (PKCS#11/CNG/JCE), HA/DR, firmware governance, HSM-anchored PQC pilots.
  • Operations: 24×7/BH support options, monitoring, capacity tuning, seed/expanded key ceremonies, backup/escrow, and auditor-ready documentation.
  • Migrations: Classical→PQC dual-stack rollouts, seed-only PKCS#12 adoption, provenance-preserving re-wraps, and phased application cutovers with rollback plans.

Bottom line
Whichever HSM or crypto platform you choose, we can help you buy it right, deploy it right, and keep it right—without locking you to a single vendor.