Introduction

This guide describes how to:

  • install and configure Entrust Cryptographic Security Platform Key Management Vault

  • integrate Entrust Cryptographic Security Platform Key Management Vault and Entrust nShield HSM for establishing a hardware root of trust for all encryption keys

  • protect the Cryptographic Security Platform Key Management Vault Admin Key in the HSM

When all of these procedures are performed, the combined solution facilitates regulatory compliance with a FIPS 140 Level 3 and Common Criteria EAL4+ root of trust.

  • Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

  • Up to and including firmware v13.4.5, all nShield HSMs require specific activation to use the elliptic curve features. See the nShield Security World documentation on the nShield Product Documentation website.

Product configuration

Entrust has successfully tested nShield HSM integration with Key Management Vault in the following configurations:

Vendor    Product                           Version
Entrust   Cryptographic Security Platform   1.0
Entrust   Key Management Vault              10.4.5
Entrust   nShield Security World            13.6.8
Entrust   nShield HSM hardware              Connect XC, nShield 5c

Supported features

Entrust has successfully tested nShield HSM integration with the following features:

Feature           Support
Softcards         Yes
Module-only key   Not Supported
OCS cards         For FIPS Authorization Only
nSaaS             Not tested

Supported nShield hardware and software versions

Entrust has successfully tested with the following nShield hardware and software versions:

HSM          Security World Software   Firmware                          Image
Connect XC   13.6.8                    12.72.3 (FIPS 140-2 certified)    13.6.7
nShield 5c   13.6.8                    13.4.5 (FIPS 140-3 certified)     13.6.7