Introduction

This guide describes:

  • The procedure to install and configure KeyControl Vault.

  • The procedure to integrate Entrust KeyControl Vault with an Entrust nShield HSM so that the HSM establishes the hardware root of trust for all encryption keys.

  • The procedure to protect the KeyControl Vault Admin Key in the HSM.

When all of these procedures have been performed, the KeyControl Vault keys are rooted in an HSM certified to FIPS 140 Level 3 and Common Criteria EAL4+, which supports regulatory compliance requirements for a hardware root of trust.

  • Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks.

  • Up to and including firmware v13.4.5, all nShield HSMs require explicit feature activation before their elliptic curve features can be used. See the nShield Security World documentation on the nShield Product Documentation website.
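Because the elliptic curve activation requirement depends on the firmware version of each module, it is worth checking every module before starting the integration. The following script is an added example and is not part of the Entrust guide or of the nShield software. It assumes that the nShield enquiry utility prints a "version" line under a "Module #N:" heading for each module (the sample text below is constructed to that layout); adapt the parser if your output differs.

```shell
#!/bin/sh
# Added example: flag nShield modules whose firmware is at or below 13.4.5 and
# therefore still needs explicit elliptic curve feature activation.
# Assumption: enquiry prints a "version" line inside each "Module #N:" block.

# Constructed sample in the assumed enquiry layout (the server's own version
# line is deliberately ignored; only module firmware matters here).
SAMPLE_ENQUIRY='Server:
 enquiry reply flags  none
 mode                 operational
 version              13.6.3

Module #1:
 enquiry reply flags  none
 mode                 operational
 version              13.4.5

Module #2:
 enquiry reply flags  none
 mode                 operational
 version              12.72.3

Module #3:
 enquiry reply flags  none
 mode                 operational
 version              13.6.5
'

# needs_ec_activation VERSION
# Returns 0 (true) when VERSION <= 13.4.5, comparing major.minor.patch numerically
# rather than as strings (so 12.72.3 sorts below 13.4.5, unlike a plain sort).
needs_ec_activation() {
  v="$1"
  maj=${v%%.*}
  rest=${v#*.}
  min=${rest%%.*}
  case "$rest" in
    *.*) pat=${rest#*.} ;;
    *)   pat=0 ;;            # two-component version: treat patch as 0
  esac
  if [ "$maj" -lt 13 ]; then return 0; fi
  if [ "$maj" -gt 13 ]; then return 1; fi
  if [ "$min" -lt 4 ]; then return 0; fi
  if [ "$min" -gt 4 ]; then return 1; fi
  [ "$pat" -le 5 ]
}

# report_modules ENQUIRY_TEXT
# Prints one line per module: "<module>: firmware <version> needs-ec-activation|ok".
report_modules() {
  section=""
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in
      "Module #"*:) section=${line%:} ;;     # start of a module block
      Server:)      section="" ;;            # server block: skip its version line
      " version "*)
        if [ -n "$section" ]; then
          ver=$(printf '%s' "$line" | awk '{print $2}')
          if needs_ec_activation "$ver"; then
            printf '%s: firmware %s needs-ec-activation\n' "$section" "$ver"
          else
            printf '%s: firmware %s ok\n' "$section" "$ver"
          fi
        fi ;;
    esac
  done
}

# Run against the constructed sample when executed directly.
report_modules "$SAMPLE_ENQUIRY"
```

On a real host, replace the sample with live output, for example `report_modules "$(enquiry)"`, and run the nShield feature activation procedure for every module that is reported as needs-ec-activation before creating EC keys for KeyControl Vault.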

Product configuration

Entrust has successfully tested nShield HSM integration with KeyControl Vault in the following configurations:

Product               Version
KeyControl Vault      10.4.1
nShield HSM hardware  Connect XC, nShield 5c

Supported features

Entrust has successfully tested nShield HSM integration with the following features:

Feature          Support
Softcards        Yes
Module-only key  Not supported
OCS cards        For FIPS authorization only
nSaaS            Not tested

Supported nShield hardware and software versions

Entrust has successfully tested with the following nShield hardware and software versions:


Tested configurations:

HSM         Security World Software  Firmware                        Image   FIPS 140 Level 3
nShield 5c  13.6.3                   13.4.5 (FIPS 140-2 certified)   13.6.5  Yes
Connect XC  13.6.3                   12.72.3 (FIPS 140-2 certified)  13.6.5  Yes