Introduction
This guide describes how to integrate the nShield Post-Quantum Cryptography (PQC) Option Pack library, also known as PQCOP, with an Entrust nShield® Hardware Security Module (HSM) to provide secure solutions.
The nShield PQC Option Pack enables Security World Software users to generate and use keys with public-key cryptographic algorithms selected by NIST as part of the Post-Quantum Cryptography standardization process.
The nShield PQC Option Pack is installed on top of your Security World Software, allowing you to use your existing keys and algorithms alongside post-quantum algorithms.
Product configurations
We have successfully tested nShield HSM integration with the nShield PQC Option Pack on a Linux server running Ubuntu 22.04 and a Windows server running Windows Server 2022 in the following configurations:
| PQCOP | CodeSafe | Security World | HSM | Firmware | Netimage | FIPS Level 3 |
|---|---|---|---|---|---|---|
| 1.4.1 | 13.9.3 | 13.9.3 | nShield Connect XC | 13.8.3 | 13.9.3 | No |
| 1.4.1 | 13.9.3 | 13.9.3 | nShield 5c | 13.8.4 | 13.9.3 | No |
Requirements
Ensure that you have supported versions of all products as described in Product configurations.
To perform the integration tasks, you must have:
- `root` access on the operating system. This is required to install Security World. This can be done by having `sudo` access.
- Access to `nfast` accounts.

| `sudo` is used in some commands; however, it is not necessary if the user has `nfast` group access. |
Before starting the integration process, familiarize yourself with the documentation and setup processes for:
- The HSM (documentation only; this guide assumes your HSM is already set up).
- CodeSafe running on the nShield Connect XC.
- CodeSafe 5 running on the nShield 5c.
- The nShield PQC Option Pack.
Before using the nShield software, you need to know:
- The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.
- The number and quorum of Operator Cards in the Operator Card Set (OCS), and the policy for managing these cards.
| Entrust recommends that you allow only unprivileged connections unless you are performing administrative tasks. |
For more information, see the documentation for the HSM.
| ML-DSA is now supported in firmware and is better used through the main product line than through the nShield PQC Option Pack. LMS will be the default key type in the nShield PQC Option Pack for releases after 1.4.1. |
More information
For more information about OS support, contact Entrust nShield Support at https://nshieldsupport.entrust.com.
Access to the Entrust nShield Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.