Introduction

This document describes how to integrate CyberArk Trust Protection Foundation with the Entrust nShield hardware security module (HSM) as a Root of Trust for storage encryption, so that the private keys are generated and held under HSM protection and the deployment can meet FIPS 140-3 or FIPS 140-2 requirements.

Post‑Quantum Ready

This integration brings together Entrust’s next‑generation nShield HSM platform and CyberArk technology to deliver security built for the quantum era. With support for NIST‑selected post‑quantum algorithms, the combined solution gives organizations a path to quantum‑safe cryptography. By enabling adoption of hybrid and quantum‑resistant protection, Entrust and CyberArk help customers stay ahead of evolving threats and safeguard mission‑critical keys and operations. Note that some post‑quantum functionality is not yet available in this integration; see Open Issues.

Product configurations

Entrust has successfully tested nShield HSM integration with CyberArk Trust Protection Foundation in the following configurations:

Product                                Version

CyberArk Trust Protection Foundation   25.3.0.2740

Base OS                                Windows Server 2025

Supported nShield hardware and software versions

Entrust has successfully tested with the following nShield hardware and software versions.

Module protection was tested in all configurations. OCS and softcard protection were also tested and found not to be supported; see Open Issues.

HSM          Security World Software   Firmware   Image

nShield 5c   13.9.3                    13.8.4     13.9.3

nShield XC   13.9.3                    13.8.3     13.9.3

Supported nShield HSM functionality

Feature                 Support

Module                  Yes

OCS cards               No

Softcards               No

nSaaS                   Yes

FIPS Restricted World   Yes (1)

(1) Keys cannot be exported from a FIPS-restricted Security World. As a result, integration functionality that depends on key export (such as HSM Central Private Key Generation) is only supported on FIPS-unrestricted and non-FIPS Security Worlds.

Requirements

Familiarize yourself with:

  • CyberArk Trust Protection Foundation documentation (https://docs.venafi.com).

  • The nShield HSM: Installation Guide and User Guide.

  • Your organizational Certificate Policy and Certificate Practice Statement, and a Security Policy or Procedure in place covering administration of the PKI and HSM:

    • The number and quorum of Administrator Cards in the Administrator Card Set (ACS), and the policy for managing these cards.

    • The number and quorum of Operator Cards in the Operator Card Set (OCS), and the policy for managing these cards.

    • The key protection method: Module, Softcard, or OCS. Softcard and OCS protection are currently not supported (see Open Issues), so use Module protection.
    • The level of compliance for the Security World, FIPS 140-3 or FIPS 140-2.

    • Key attributes such as key size, time-out, or need for auditing key usage.

Entrust recommends that you allow only unprivileged connections from the client to the HSM unless you are performing administrative tasks, and that you enable a privileged connection only for the duration of those tasks.

Open Issues

  • Wrapping of PQ keys is currently not supported (NSE-73200).

    As a result, PQ algorithms cannot be used for certificates in this integration.

  • Softcard and OCS protection is not supported (NSE-75822).

    This is being investigated so that it can be supported in the future. Earlier integration guides stated support for softcard and OCS protection, but recent testing concluded that they are not supported in either the earlier releases or the current version.

Entrust Engineering uses NSE numbers to track open issues. If you want to discuss an issue with Entrust, quote the NSE number as a reference.