nShield 5c 10G Release Notes

Introduction

These release notes apply to the first release of the nShield 5c 10G Hardware Security Module (HSM) and the related v14.0.4 image..

These release notes contain information specific to this release such as new features, defect fixes, and known issues. They may be updated with issues that have become known after this release has been made available. For the latest version, see https://trustedcare.entrust.com/. Access to the Support Portal is available to customers under maintenance. To request an account, contact nshield.support@entrust.com.

We continuously improve the user documents and update them after the general availability (GA) release. Changes in the document set are recorded in these release notes and are published at https://nshielddocs.entrust.com.

Updated nShield Software Release Policy

Entrust has recently introduced an update to the nShield Software release policy to better define the type of release and the associated update and support policy. As part of this, the concept of Long Term Support (LTS) and Standard Term Support (STS) software releases has been introduced, with each software release being either a LTS or STS release.

For more information on the software release policy, see the nShield Security World Release Information. Alternatively contact https://trustedcare.entrust.com/ for more information.

Purpose of the nShield 5c 10G

The nShield 5c 10G is Entrust’s newest HSM with support for 10G connectivity to meet the needs of high-performance data centers where fiber or copper connectivity is required. Customers can choose fiber or copper connectors based on their needs. The nShield 5c 10G features four network ports (management and data), hot-swappable components (fan trays, power supplies, battery), simplified front panel and command line interface, remote power control, and remote management via KeySafe 5. The nShield 5c 10G delivers the same high-performance cryptographic capabilities as other nShield 5c variants and is covered by the same FIPS and Common Criteria certifications.

Versions of these Release Notes

Revision Date Description

1.0

2025-11-19

Release notes for the first release of the nShield 5c 10G HSM.

Product versions

Firmware ISO versions

Version Date Description

v14.0.4

2025-11-12

First release of the nShield 5c 10G HSM. This ISO includes nShield 5c 10G firmware images with support for FIPS and Common Criteria via nShield 5s firmware versions 13.4.5 (FIPS) and 13.5.1 (CC) .

nShield 5c 10G image versions

Version Date Description

v14.0.4

2025-11-12

First release of the nShield 5c 10G HSM containing the latest features.

Features of the nShield 5c 10G

The nShield 5c 10G is available with both FIPS and Common Criteria certifications.

Basic Front Panel UI (NSE-50929)

The user interactive features available in the Front Panel of the nShied 5c 10G are:

  • Power control

  • Factory stating and recovery mode

  • Unit information:

    • Identification (ESN, serial number, Image version)

    • Status (boot mode, health)

    • Basic network configuration (read-only)

    • Tamper log

Simplified Command Line Interface (NSE-58916, NSE-65199)

The serial CLI in the nShield 5c 10G is a simplified version of the nShield 5c serial CLI. Its purpose is to provide for initial network and KeySafe 5 agent configuration. This interface includes the following functionality:

  • Basic network configuration

  • KeySafe 5 Agent’s initial configuration

  • General utility commands to do basic unit operations such as setting time & date, rebooting, and unit identification.

  • Remote power function to allow the nShield 5c 10G to be rebooted remotely.

For a complete list of all commands supported in the CLI type 'help' in the CLI interface.

Refer to the Security World manual for more information on how to use the Remote Power function.

Both, the Remote Power and the CLI can be disabled by the user as required.

Management via KeySafe 5 (NSE-55504)

Managing the full configuration of the nShield 5c 10G is performed through KeySafe 5. The RFS is not supported with nShield 5c 10G. The following functionality can be configured via the KeySafe 5 GUI or the KeySafe 5 REST APIs:

  • Network configuration including network bonding options

  • Time configuration

  • System logging configuration

  • Upgrade

  • Factory state

  • Unit information

  • Tenant configuration

  • Alerts

  • CodeSafe 5 configuration

For more information about KeySafe 5 please refer to the KeySafe 5 user guide.

Security Features (NSE-55563, NSE-58987, NSE-57365)

The nShield 5c 10G uses UEFI Secure Boot and secures stored data using a Trusted Platform Module (TPM) and LUKS based disk encryption.

Serial Remote Function (NSE-57807)

The Remote Power function on the nShield 5c 10G provides a power-toggling capability via the serial port, allowing for remote power on/off, even if the main system is not powered on/available.

Firmware images

nShield 5c 10G image packages

The nShield 5c 10G consists of three major firmware components:

  • Primary Image

  • Recovery Image

  • Bootloader

This product ships with a complete set of images, but this release only supplies an upgrade image (.npkg) for the primary image component of the 5c 10G firmware. For more information on the nShield 5s latest, FIPS and CC versions please refer to the release notes for that product.

nShield 5c 10G images

Type 5c 10G Version Description Directory VSN

Latest (v13.5.6)

v14.0.4

Package supporting the latest nShield 5s firmware.

/firmware/nShield5c10g/fips/nShield5c10G-14.0.4-vsn2.npkg

2

FIPS Approved

v14.0.4

Package supporting nShield 5s FIPS firmware release v13.4.5.

/firmware/nShield5c10g/fips/nShield5c10G-14.0.4-vsn2.npkg

2

CC Approved

v14.0.4

Package supporting nShield 5s Common Criteria Certified firmware release 13.5.1.

/firmware/nShield5c10g/cc/nShield5c10G-14.0.4-vsn2.npkg

2

Compatibility

The nShield 5c 10G has been tested with the Security World v13.6.12 LTS Release 4 clientside. The nShield 5c 10G is compatibale with all the functionality supported by Security World: i.e. operating systems, APIs, etc. For more information on all the functionality provided by Security World please refer to the Security World v13.6.12 documentation and release notes.

Note: The nShield 5c 10G does not currently support STS Security World releases. Support for new STS releases will be introduced in a future software update.

Known Issues

Reference Scope Status Description

NSE-71640

5c 10G

Open

BOOTUF_LOGEXP boot error (service restart)

On rare occasions, the front panel may display a BOOTUF_LOGEXP error, immediately after boot. Rebooting unit should clear the error. If rebooting the unit clears the error, the error is benign. If the error is not cleared, contact support.

NSE-71847

5c 10G

Open

CLI: netcfg unconfigure fails to clear IP entries in netstatus

On rare occasions, when running netcfg unconfigure, the previous IPV4 address may still show up in netstatus. Should that happen, a reboot will clear the transient error.

NSE-71867

5c 10G

Open

CLI: Inconsistent "boot mode" displayed on the CLI when factory stating a ReConnect

When the factory state operation is performed via the CLI the boot mode incorrectly indicates PRIMARY instead of FACTORY. When the factory state operation is performed via FPUI, the boot mode indicates FACTORY.

NSE-72013

5c 10G

Open

CLI: Network services are not always restarted following a config change on ReConnect.

Workaround: If you have SLAAC configured and you want to change it to a static IPV6 address, you must first run "netcfg6 unconfigure" to remove the SLAAC setting and then apply the static IP address change. Failing to do it will require a reboot of the unit for the change to take effect.

NSE-72220

5c 10G

Open

CLI: Adding tls.crt or ca.crt on a ReConnect before it’s ready to be used results in a FileNotFoundError and traceback.

Workaround: Following a factorystate, wait until the unit is fully operational (as shown by the front panel 'System Status' page, when the unit becomes 'Active') before trying to configure the Keysafe 5 agent. Typically, a factorystate takes 12-15 minutes to complete.

NSE-73833

5c 10G

Open

Continual reduction in the value reported in "Virtual_Memory_Free"

The Keysafe 5 Virtual_Memory_Free statistic is not a useful representation of system memory usage. It will be removed in a future release.

NSE-73894

5c 10G

Open

CLI: Prevent the user setting of default gateways for both IPv4 and IPv6 static IPs

The use of two default gateways, at same time, for IPv4 and IPv6 static IPs, is unsupported in the v14.0.4 release of nShield 5c 10G image

Open in v14.0.4.

NSE-74121

5c 10G

Open

"HSMENR HSM enrollment failed" displayed after recovering from removing rear battery and PSU

The HSMENR ("HSM enrollment failed") boot error may occur after the device has recovered from a low-voltage tamper state, triggered by removing all power from the unit, involving removal of both the mains power and the chassis backup battery, for an extended period of time, typically longer than 12 hours.

Workaround: If the HSMENR error appears, place the unit into recovery mode to resolve the issue.

NSE-74271

5c 10G

Open

CLI: ReConnect uses a Temporary IPv6 Address for a Client instead of a specified static IPv6 address

When a static IPv6 address is assigned to the nShield 5c 10G client within a separated network environment, the Hardserver is currently not recognizing the configured address, resulting in the HSM being reported as unavailable during enquiry. Instead, the Tenant machine is defaulting to a temporary IPv6 address.

Workaround: When the Client configuration is updated to use this temporary address, the HSM becomes visible and functions as expected.

Open in v14.0.4.