Hardware security modules

Electrical power requirements

Make sure that the power supply in your computer is rated to supply the required electric power.

If your computer can supply the required electric power and sufficient cooling, you can install multiple modules in your computer.

Handling modules

The module contains solid-state devices that can withstand normal handling. However, do not drop the module or expose it to excessive vibration.

Before installing hardware, you must disconnect your computer from the power supply. Ensure that a grounded (earthed) contact remains. Perform the installation with care, and follow all safety instructions in this guide and from your computer manufacturer.

Static discharge can damage modules. Do not touch the module connector pins, or the exposed area of the module.

Leave the module in its anti-static bag until you are ready to install it. Always wear an anti-static wrist strap that is connected to a grounded metal object. You must also ensure that the computer frame is grounded while you are installing or removing an internal module.

Module operational temperature and humidity specifications

The module is designed to operate in moderate climates only. Never operate the module in dusty, damp, or excessively hot conditions. Never install, store, or operate the module at locations where it may be subject to dripping or splashing liquids.

Cooling requirements

An air velocity of 1.9 m/s (373 LFM) is recommended for a module in operation.

During installation, ensure there is adequate airflow around the module. Airflow from fans must be directed to the inlet surface of the module such that air is flowing through and across the length of the module. To maximize airflow, use a PCIe slot with no neighboring modules if possible. If airflow is limited, consider fitting extra cooling fans.

Ensure the module has adequate cooling. Failure to do so can result in damage to the module or computer.

To check the actual and maximum temperature of the module during operation, see the Maintenance of nShield Hardware section of the User Guide for your module and operating system. Do this directly after installing the module in its normal working environment, and monitor the temperature of the module over its first few days of operation.

Cooling recommendations for a desktop installation

For a desktop installation running within the operating environmental conditions, dedicated airflow is required across the module. If the system cannot provide the necessary airflow, Entrust recommends that you add a sufficiently powerful dedicated fan to cool the module directly. For details of the cooling requirements, see Cooling requirements.

Cooling recommendations for a server installation

The desktop cooling recommendations also apply to a server installation. In addition, power and airflow control software is sometimes available in a server installation. If this is the case, Entrust recommends that you:

  • Configure the target air velocity in the software to ensure it does not fall below the airflow recommendations of the module. For details regarding the cooling requirements, see Cooling requirements.

  • Ensure that the PCIe slot has been configured to fulfil the module power requirements.

Physical location considerations

For the certification of Entrust nShield HSMs, refer to the Security Manual. In addition to the intrinsic protection provided by an nShield HSM, customers must exercise due diligence to ensure that the environment within which the nShield HSMs are deployed is configured properly and is regularly examined as part of a comprehensive risk mitigation program to assess both logical and physical threats. Applications running in the environment shall be authenticated to ensure their legitimacy and to thwart possible proliferation of malware that could infiltrate these applications as they access the HSMs’ cryptographic services. The deployed environment must adopt 'defense in depth' measures and carefully consider the physical location to prevent detection of electromagnetic emanations that might otherwise inadvertently disclose cryptographic material.