Environment; Hsm Function And Architecture - Entrust nShield Security Manual

3. Environment

3.1. HSM function and architecture

The nShield HSMs perform encryption, digital signing and key management on behalf of
an extensive range of commercial and custom-built applications including Public Key
Infrastructures (PKIs), identity management systems, application-level encryption and
tokenization, SSL/TLS, and code signing.
nShield HSMs provide a hardened, tamper-resistant environment for secure
cryptographic processing, key generation and protection and key, data and application
encryption. They are available in three FIPS 140-2 certified form factors to support a
variety of deployment scenarios.
All nShield HSMs integrate with the nShield Security World architecture. This supports
combinations of different nShield HSM models to build a unified ecosystem that delivers
scalability, seamless failover and load balancing. The nShield Security World architecture
supports a specialized key management framework that spans the nShield HSM range.
nShield HSMs all define the physical FIPS-certified security boundary or HSM Layer
within which Application Keys, Control Keys and Infrastructure Keys are protected. Using
quorums of Administrator Card Set (ACS) cards, Infrastructure Keys can be securely
backed up and shared across multiple HSMs. When this is performed, HSMs that share
the same Infrastructure Keys develop a common Security World that provides an
expanded logical security boundary that extends beyond the physical HSM Layer and
overlaps into the enterprise IT environment or Application Layer. The abstraction of
Application Keys into Application Key Tokens enables these tokens to be stored outside
the physical HSM and within the corporate IT environment.
nShield® Security Manual 10 of 90