Data Security and Key Management - Thales e-Security

nShield Solo XC & Solo+


Server Embedded HSMs


The nShield Solo series, composed of the Solo+ and new Solo XC model, is a high-assurance security solution delivered as a PCIe card designed for embedding in stand-alone servers or appliances. The nShield Solo series delivers dedicated cryptographic offload and acceleration capability to satisfy the highest performance requirements. nShield Solo is ideal for use within security appliances to achieve FIPS-grade security hardening.

Fully supporting the Thales Security World architecture, nShield Solo provides an ideal combination of high assurance and operational ease. This makes it easier for you to define and enforce security policies, such as access control and separation of duties, while also automating burdensome and risk-prone administrative tasks including back-ups and compliance reporting.

nShield Solo is fully compatible with the rest of the nShield HSM family, enabling mixed deployments and easy expansion as performance requirements increase. nShield Solo is available in various performance models, including the Solo XC’s most accelerated model to date, supporting best-in-class elliptic curve cryptography (ECC) transaction rates. To help customers protect powerful, mission-critical custom algorithms within the secure boundary of the HSM, the Solo XC series also expands CodeSafe, nShield’s unique run-time environment.

The nShield Solo+ is certified to FIPS 140-2 (Solo XC model is FIPS-pending).

Benefits of nShield Solo

  • Embedded form factor for dedicated performance enhancement

  • Support high volume, enterprise transactions with accelerated transaction rates

  • Spacious run-time environment protects powerful custom apps within HSM

    nShield Solo Features

    Security Features  

    nShield HSMs and the Thales Security World architecture combine a number of technologies to provide multi-layered security as follows:

    Physical security

    • A dedicated, card-based security module that isolates cryptographic processes and keys from applications and host operating systems – accessible only through tightly controlled cryptographic APIs.
    • Protect execution of custom, security-critical applications within the HSM boundary (CodeSafe option)
    • Guard against tampering using specialty materials
    • Detect attack attempts by monitoring hardware

    Logical security

    • Users authenticated using smart cards, avoiding reliance on weak and often shared passwords
    • Clear separation of duties distinguishes between administrators and key custodians, in contrast to software-based systems where application super-users or root-level administrators might enjoy widespread entitlements
    • Minimize the threat of malicious insiders by requiring administrators to present smart cards as a quorum to perform particularly sensitive tasks such as key recovery. Highly configurable and strongly enforced within the HSM.
    • Integrity validation and policy enforcement for nShield-protected applications (CodeSafe option)

    Operational Features

    The nShield family of HSMs and the Thales Security World architecture deliver both security and convenience by automating important key management tasks, including:

    • The power to extend the organization’s existing data backup, replication and file sharing practices to include application keys—dramatically simplifying HSM management and minimizing costly HSM-specific practices
    • Remote Administration cuts costs by letting administrators and operators manage distantly deployed HSMs from their local office
    • Wide range of standard application interfaces coupled with an extensive pre-testing program with leading application vendors minimizes deployment risk
    • Boost performance and optimize client machine capacity through cryptographic acceleration and by off-loading resource-intensive operations
    • Unlimited key storage capacity offers high scalability
    • Back-up methods avoid the need to archive keys in dedicated hardware or costly backup HSMs
    • Combine multiple HSMs to create a highly resilient network for load balancing and failover

    nShield Solo Options and Accessories


    Developer Software & Options


    Performance Ratings

    The nShield Solo is available in multiple performance variants as follows:

    • FIPS-pending Solo XC models: XC Base, XC Mid, and XC High
    • FIPS-certified Solo+ models: 500+ and 6000+

    Please consult the nShield Solo data sheet for performance data.


    The nShield Solo+ is available in FIPS 140-2 Level 2 and Level 3 variants. The nShield Solo XC is FIPS-pending.

    CipherTools Developer Toolkit

    Using the CipherTools Developer Toolkit, developers take full advantage of the advanced integration capabilities available for the nShield HSM family when applying custom applications. The Toolkit includes detailed tutorials, reference documentation, sample programs written in a range of high-level languages, and additional libraries to expand capabilities for integration with applications beyond those that can be achieved by the standard application program interfaces (APIs).


    CodeSafe

    CodeSafe enables developers to execute applications within the nShield HSM, protecting them from threats such as insider attacks, malware, and Trojans that they would be vulnerable to on typical server platforms. CodeSafe provides a “sand box” where code can be validated for integrity—ideal for applications residing in untrusted locations. CodeSafe provides fine-grained access control for security-critical resources that are protected on the device, such as private keys and non-volatile user memory. Sample applications include digital meters, authentication agents, time-stamp engines, audit loggers, digital signature agents, and custom encryption processes. CodeSafe is available for all nShield FIPS 140-2 Level 3 certified HSMs excluding the nShield Edge.


    Elliptic Curve Cryptography (ECC) Activation

    nShield HSMs offer a large number of cryptographic algorithms as part of the standard feature set, including AES, DSA and RSA. For organizations wishing to use ECC, an ECC Activation license is available. The optional activation license enables hardware-optimized ECC operation on nShield Solo HSMs.

    Database Security Option Pack

    Databases often contain an organization's most sensitive data. As a result, major database vendors have implemented native encryption in their database server products. The nShield Database Security Option Pack adds support for Microsoft’s Extensible Key Management (EKM) API. It enables organizations to better protect the keys that protect sensitive data in Microsoft SQL Server deployments using Transparent Data Encryption (TDE), manage keys across multiple databases and systems, and separate key management and database administration.

    Time Stamping Option Pack

    The Time Stamping Option Pack and optional Time Stamping Developer Software used with nShield Solo 500/500+ HSMs help companies securely verify the times of important events for a variety of applications.

    payShield Cardholder Authentication for nShield

    To protect against credit card and online banking fraud, many financial institutions have implemented additional security measures for card-not-present transactions. payShield Cardholder Authentication for nShield complements other Thales payments products by enabling organizations to authenticate the cardholder through various means, such as Chip and PIN (CAP) for online banking transactions, and 3-D Secure, also known as Verified by Visa and MasterCard SecureCode. This option integrates with cardholder authentication solutions including ActivIdentity, Arcot, Bell ID and Gemalto.

    KCDSA Activation

    Highly sensitive areas of government and enterprises with a strong interest in national security sometimes prefer to use proprietary, national cryptographic algorithms to protect their most sensitive information. Given these security concerns, it is advantageous to run such algorithms on a secure HSM platform. The KCDSA Activation enables South Korean agencies to use the Korean Certificate-based Digital Signature Algorithm (KCDSA) on an nShield HSM. Thales recommends CodeSafe technology to organizations that wish to implement their own national algorithms on the protected HSM platform.


    Remote Administration

    Remote Administration lets you manage your HSMs—including adding applications, upgrading firmware, checking status, and more—from your location, and whenever you choose. Remote Administration lets you eliminate travel to data centers for routine HSM management, helping to cut costs and optimize your resources. Remote Administration helps you to:

    • Cut travel costs
    • Reduce downtime
    • Eliminate the risk of carrying cards to remote locations

    Remote Administration Kits, which enable the feature, contain one or more Trusted Verification Devices (TVDs) (secure, custom card readers), Remote Administration Cards (smart cards), and client software. Kits are sized and priced based on the number of HSMs in the estate. 


    Smart Card Reader Rackmount

    For organizations deploying one or more nShield Solo modules in a 19" rack, the optional nShield Smart Card Reader Rackmount provides a practical and tidy solution to attach card readers in the data center. The nShield Smart Card Reader Rackmount is 1U in height and can be equipped with up to four smart card readers, which are shipped as standard with nShield Solo cards. Each unit is shipped with three blanking plates to cover any unused slots.

    Compatibility Overview

    Options Table

    * Only one of these CodeSafe applications can be run on a single HSM.

    nShield Solo Specifications

    Cryptographic algorithms supported:

    • Symmetric
      • AES (128, 192, and 256 bit)
      • Aria (128, 192, and 256 bit)
      • Camellia (128, 192, and 256 bit)
      • Triple DES (112, 168 bit)
    • Asymmetric
      • RSA (1024, 2048, 4096, 8192 bit)
      • Diffie-Hellman
      • DSA
      • ECC Suite B
    • Hashing
      • SHA-1, SHA-2 (224, 256, 384, and 512 bit)


    • FIPS 140-2 Level 2 and Level 3 (details on FIPS page)
      • Solo XC is FIPS-pending
    • Common Criteria EAL4+ (AVA_VAN.5)
      • Organismo di Certificazione della Sicurezza Informatica (OCSI) Italian certification, including recognition of Thales nShield HSMs as Secure Signature Creation Devices (SSCDs). Compliant with eIDAS Article 51.
    • UL, CE, FCC
    • RoHS, WEEE

    Operating systems supported:

    • Windows
    • Linux
    • Red Hat Linux Enterprise
    • Solaris
    • IBM AIX
    • HP-UX
    • AIX LPARs

    APIs supported:

    • PKCS#11
    • OpenSSL
    • Java (JCE)
    • Microsoft CAPI and CNG

    Below is a non-exhaustive list of applications that utilize these APIs and have been tested by Thales partners and/or customers.

    • Aconite Affina
    • ActivIdentity Card Management System, 4Tress, Validations Authority
    • Apache
    • Axway Validation Authority
    • Bell ID Token Manager, EMV Data Preparation
    • CA Application Performance Manager
    • CyberArk Digital Vault
    • EfficientIP SolidServer
    • Entrust Authority Security Manager
    • IBM Tivoli Access Manager, Websphere
    • Imperva SecureSphere
    • Infoblox IPAM Appliance
    • Insta Certifier Certificate Authority
    • Intercede MyID
    • ISC BIND
    • Lieberman Software Enterprise Random Password Manager
    • Keynectis OpenTrust PKI
    • McAfee Iron Mail, Web Gateway
    • Microsoft Active Directory Federated Services (ADFS), Active Directory Certificate Services (ADCS), Forefront Identity Manager (FIM), Internet Services Accelerator (ISA), Rights Management Services (RMS), Internet Information Services (IIS), BizTalk Server, Authenticode, Hyper-V, SQL Server, Mediaroom
    • nuBridges Protect
    • PingIdentity PingFederate
    • Prime Factors EncryptRIGHT
    • PrimeKey EJBCA
    • Protegrity Data Security Platform
    • Red Hat Certificate System
    • Riverbed Stingray
    • RSA Certificate Manager, Data Protection Manager
    • Totemo Trustmail
    • Vasco Vacman
    • Verisec Hnossa
    • Voltage SecureData

    Environmental Conditions
