Data Security and Key Management - Thales e-Security

nShield Connect XC & Connect

nShield Connect

nShield Connect Series

Connect+ model and
Connect XC

Network Attached HSMs

The nShield Connect series, including the Connect+ and new Connect XC models, delivers cryptographic services as a shared network resource for distributed applications and virtual machines, giving organizations a highly secure solution for establishing physical and logical controls for server-based systems. Fully supporting the Thales Security World architecture, the Connect series provides an ideal combination of high assurance and operational ease. This makes it easier for you to define and enforce security policies, such as access control and separation of duties, while also automating burdensome and risk-prone administrative tasks including back-ups and compliance reporting.

The nShield Connect series is fully compatible with the entire nShield HSM family, enabling mixed deployments and easy expansion as performance requirements increase. To meet your needs for versatility, nShield Connect is available in various performance models, including the Connect XC’s most accelerated model to date, supporting best-in-class elliptical curve cryptography (ECC) transaction rates. And helping customers protect powerful, mission-critical custom algorithms within the secure boundaries of the HSM, the Connect XC series expands CodeSafe, nShield’s unique run-time environment.

The nShield Connect+ is certified to FIPS 140-2 Level 3 and the Connect XC model is FIPS-pending.

Benefits of nShield Connect HSMs

    bullet Support high volume, enterprise transactions with accelerated transaction rates

    bullet Spacious run-time environment protects powerful custom apps within HSM

    bullet Flexible architecture simplifies scaling as security needs expand


nShield Connect Features

Security Features

nShield HSMs and the Thales Security World architecture combine a number of technologies to provide multi-layered security as follows:

Physical security

  • A dedicated appliance that isolates cryptographic processes and keys from applications and host operating systems—accessible only through tightly controlled cryptographic APIs.
  • Protect execution of custom, security-critical applications within the HSM boundary (CodeSafe option)
  • Guard against tampering using specialty materials
  • Detect attack attempts by monitoring hardware
  • Client authentication prevents impersonation (nToken accessory)

Logical security

  • Users authenticated using smart cards, avoiding reliance on weak and often shared passwords
  • Clear separation of duties distinguish between administrators and key custodians in contrast to software based systems where application super-users or root-level administrators might enjoy widespread entitlements
  • Minimize the threat of malicious insiders by requiring administrators to present smart cards as a quorum to perform particularly sensitive tasks such as key recovery. Highly configurable and strongly enforced within the HSM.
  • Integrity validation and policy enforcement for nShield-protected applications (CodeSafe option)

Operational Features

The nShield family of HSMs and the Thales Security World architecture deliver both security and convenience by automating important key management tasks, including:

  • The power to extend the organization’s existing data backup, replication and file sharing practices to include application keys—dramatically simplifying HSM management and minimizing costly HSM-specific practices
  • Remote Administration cuts costs by letting administrators and operators manage distantly deployed HSMs from their local office
  • Wide range of standard application interfaces coupled with an extensive pre-testing program with leading application vendors minimizes deployment risk
  • Boost performance and optimize client machine capacity through cryptographic acceleration and by off-loading resource-intensive operations
  • Unlimited key storage capacity offers high scalability
  • Back-up methods avoid the need to archive keys in dedicated hardware or costly backup HSMs
  • High availability and uptime through fault-tolerant chassis design and dual hot-swap power supplies and redundant field-serviceable fans
  • Combine multiple HSMs to create a highly resilient network for load balancing and failover


nShield Connect Options & Accessories


Developer Software & Options


Developer Software & Options

Performance Ratings

nShield Connect is available in multiple performance variants as follows:

  • FIPS-pending Connect XC models: XC Base, XC Mid, and XC High
  • FIPS-certified Connect+ models: 500+, 1500+, and 6000+

Please consult the nShield Connect data sheet for performance data.

Client Licenses

Each nShield Connect ships with three client licenses. Additional licenses are available for purchase. The maximum number of client licenses supported vary by Connect model as shown in the tables below.  Additionally, nTokens are an available accessory for authenticating HSM clients.

nShield Connect Table


CodeSafe enables developers to execute applications within the nShield HSM, protecting them from threats such as insider attacks, malware, and Trojans that they would be vulnerable to on typical server platforms. CodeSafe provides a “sand box” where code can be validated for integrity—ideal for applications residing in untrusted locations. CodeSafe provides fine-grained access control for security-critical resources that are protected on the device, such as private keys and non-volatile user memory. Sample applications include digital meters, authentication agents, time-stamp engines, audit loggers, digital signature agents, and custom encryption processes. CodeSafe is available for all nShield FIPS 140-2 Level 3 certified HSMs excluding the nShield Edge.


CipherTools Developer Toolkit 

Using the CipherTools Developer Toolkit, developers take full advantage of the advanced integration capabilities available for the nShield HSM family when applying custom applications. The Toolkit includes detailed tutorials, reference documentation, sample programs written in a range of high level languages, and additional libraries to expand capabilities for integration with applications beyond those that can be achieved by the standard application program interfaces (APIs).

Elliptic Curve Cryptography (ECC) Activation

nShield HSMs offer a wide variety of cryptographic algorithms, including AES, DSA and RSA, as part of the standard feature set. For organizations wishing to use ECC, an ECC Activation license is available. The optional activation license enables hardware-optimized ECC operation on nShield Connect HSMs.

Database Security Option Pack

Databases often contain an organization's most sensitive data. As a result, major database vendors have implemented native encryption in their database server products. The nShield Database Security Option Pack adds support for Microsoft’s Extensible Key Management (EKM) API. It enables organizations to better protect the keys that protect sensitive data in Microsoft SQL Server deployments using Transparent Data Encryption (TDE), manage keys across multiple databases and systems, and separate key management and database administration. More information >>

payShield Cardholder Authentication for nShield

To protect against credit card and online banking fraud, many financial institutions have implemented additional security measures for card-not-present transactions. payShield Cardholder Authentication for nShield complements other Thales payments products by enabling organizations to authenticate the cardholder through various means, such as Chip and PIN (CAP) for online banking transactions, and 3-D Secure, also known as Verified by Visa and MasterCard SecureCode. This option integrates with cardholder authentication solutions including ActivIdentity, Arcot, Bell ID and Gemalto.

KCDSA Activation

Highly sensitive areas of government and enterprises with a strong interest in national security sometimes prefer to use proprietary, national cryptographic algorithms to protect their most sensitive information. Given these security concerns, it is advantageous to run such algorithms on a secure HSM platform. The KCDSA Activation enables South Korean agencies to use the Korean Certificate-based Digital Signature Algorithm (KCDSA) on an nShield HSM. Thales recommends CodeSafe technology to organizations that wish to implement their own national algorithms on the protected HSM platform.


Remote Administration Kits

Remote Administration lets you manage your HSMs—including adding applications, upgrading firmware, checking status, and more—from your location, and whenever you choose. Remote Administration lets you eliminate travel to data centers for routine HSM management, helping to cut costs and optimize your resources. Remote Administration helps you to:

  • Cut travel costs
  • Reduce downtime
  • Eliminate the risk of carrying cards to remote locations

Remote Administration Kits, which enable the feature, contain one or more Trusted Verification Devices (TVDs) (secure, custom card readers), Remote Administration Cards (smart cards), and client software. Kits are sized and priced based on the number of HSMs in the estate.

More details available here.


For organizations wishing to enhance security for their nShield Connect HSM clients, nTokens are PCI or PCI Express (PCIe) cards that enable client authentication to deter impersonation. Thales offers bundles of three nTokens, as well as individual nTokens. PCI variants are full-height and PCI Express variants are low-profile cards. nTokens are not compatible with virtual servers.

Thales nToken

Replacement Power Supply Unit (PSU)

nShield Connect features dual, hot-swap power supplies. Thales PSUs enable you to replace failed parts without downtime.

Replacement Fan Tray

nShield Connect features redundant, field-replaceable fans. Thales replacement fan trays enable you to replace failed parts without downtime.


While many functions of nShield Connect can be carried out easily with the touch wheel at the front of the unit, operators may prefer using a keyboard. Thales offers an optional USB keyboard. Because the keyboard is typically only used for few operations, one keyboard per data center site is generally sufficient.

nShield Connect 6000 accessories include slide rails, smart cards, and an optional USB keyboard

Slide Rails

To mount nShield Connect in a 19" rack without a shelf, Thales offers optional slide rails to be fitted with nShield Connect. These enable easier hardware installation and allow you to use server racks more densely. Thales recommends that customers use these slide rails exclusively because parts from other manufacturers may not be compatible. The slide rails are always sold as a pair, i.e. ordering one unit of this part code will include two slide rails, sufficient to mount one nShield Connect module.

Compatibility Overview

Options Table

* Only one of these CodeSafe applications can be run on a single HSM.

nShield Connect Specifications

Cryptographic algorithms supported:

  • Symmetric
    • AES (128, 192, and 256 bit)
    • Aria (128, 192, and 256 bit)
    • Camelia (128, 192, and 256 bit)
    • Triple DES (112, 168 bit)
  • Asymmetric
    • RSA (1024, 2048, 4096, 8192 bit)
    • Diffie-Hellman
    • DSA
    • ECC Suite B
  • Hashing
    • SHA-1, SHA-2 (224, 256, 384, and 512 bit)


  • FIPS 140-2 Level 3 (details on FIPS page)
    • Connect XC is FIPS-pending
  • Common Criteria EAL4+ (AVA_VAN.5)
    • Organismo di Certificazione della Sicurezza Informatica (OCSI) Italian certification, including recognition of Thales nShield HSMs as Secure Signature Creation Devices (SSCDs). Compliant to eIDAS Article 51.
  • UL, CE, FCC
  • RoHS, WEEE

Operating systems supported:

  • Windows
  • Linux
  • Red Hat Enterprise Linux
  • Solaris
  • HP-UX
  • VMware
  • Hyper-V

APIs supported:

  • PKCS#11
  • Open SSL
  • Java (JCE)
  • Microsoft CAPI and CNG
Below is a non-exhaustive list of applications that utilize these APIs and have been tested by Thales, our partners, and/or our mutual customers.
  • Aconite Affina
  • ActivIdentity Card Management System, 4Tress, Validations Authority
  • Apache
  • Axway Validation Authority
  • Bell ID Token Manager, EMV Data Preparation
  • CA Application Performance Manager
  • CyberArk Digital Vault
  • EfficientIP SolidServer
  • Entrust Authority Security Manager
  • IBM Tivoli Access Manager, Websphere
  • Imperva SecureSphere
  • Infoblox IPAM Appliance
  • Insta Certifier Certificate Authority
  • Intercede MyID
  • Lieberman Software Enterprise Random Password Manager
  • Keynectis OpenTrust PKI
  • McAfee Iron Mail, Web Gateway
  • Microsoft Active Directory Federated Services (ADFS), Active Directory Certificate Services (ADCS), Forefront Identity Manager (FIM), Internet Services Accelerator (ISA), Rights Management Services (RMS), Internet Information Services (IIS), BizTalk Server, Authenticode, Hyper-V, SQL Server, Mediaroom
  • nuBridges Protect
  • PingIdentity PingFederate
  • Prime Factors EncryptRIGHT
  • PrimeKey EJBCA
  • Protegrity Data Security Platform
  • Red Hat Certificate System
  • Riverbed Stingray
  • RSA Certificate Manager, Data Protection Manager
  • Totemo Trustmail
  • Vasco Vacman
  • Verisec Hnossa
  • Voltage SecureData

Environmental Conditions

nShield Connect Environmental


nshield specs 

nShield Connect Data Sheet

Related Products