Data Security and Key Management - Thales e-Security

nShield Edge

Secure, portable, and flexible USB-attached HSM

nShield Edge from Thales e-Security is a USB-connected HSM that enables organizations to implement high assurance cryptography cost-effectively. Portability and USB connectivity make nShield Edge especially suitable for use with laptops, workstations or desktops. This compact yet full-featured HSM with its integrated smart card reader is perfectly suited to situations with limited space or where HSMs are used only occasionally.

Fully supporting the Thales Security World architecture, nShield Edge provides an ideal combination of high assurance and operational ease. This makes it easier for you to define and enforce security policies, such as access control and separation of duties, while also automating burdensome and risk-prone administrative tasks including back-ups and compliance reporting.

nShield Edge is fully compatible with the rest of the nShield HSM family, enabling mixed deployments and easy expansion as performance requirements increase. This independently certified security platform performs key management and cryptographic operations such as encryption and digital signing on behalf of a wide range of commercial and custom-built business applications and critical security systems, including offline certificate authorities (CAs) for public key infrastructures (PKIs), code signing, and remote HSM management. The security boundary of nShield Edge is certified up to FIPS 140-2 Level 3.

Benefits of nShield Edge

  • Small, portable form factor suits any deployment scenario
  • Convenient tool for use in a development environment
  • Economic, fully scalable entry point for HSM deployment

nShield Edge Features

Security Features

nShield HSMs and the Thales Security World architecture combine a number of technologies to provide multi-layered security as follows:

Physical security

  • A dedicated, portable device that isolates cryptographic processes and keys from applications and host operating systems—accessible only through tightly controlled cryptographic APIs.
  • Guards against tampering using specialty materials
  • Detects attack attempts by monitoring the hardware

Logical security

  • Users are authenticated using smart cards, avoiding reliance on weak and often shared passwords
  • Clear separation of duties distinguishes between administrators and key custodians, in contrast to software-based systems where application super-users or root-level administrators might enjoy widespread entitlements
  • The threat of malicious insiders is minimized by requiring administrators to present smart cards as a quorum to perform particularly sensitive tasks such as key recovery. Quorum requirements are highly configurable and strongly enforced within the HSM.
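To make the quorum idea concrete, here is an added example (not Thales's code, and not the Security World card-set format) of k-of-n threshold recovery using Shamir secret sharing: the protected secret can be rebuilt only when at least k distinct shares, one per card, are presented, and the enforcement point refuses anything less. The 3-of-5 card set, the prime field and the function names are assumptions made for the example.

```python
# Added example (not Thales's code): k-of-n quorum recovery with Shamir secret
# sharing. It illustrates the threshold principle behind a quorum of
# administrator smart cards, not the nShield Security World format itself.
# Assumed model: one share per card; any k of n cards reconstruct, fewer cannot.
import secrets

PRIME = (1 << 127) - 1  # Mersenne prime; the field every share lives in

def split_secret(secret, k, n):
    """Return n (x, y) shares of `secret`; any k of them reconstruct it."""
    if not 0 <= secret < PRIME or not 1 <= k <= n:
        raise ValueError("bad parameters")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # evaluate with Horner's rule
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares

def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the prime field."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total

def authorize_recovery(presented, k):
    """Enforce the quorum: refuse when fewer than k distinct cards are
    presented; otherwise reconstruct from exactly k of them."""
    distinct = dict(presented)  # a card presented twice counts once
    if len(distinct) < k:
        raise PermissionError(f"quorum not met: {len(distinct)} of {k} cards")
    return recover_secret(list(distinct.items())[:k])

if __name__ == "__main__":
    cards = split_secret(0xC0FFEE, k=3, n=5)        # a 3-of-5 card set
    print(hex(authorize_recovery(cards[1:4], 3)))   # any three cards succeed
    try:
        authorize_recovery(cards[:2], 3)            # two cards are refused
    except PermissionError as exc:
        print(exc)
```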

Operational Features

The nShield family of HSMs and the Thales Security World architecture deliver both security and convenience by automating important key management tasks, including:

  • The power to extend the organization’s existing data backup, replication and file sharing practices to include application keys—dramatically simplifying HSM management and minimizing costly HSM-specific practices
  • Wide range of standard application interfaces coupled with an extensive pre-testing program with leading application vendors minimizes deployment risk
  • Unlimited key storage capacity offers high scalability
  • Back-up methods avoid the need to archive keys in dedicated hardware or costly backup HSMs
  • Convenient USB interface that supports a wide variety of host platforms including laptops and other portable devices.

nShield Edge Options

The nShield Edge is available in FIPS 140-2 Level 2 and Level 3 variants. A non-FIPS Developer Edition is also offered, providing a low-cost mechanism for engineers to develop applications that will ultimately be deployed on FIPS-certified nShield Solo or Connect devices, and where the higher performance of those devices is not required in a development environment.

CipherTools Developer Toolkit

Using the CipherTools Developer Toolkit, developers can take full advantage of the advanced integration capabilities available for the nShield HSM family when building custom applications. The Toolkit includes detailed tutorials, reference documentation, sample programs written in a range of high-level languages, and additional libraries that extend integration with applications beyond what the standard application programming interfaces (APIs) can achieve.

Elliptic Curve Cryptography (ECC) Activation

nShield HSMs offer a large number of cryptographic algorithms as part of the standard feature set, including AES, DSA and RSA. Organizations that want to take advantage of the next-generation elliptic curve algorithms can enhance their HSMs by adding the ECC Activation. While all nShield HSMs can process elliptic curve cryptography with this option pack, users of the nShield 500 PCI cards will additionally benefit from hardware acceleration.

KCDSA Activation

Highly sensitive areas of government and enterprises with a strong interest in national security sometimes prefer to use proprietary, national cryptographic algorithms to protect their most sensitive information. Given these security concerns, it is advantageous to run such algorithms on a secure HSM platform. The KCDSA Activation enables South Korean agencies to use the Korean Certificate-based Digital Signature Algorithm (KCDSA) on an nShield HSM. Thales recommends CodeSafe technology to organizations that wish to implement their own national algorithms on the protected HSM platform.

Compatibility Overview

Options Table

* Only one of these CodeSafe applications can be run on a single HSM.

nShield Edge Specifications

Cryptographic algorithms supported:

  • Symmetric
    • AES (128, 192, and 256 bit)
    • Aria (128, 192, and 256 bit)
    • Camellia (128, 192, and 256 bit)
    • Triple DES (112, 168 bit)
  • Asymmetric
    • RSA (1024, 2048, 4096, 8192 bit)
    • Diffie-Hellman
    • DSA
    • ECC Suite B
  • Hashing
    • SHA-1, SHA-2 (224, 256, 384, and 512 bit)

Certifications:

  • FIPS 140-2 Level 2 and 3
  • UL, CE, FCC
  • RoHS, WEEE

Operating systems supported:

  • Windows

APIs supported:

  • PKCS#11
  • OpenSSL
  • Java (JCE)
  • Microsoft CAPI and CNG

Below is a non-exhaustive list of applications that utilize these APIs and have been tested by Thales partners and/or customers.

  • Aconite Affina
  • ActivIdentity Card Management System, 4Tress, Validations Authority
  • Apache
  • Axway Validation Authority
  • Bell ID Token Manager, EMV Data Preparation
  • CA Application Performance Manager
  • CyberArk Digital Vault
  • EfficientIP SolidServer
  • Entrust Authority Security Manager
  • IBM Tivoli Access Manager, Websphere
  • Imperva SecureSphere
  • Infoblox IPAM Appliance
  • Insta Certifier Certificate Authority
  • Intercede MyID
  • Lieberman Software Enterprise Random Password Manager
  • Keynectis OpenTrust PKI
  • McAfee Iron Mail, Web Gateway
  • Microsoft Active Directory Federated Services (ADFS), Active Directory Certificate Services (ADCS), Forefront Identity Manager (FIM), Internet Services Accelerator (ISA), Rights Management Services (RMS), Internet Information Services (IIS), BizTalk Server, Authenticode, Hyper-V, SQL Server, Mediaroom
  • nuBridges Protect
  • PingIdentity PingFederate
  • Prime Factors EncryptRIGHT
  • PrimeKey EJBCA
  • Protegrity Data Security Platform
  • Red Hat Certificate System
  • Riverbed Stingray
  • RSA Certificate Manager, Data Protection Manager
  • Totemo Trustmail
  • Vasco Vacman
  • Verisec Hnossa
  • Voltage SecureData