Data Security and Key Management - Thales e-Security

nShield Edge

Secure, portable, and flexible USB-attached HSM


nShield Edge from Thales e-Security is a USB-connected hardware security module (HSM) that enables organizations to implement high assurance cryptography in a cost-effective way. Portability and USB connectivity make nShield Edge especially suitable for use with laptops and in workstation or desktop environments. This compact yet full-featured HSM with its integrated smart card reader is perfectly suited to situations with limited space or where HSMs are used only occasionally. Fully supporting the Security World key management architecture, nShield Edge provides an ideal blend of high assurance and operational ease. This makes it easier for you to define and enforce security policies such as dual controls while also automating burdensome and risk-prone administrative tasks.

nShield Edge is fully compatible with the rest of the nShield HSM family, enabling mixed deployments and easy migration as performance requirements increase. This independently certified security platform performs key management and cryptographic operations such as encryption and digital signing on behalf of a wide range of commercial and custom-built business applications and critical security systems including offline certificate authorities (CAs) for public key infrastructures (PKIs), code signing, and remote HSM management. The security boundary of nShield Edge is certified up to FIPS 140-2 Level 3.

Benefits of nShield Edge

  • HSMs overcome the inherent vulnerabilities of software-based cryptography.
  • Powerful key management architecture minimizes operational costs including compliance reporting.
  • Small, portable form factor suits any deployment scenario.
  • Lowest cost platform drives business case for expanded use of HSMs.
  • Entry point or development tool for broader HSM deployment. 

nShield Edge Features

Security Features

The primary purpose of a hardware security module (HSM) is to provide enhanced security for cryptographic operations that would otherwise be performed by software applications, operating systems, or unprotected server hardware—the majority of which are vulnerable to eavesdropping, misconfiguration, or modification. This additional protection arises from the use of a number of proven technologies that combine in a multi-layered approach. Some of those technologies include:

Physical security measures

  • A dedicated, portable device that isolates cryptographic processes and keys from applications and host operating systems—accessible only through tightly controlled cryptographic APIs.
  • Custom-built hardware to guard against physical attack, including epoxy potting that shields the internal circuitry from probing and tamper-evident security labels that expose attempts to open the device.
  • Monitoring of environmental conditions, including power integrity and temperature, to detect potential attacks.

Logical security measures

  • All administrators and users that directly access the HSM are strongly and individually authenticated using smart cards that are issued and managed by the HSM itself—avoiding the need to rely on weak and often shared passwords managed within other systems or exposed to other applications.
  • Clear separation of duties that distinguishes between HSM administrators and the key custodians who approve the use of HSM-protected keys, in contrast to software-based systems where application ‘super-users’ or root-level administrators might enjoy widespread entitlements.
  • Dual controls, where multiple administrators or operators may be required to act as a quorum to perform particularly sensitive tasks such as key recovery. This form of mutual supervision is a common way to minimize the threat from malicious insiders, and it is highly configurable and strongly enforced within the HSM.

Operational Features

In the past, high-security features tended to be cumbersome, adding effort and affecting performance. As a result, administrators were forced to make unfortunate tradeoffs between security on the one hand and performance and efficiency on the other. The nShield family of HSMs, with its Security World key management architecture, delivers both security and convenience by automating a number of important key management tasks and removing restrictions that would otherwise limit capacity or performance. These include:

  • The ability to use existing data backup, replication, and file-sharing practices to safely and automatically perform application key sharing, distribution, and backup—dramatically simplifying HSM deployment and management by minimizing the need to establish costly HSM-specific practices.
  • Standard application interfaces to support the widest range of applications and systems and an extensive pre-testing program with leading application vendors to minimize deployment risk.
  • Unlimited capacity for protected key storage, increasing overall scalability.
  • Backup techniques that avoid the need to archive keys in dedicated hardware or costly backup HSMs.
  • Convenient USB interface that supports a wide variety of host platforms including laptops and other portable devices.

nShield Edge Options

The nShield Edge is available in FIPS 140-2 Level 2 and FIPS 140-2 Level 3 variants. A non-FIPS Developer Edition is also offered, providing a low-cost way for engineers to develop applications that will ultimately be deployed on FIPS-certified nShield Solo or Connect devices, where the higher performance of those devices is not required in a development environment.

CipherTools Developer Toolkit

With the CipherTools Developer Toolkit, you can take full advantage of the advanced capabilities offered by the nShield HSM family as you integrate HSMs with your applications. It includes detailed tutorials and reference documentation, sample programs written in a range of high level languages, and additional versions of libraries to expand capabilities for integration with business applications beyond those that can be achieved by the standard application program interfaces (APIs).

Elliptic Curve Cryptography (ECC) Activation

nShield HSMs offer a large number of cryptographic algorithms as part of the standard feature set, including AES, DSA, and RSA. Organizations that want to take advantage of next-generation elliptic curve algorithms can enhance their HSMs by adding the Elliptic Curve (ECC) Activation. While all nShield HSMs can process elliptic curve cryptography with this option pack, users of nShield 500 PCI cards will additionally benefit from hardware acceleration.

Remote Operator

HSMs typically run in physically secure, lights-out data centers, often in several redundant sites. Many organizations therefore find it impractical to gain physical access to the HSM for day-to-day operations. Remote Operator saves time and reduces travel costs by enabling users to present credentials to a remote HSM in a secure manner directly from their workstation.

KCDSA Activation

Highly sensitive areas of government and enterprises with a strong interest in national security sometimes prefer to use proprietary, national cryptographic algorithms to protect their most sensitive information. Given these security concerns, it is advantageous to run such algorithms on a secure HSM platform. KCDSA Activation enables South Korean agencies to use the Korean Certificate-based Digital Signature Algorithm (KCDSA) on an nShield HSM. 

Compatibility Overview

nShield Solo FIPS 140-2 Level 2 nShield Solo FIPS 140-2 Level 3 nShield Edge netHSM (legacy) nShield Connect
CipherTools Developer Software O O O O O
CodeSafe / SEE Activation* O O O
Database Security Option Pack O O   O O
payShield Cardholder Authentication for nShield * O O O
payShield Key Loading Device  O O O
Time Stamping Option Pack* O
Time Stamping Developer Software O
Remote Operator Activation O O O O O
Elliptic Curve (ECC) Activation O O O O O
KCDSA Activation O O O O O
nShield Smart Card Reader Rackmount O O
Additional Client License O O
nToken  O O
Replacement PSU for nShield Connect O
Replacement Fan Tray for nShield Connect O
Keyboard for nShield Connect O
Slide rails for nShield Connect O

S = standard; O = optional

*No more than one of these CodeSafe applications can be run on a single HSM.

nShield Edge Specifications

Cryptographic algorithms supported:

  • Symmetric
    • AES (128, 192, and 256 bit)
    • Aria (128, 192, and 256 bit)
    • Camellia (128, 192, and 256 bit)
    • Triple DES (112, 168 bit)
  • Asymmetric
    • RSA (1024, 2048, 4096, 8192 bit)
    • Diffie-Hellman
    • DSA
    • ECC Suite B
  • Hashing
    • SHA-1, SHA-2 (224, 256, 384, and 512 bit)

Certifications and compliance:

  • FIPS 140-2 Level 2 and 3
  • UL, CE, FCC
  • RoHS, WEEE

Operating systems supported:

  • Windows

APIs supported:

  • PKCS#11
  • OpenSSL
  • Java (JCE)
  • Microsoft CAPI and CNG

Below is a non-exhaustive list of applications that utilize these APIs and have been tested by Thales partners and/or customers.

  • Aconite Affina
  • ActivIdentity Card Management System, 4Tress, Validations Authority
  • Apache
  • Axway Validation Authority
  • Bell ID Token Manager, EMV Data Preparation
  • CA Application Performance Manager
  • CyberArk Digital Vault
  • EfficientIP SolidServer
  • Entrust Authority Security Manager
  • IBM Tivoli Access Manager, Websphere
  • Imperva SecureSphere
  • Infoblox IPAM Appliance
  • Insta Certifier Certificate Authority
  • Intercede MyID
  • Lieberman Software Enterprise Random Password Manager
  • Keynectis OpenTrust PKI
  • McAfee Iron Mail, Web Gateway
  • Microsoft Active Directory Federated Services (ADFS), Active Directory Certificate Services (ADCS), Forefront Identity Manager (FIM), Internet Services Accelerator (ISA), Rights Management Services (RMS), Internet Information Services (IIS), BizTalk Server, Authenticode, Hyper-V, SQL Server, Mediaroom
  • nuBridges Protect
  • PingIdentity PingFederate
  • Prime Factors EncryptRIGHT
  • PrimeKey EJBCA
  • Protegrity Data Security Platform
  • Red Hat Certificate System
  • Riverbed Stingray
  • RSA Certificate Manager, Data Protection Manager
  • Totemo Trustmail
  • Vasco Vacman
  • Verisec Hnossa
  • Voltage SecureData
