Data Security and Key Management - Thales e-Security

nShield Solo+

Server-Embedded HSM

FIPS 140-2

nShield Solo is a high-assurance security solution delivered as a PCIe card designed for embedding in stand-alone servers or appliances. This nShield HSM delivers dedicated cryptographic offload and acceleration capability to satisfy the highest performance requirements. nShield Solo is ideal for use within security appliances to achieve FIPS-grade security hardening.

Fully supporting the Thales Security World architecture, nShield Solo provides an ideal combination of high assurance and operational ease. This makes it easier for you to define and enforce security policies, such as access control and separation of duties, while also automating burdensome and risk-prone administrative tasks including back-ups and compliance reporting.

nShield Solo is fully compatible with the rest of the nShield HSM family, enabling mixed deployments and easy expansion as performance requirements increase. To meet your needs for versatility, nShield Solo is available in various performance models, including world-class elliptic curve cryptography (ECC) transaction rates.

Benefits of nShield Solo

  • Embedded form factor for dedicated performance enhancement
  • Isolates critical security functions and minimizes IT interdependencies
  • Provides FIPS 140-2 certification for appliance vendors with high assurance requirements

    nShield Solo Features

    Security Features

    nShield HSMs and the Thales Security World architecture combine a number of technologies to provide multi-layered security as follows:

    Physical security

    • A dedicated, card-based security module that isolates cryptographic processes and keys from applications and host operating systems – accessible only through tightly controlled cryptographic APIs.
    • Protect execution of custom, security-critical applications within the HSM boundary (CodeSafe option)
    • Guard against tampering using specialty materials
    • Detect attack attempts by monitoring hardware

    Logical security

    • Users authenticated using smart cards, avoiding reliance on weak and often shared passwords
    • Clear separation of duties distinguishes between administrators and key custodians, in contrast to software-based systems where application super-users or root-level administrators might enjoy widespread entitlements
    • Minimize the threat of malicious insiders by requiring administrators to present smart cards as a quorum to perform particularly sensitive tasks such as key recovery; the quorum requirement is highly configurable and strongly enforced within the HSM.
    • Integrity validation and policy enforcement for nShield-protected applications (CodeSafe option)

    Operational Features

    The nShield family of HSMs and the Thales Security World architecture deliver both security and convenience by automating important key management tasks, including:

    • The power to extend the organization’s existing data backup, replication and file sharing practices to include application keys—dramatically simplifying HSM management and minimizing costly HSM-specific practices
    • Remote Administration cuts costs by letting administrators and operators manage distantly deployed HSMs from their local office
    • Wide range of standard application interfaces coupled with an extensive pre-testing program with leading application vendors minimizes deployment risk
    • Boost performance and optimize client machine capacity through cryptographic acceleration and by off-loading resource-intensive operations
    • Unlimited key storage capacity offers high scalability
    • Back-up methods avoid the need to archive keys in dedicated hardware or costly backup HSMs
    • Combine multiple HSMs to create a highly resilient network for load balancing and failover

    nShield Solo Options and Accessories

    Developer Software & Options

    Performance Ratings

    The nShield Solo is available in multiple performance variants: the 500+, 2000+, 4000+, and 6000+, which indicate signing transactions per second for 1024-bit RSA. Please consult the nShield Solo data sheet for additional performance data.


    The nShield Solo is available in FIPS 140-2 Level 2 and Level 3 variants.

    CipherTools Developer Toolkit

    Using the CipherTools Developer Toolkit, developers take full advantage of the advanced integration capabilities available for the nShield HSM family when developing custom applications. The Toolkit includes detailed tutorials, reference documentation, sample programs written in a range of high-level languages, and additional libraries to expand capabilities for integration with applications beyond those that can be achieved by the standard application program interfaces (APIs).

    CodeSafe

    CodeSafe enables developers to execute applications within the nShield HSM, protecting them from threats such as insider attacks, malware, and Trojans that they would be vulnerable to on typical server platforms. CodeSafe provides a “sandbox” where code can be validated for integrity—ideal for applications residing in untrusted locations. CodeSafe provides fine-grained access control for security-critical resources that are protected on the device, such as private keys and non-volatile user memory. Sample applications include digital meters, authentication agents, time-stamp engines, audit loggers, digital signature agents, and custom encryption processes. CodeSafe is available for all nShield FIPS 140-2 Level 3 certified HSMs excluding the nShield Edge.


    Elliptic Curve Cryptography (ECC) Activation

    nShield HSMs offer a large number of cryptographic algorithms as part of the standard feature set, including AES, DSA and RSA. For organizations wishing to use ECC, an ECC Activation license is available. The optional activation license enables hardware-optimized ECC operation on nShield Solo 500+ and 6000+ models.

    Database Security Option Pack

    Databases often contain an organization's most sensitive data. As a result, major database vendors have implemented native encryption in their database server products. The nShield Database Security Option Pack adds support for Microsoft’s Extensible Key Management (EKM) API. It enables organizations to better protect the keys that protect sensitive data in Microsoft SQL Server deployments using Transparent Data Encryption (TDE), manage keys across multiple databases and systems, and separate key management and database administration.

    Time Stamp Option Pack

    Secure time stamps help organizations verify that certain data existed at a certain point in time and has not been manipulated since that time. This is critical for applications including digital archives, public key infrastructures, code signing, notary services, patent applications, lottery, as well as betting and gaming. The Time Stamp Server from Thales is a turnkey solution for organizations that want a ready-to-use time stamping solution. For organizations looking for an OEM solution or who want to combine time stamping with other HSM functionality, the Time Stamp Option Pack enhances nShield Solo 500 to support standardized time stamps. The Time Stamp Option Pack is available for nShield Solo FIPS 140-2 Level 3 certified HSMs only (not for nShield Solo FIPS 140-2 Level 2 certified HSMs). Organizations looking to add time-stamping features in custom applications can benefit from the Time Stamping Developer Software.


    payShield Cardholder Authentication for nShield

    To protect against credit card and online banking fraud, many financial institutions have implemented additional security measures for card-not-present transactions. payShield Cardholder Authentication for nShield complements other Thales payments products by enabling organizations to authenticate the cardholder through various means, such as Chip and PIN (CAP) for online banking transactions, and 3-D Secure, also known as Verified by Visa and MasterCard SecureCode. This option integrates with cardholder authentication solutions including ActivIdentity, Arcot, Bell ID and Gemalto. Organizations with advanced requirements can also use the payShield Developer Software to produce custom solutions.

    Remote Operator

    HSMs typically run in physically secure, lights-out data centers, often in several redundant sites. Many organizations therefore find it impractical to gain physical access to the HSM for day-to-day operations. Remote Operator saves time and reduces travel costs by enabling users to present credentials to a remote HSM in a secure manner directly from their workstation.

    KCDSA Activation

    Highly sensitive areas of government and enterprises with a strong interest in national security sometimes prefer to use proprietary, national cryptographic algorithms to protect their most sensitive information. Given these security concerns, it is advantageous to run such algorithms on a secure HSM platform. The KCDSA Activation enables South Korean agencies to use the Korean Certificate-based Digital Signature Algorithm (KCDSA) on an nShield HSM. Thales recommends CodeSafe technology to organizations that wish to implement their own national algorithms on the protected HSM platform.


    Remote Administration

    Remote Administration lets you manage your HSMs—including adding applications, upgrading firmware, checking status, and more—from your location, and whenever you choose. Remote Administration lets you eliminate travel to data centers for routine HSM management, helping to cut costs and optimize your resources. Remote Administration helps you to:

    • Cut travel costs
    • Reduce downtime
    • Eliminate the risk of carrying cards to remote locations

    Remote Administration Kits, which enable the feature, contain one or more Trusted Verification Devices (TVDs) (secure, custom card readers), Remote Administration Cards (smart cards), and client software. Kits are sized and priced based on the number of HSMs in the estate.

    Smart Card Reader Rackmount

    For organizations deploying one or more nShield Solo modules in a 19" rack, the optional nShield Smart Card Reader Rackmount provides a practical and tidy solution to attach card readers in the data center. The nShield Smart Card Reader Rackmount is 1U in height and can be equipped with up to four smart card readers, which are shipped as standard with nShield Solo cards. Each unit is shipped with three blanking plates to cover any unused slots.

    Compatibility Overview

    * Only one of these CodeSafe applications can be run on a single HSM.

    nShield Solo Specifications

    Cryptographic algorithms supported:

    • Symmetric: AES (128, 192, and 256 bit), ARIA (128, 192, and 256 bit), Camellia (128, 192, and 256 bit), Triple DES (112, 168 bit)
    • Asymmetric: RSA (1024, 2048, 4096, 8192 bit), Diffie-Hellman, DSA, ECC Suite B
    • Hashing: SHA-1, SHA-2 (224, 256, 384, and 512 bit)


    Certifications:

    • FIPS 140-2 Level 3
    • UL, CE, FCC
    • RoHS, WEEE

    Operating systems supported:

    • Windows
    • Linux
    • Red Hat Enterprise Linux
    • Solaris
    • IBM AIX
    • HP-UX
    • AIX LPARs

    APIs supported:

    • PKCS#11
    • OpenSSL
    • Java (JCE)
    • Microsoft CAPI and CNG

    Below is a non-exhaustive list of applications that utilize these APIs and have been tested by Thales partners and/or customers.

    • Aconite Affina
    • ActivIdentity Card Management System, 4Tress, Validations Authority
    • Apache
    • Axway Validation Authority
    • Bell ID Token Manager, EMV Data Preparation
    • CA Application Performance Manager
    • CyberArk Digital Vault
    • EfficientIP SolidServer
    • Entrust Authority Security Manager
    • IBM Tivoli Access Manager, Websphere
    • Imperva SecureSphere
    • Infoblox IPAM Appliance
    • Insta Certifier Certificate Authority
    • Intercede MyID
    • ISC BIND
    • Lieberman Software Enterprise Random Password Manager
    • Keynectis OpenTrust PKI
    • McAfee Iron Mail, Web Gateway
    • Microsoft Active Directory Federated Services (ADFS), Active Directory Certificate Services (ADCS), Forefront Identity Manager (FIM), Internet Services Accelerator (ISA), Rights Management Services (RMS), Internet Information Services (IIS), BizTalk Server, Authenticode, Hyper-V, SQL Server, Mediaroom
    • nuBridges Protect
    • PingIdentity PingFederate
    • Prime Factors EncryptRIGHT
    • PrimeKey EJBCA
    • Protegrity Data Security Platform
    • Red Hat Certificate System
    • Riverbed Stingray
    • RSA Certificate Manager, Data Protection Manager
    • Totemo Trustmail
    • Vasco Vacman
    • Verisec Hnossa
    • Voltage SecureData
