Entrust nShield HSM provider.
The Entrust nShield HSM family (formerly nCipher) provides hardware-backed cryptographic operations with support for Security Worlds and OCS card sets.
§Platform-specific Library Paths
- Linux: /opt/nfast/toolkits/pkcs11/libcknfast.so
- macOS: /opt/nfast/toolkits/pkcs11/libcknfast.dylib
- Windows: C:\Program Files\nCipher\nfast\toolkits\pkcs11\cknfast.dll
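A PKCS#11 module is loaded into the calling process, so the path handed to the loader is worth vetting first. The following is an added example, not code from this crate: `nshield_default_library` and `vet_pkcs11_library` are hypothetical helpers that pick the platform path from the list above and refuse relative, missing, non-regular, or group/world-writable files.

```rust
use std::fs;
use std::path::{Path, PathBuf};

/// Default library location per platform, taken from the list above.
/// Hypothetical helper; not the crate's own `default_library_path`.
pub fn nshield_default_library() -> &'static str {
    if cfg!(target_os = "windows") {
        r"C:\Program Files\nCipher\nfast\toolkits\pkcs11\cknfast.dll"
    } else if cfg!(target_os = "macos") {
        "/opt/nfast/toolkits/pkcs11/libcknfast.dylib"
    } else {
        "/opt/nfast/toolkits/pkcs11/libcknfast.so"
    }
}

/// Vet a PKCS#11 module path before it is loaded into the process.
/// Returns the canonical path so the loader opens exactly what was checked.
pub fn vet_pkcs11_library(path: &Path) -> Result<PathBuf, String> {
    if !path.is_absolute() {
        // A bare file name would be resolved through the loader's search path.
        return Err(format!("{}: relative path refused", path.display()));
    }
    // canonicalize() resolves symlinks and fails if the file is missing.
    let real = fs::canonicalize(path).map_err(|e| format!("{}: {}", path.display(), e))?;
    let meta = fs::metadata(&real).map_err(|e| format!("{}: {}", real.display(), e))?;
    if !meta.is_file() {
        return Err(format!("{}: not a regular file", real.display()));
    }
    #[cfg(unix)]
    {
        use std::os::unix::fs::PermissionsExt;
        // A group- or world-writable module can be replaced by other local users.
        if meta.permissions().mode() & 0o022 != 0 {
            return Err(format!("{}: group/world-writable", real.display()));
        }
    }
    Ok(real)
}

fn main() {
    match vet_pkcs11_library(Path::new(nshield_default_library())) {
        Ok(p) => println!("ok to load: {}", p.display()),
        Err(e) => eprintln!("refusing to load PKCS#11 module: {}", e),
    }
}
```

The parent directories need the same mode discipline, since a writable directory lets the file be replaced after the check.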
§Security World and OCS
nShield HSMs use a “Security World” model where keys are protected by:
- Administrator Card Sets (ACS) - for initial setup
- Operator Card Sets (OCS) - for routine key access
The PKCS#11 interface requires OCS cards to be presented before accessing protected keys. In automated environments, this is typically handled via:
- Softcards (passphrase-protected software OCS)
- Remote Operator (network-based OCS)
- Preload (OCS loaded during system boot)
§Mechanism Support
nShield supports all standard PKCS#11 mechanisms including:
- RSA signing and encryption (PKCS#1 v1.5, PSS, OAEP)
- ECDSA signing (P-256, P-384, P-521)
- AES Key Wrap (CKM_AES_KEY_WRAP) via nCore
Note: Some mechanisms may require specific firmware versions or nCore modules.
Functions§
- default_library_path - Default PKCS#11 library path for Linux.
- provider_config - Get the default provider configuration for Entrust nShield.
- supported_mechanisms - Mechanisms supported by nShield HSMs.