Entrust nShield HSM for SSL Decryption for Out-of-Band Tools

Required License: Included with SSL Decryption for Out-of-Band Tools

Starting in software version 5.3, the Entrust nShield Hardware Security Module (HSM) is integrated with passive SSL decryption. Hardware Security Modules offer secure storage, management, and operation of cryptographic material, such as private keys and passphrases. The HSM stores and manages the keys in a safe and secure environment. Because the keys reside on the HSM in the network, they are offloaded from the application on the network device: the application no longer holds the private key itself.

The application could be a web server or a database server, but, in the case of SSL decryption for out-of-band tools, the application is GigaSMART. The application interfaces with HSM to use the keys that are stored. There must be network connectivity between HSM and the application.

Keys are added to the HSM by an administrator. When an application’s key is loaded on the HSM, the HSM creates an application key token for it. The key token is sent to the application. When the application wants to use a key, it sends the token to the HSM and establishes a session with the HSM in which the key is used. In this way, the use of keys by the application is secure because only key tokens, never the keys themselves, are exchanged.
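The token flow just described, as an added example that is not Gigamon or Entrust code: the HSM is modelled as a Python object holding a toy RSA private key, and the "application" stands in for GigaSMART. The private-key operation performed inside the session is assumed here to be RSA decryption of a captured pre-master secret, which is the operation a passive decryptor needs for RSA key exchange; the page itself does not say which operation the session carries. The key size, key label and token format are constructed for illustration.

```python
"""Model of HSM key-token use (constructed example, not vendor code)."""
import hashlib
import hmac
import os

# Toy RSA key (constructed; 17-bit primes, far too small for real use).
P, Q = 104723, 104729
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, known only to the HSM


class Hsm:
    """Holds private keys and performs operations on them inside a session.

    The private exponent never leaves this object; callers only ever hold
    opaque key tokens and session ids.
    """

    def __init__(self):
        self._keys = {}                      # token -> private exponent
        self._sessions = set()               # (session id, token) pairs
        self._token_secret = os.urandom(32)  # keyed hash so tokens cannot be guessed

    def admin_load_key(self, label, private_exponent):
        """Administrator loads a key; the HSM returns an opaque token for it."""
        token = hmac.new(self._token_secret, label.encode(), hashlib.sha256).hexdigest()
        self._keys[token] = private_exponent
        return token

    def open_session(self, token):
        """The application presents its token; the HSM opens a session for it."""
        if token not in self._keys:
            raise PermissionError("unknown key token")
        session_id = os.urandom(8).hex()
        self._sessions.add((session_id, token))
        return session_id

    def rsa_decrypt(self, session_id, token, ciphertext):
        """Private-key operation, performed inside the HSM for a valid session."""
        if (session_id, token) not in self._sessions:
            raise PermissionError("no session for this token")
        return pow(ciphertext, self._keys[token], N)


class Application:
    """Stand-in for GigaSMART: holds a token, never the key."""

    def __init__(self, hsm, token):
        self.hsm = hsm
        self.token = token

    def recover_pre_master_secret(self, encrypted_pms):
        session_id = self.hsm.open_session(self.token)
        return self.hsm.rsa_decrypt(session_id, self.token, encrypted_pms)


def client_encrypt(pre_master_secret):
    """What a TLS client does with the server's public key (constructed stand-in)."""
    return pow(pre_master_secret, E, N)


def forged_token_is_rejected(hsm):
    """A token the HSM did not issue must not open a session."""
    try:
        hsm.open_session("not-a-token-this-hsm-issued")
    except PermissionError:
        return True
    return False


def demo(pre_master_secret=0x5EC4E7):
    hsm = Hsm()
    token = hsm.admin_load_key("www-server-key", D)   # administrator step
    app = Application(hsm, token)                      # only the token is handed over
    encrypted = client_encrypt(pre_master_secret)      # value observed on the wire
    recovered = app.recover_pre_master_secret(encrypted)
    return {
        "recovered": recovered,
        "app_state": vars(app),                        # contains a token, not D
        "forged_rejected": forged_token_is_rejected(hsm),
    }
```

Calling `demo()` shows the two properties the text relies on: the application recovers the pre-master secret without ever holding the private exponent (its state is only the HSM handle and the token), and a token the HSM did not issue is refused before any key operation happens.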

You can use the Remote File System (RFS), a component of the HSM deployment, to store and manage encrypted keys. The RFS helps to automate the key distribution process. You can enable RFS on the GigaVUE‑OS device using GigaVUE‑FM so that the device can access the encrypted keys stored in the RFS. You can synchronize the RFS with the GigaVUE‑OS device to perform a bulk download of the encrypted keys.

Entrust nShield HSM is supported on GigaVUE‑HC1, GigaVUE‑HC2, GigaVUE‑HC3, and the Generation 3 GigaSMART card (SMT-HC1-S).