Thank you for reading the Authentication Suite Server SDK for HSM Key Management Guide for Entrust nShield.
The OneSpan authentication technology relies on the fact that OneSpan customers share certain secrets with their end users. OneSpan provides the customer with these secrets in the form of a DPX file. The customer stores the secrets as a collection of Digipass BLOBs.
A fundamental security requirement is that the secrets shared between customers and end users remain secret. This means that the secrets have to be protected at all times, including during transport of the DPX file and storage of the authenticator application BLOB. The protection of the DPX files and authenticator application BLOBs is based on cryptographic operations with keys, and those keys need to be protected as well.
OneSpan supports different key management options, with different levels of security. This document focuses on key management using the Entrust nShield hardware security module (HSM). More specifically, it describes how to use these HSMs to safely manage the keys that are used to protect DPX files and Digipass application BLOBs.
This document provides information about:
- Protection mechanisms for DPX files and Digipass application BLOBs
- The keys involved in the protection mechanisms
- The OneSpan key management tool
This document does not provide:
- Information about the functions necessary to implement the Digipass family of authentication devices in a host system (refer to the Authentication Suite Server SDK C-C++ Programmer's Guide).
- Information about the functions necessary to use Authentication Suite Server SDK with a hardware security module (refer to the Authentication Suite Server SDK for HSM C-C++ Programmer's Guide).
This document assumes that you have thorough knowledge of the following products:
- Authentication Suite Server SDK for HSM
- Entrust nShield hardware security module
- Entrust nShield software packages: Entrust CipherTools/Entrust CodeSafe toolkit
As of version 4.0, OneSpan Authentication Server Framework has been renamed to Authentication Suite Server SDK. If not explicitly stated otherwise, any information and references to OneSpan Authentication Server Framework or VACMAN Controller also apply to Authentication Suite Server SDK.