In the cloud-based Entrust data centers, the multi-tenant signing key management selects the nShield HSM that will:
- Generate and wrap the keys when processing key generation requests.
- Unwrap the signing key from the signing key database and sign a document hash when processing a signature request.
nShield HSMs are FIPS 140-2 Level 3 compliant devices used for:
- Generating and wrapping the keys stored in the signing key database.
- Unwrapping the signing keys.
- Signing document hashes with the unwrapped keys.
The Entrust data centers never access the documents to be signed because generating a digital signature only requires the document hash.
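
The flow described above, as an added Go sketch that is not Entrust's code: a key is generated and wrapped for the database, then unwrapped to sign a digest that the client computed, so the document never reaches the signer. AES-GCM under a constructed all-zero key stands in for the HSM's internal wrapping key, and ECDSA P-256 over SHA-256 is an assumed signature scheme (the page names neither); `hsm`, `generate` and `signHash` are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

type hsm struct{ wrap cipher.AEAD } // software stand-in: the wrapping key stays inside

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// generate returns the wrapped private key (the database record) and the public key.
func (h *hsm) generate() ([]byte, *ecdsa.PublicKey) {
	priv := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	nonce := make([]byte, h.wrap.NonceSize())
	must(rand.Read(nonce))
	return h.wrap.Seal(nonce, nonce, must(x509.MarshalPKCS8PrivateKey(priv)), nil), &priv.PublicKey
}

// signHash unwraps the record and signs a SHA-256 digest; no document is passed in.
func (h *hsm) signHash(record, digest []byte) ([]byte, error) {
	n := h.wrap.NonceSize()
	if len(digest) != sha256.Size || len(record) < n {
		return nil, fmt.Errorf("malformed signing request")
	}
	der, err := h.wrap.Open(nil, record[:n], record[n:], nil) // fails on a modified record
	if err != nil {
		return nil, err
	}
	return ecdsa.SignASN1(rand.Reader, must(x509.ParsePKCS8PrivateKey(der)).(*ecdsa.PrivateKey), digest)
}

func main() {
	h := &hsm{must(cipher.NewGCM(must(aes.NewCipher(make([]byte, 32)))))} // constructed demo key
	record, pub := h.generate()
	digest := sha256.Sum256([]byte("constructed sample document")) // hashed on the client
	sig, err := h.signHash(record, digest[:])
	fmt.Println("verified:", err == nil && ecdsa.VerifyASN1(pub, digest[:], sig))
}
```

The verifier only needs the public key, the signature and its own hash of the document, which is why a signature request can carry the digest alone.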