Entrust datacenters

In the cloud-based Entrust data centers, the multi-tenant signing key management selects the nShield HSM that will:

  • Generate and wrap the keys when processing key generation requests.

  • Unwrap the signing key stored in the signing key database and sign a document hash when processing a signature request.

nShield HSMs are FIPS 140-2 Level 3 compliant devices used for:

  • Generating and wrapping the keys stored in the signing key database.

  • Unwrapping the signing keys.

  • Signing document hashes with the unwrapped keys.

The Entrust data centers never access the documents to be signed because generating a digital signature only requires the document hash.
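The following sketch is an added example, not Entrust or nShield code. It models the flow described above in software: a key is generated and wrapped, then later unwrapped to sign a hash that the client computed locally. The `WRAPPING_KEY` variable, the function names, AES key wrap with padding, and ECDSA P-256 with SHA-256 are all assumptions chosen for illustration; the page does not state which algorithms the service uses.

```python
# Added illustration: a software stand-in for the HSM flow, not Entrust code.
import hashlib
import os

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, keywrap, serialization
from cryptography.hazmat.primitives.asymmetric import ec, utils

WRAPPING_KEY = os.urandom(32)  # assumption: stands in for a key held inside the HSM


def generate_wrapped_key():
    """Key generation request: create a signing key, return (wrapped blob, public key)."""
    key = ec.generate_private_key(ec.SECP256R1())
    der = key.private_bytes(
        serialization.Encoding.DER,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    # Only the wrapped blob would be stored in the signing key database.
    return keywrap.aes_key_wrap_with_padding(WRAPPING_KEY, der), key.public_key()


def sign_hash(wrapped_blob, digest):
    """Signature request: unwrap the key and sign a hash; no document is passed in."""
    if len(digest) != hashlib.sha256().digest_size:
        raise ValueError("expected a SHA-256 digest")
    der = keywrap.aes_key_unwrap_with_padding(WRAPPING_KEY, wrapped_blob)
    key = serialization.load_der_private_key(der, password=None)
    # Prehashed tells the library the input is already a digest.
    return key.sign(digest, ec.ECDSA(utils.Prehashed(hashes.SHA256())))


def verify_document(public_key, document, signature):
    """Relying party: verify over the full document, which the signer never saw."""
    try:
        public_key.verify(signature, document, ec.ECDSA(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False


def demo():
    document = b"constructed sample contract text"  # constructed input, stays client-side
    blob, public_key = generate_wrapped_key()
    signature = sign_hash(blob, hashlib.sha256(document).digest())
    ok = verify_document(public_key, document, signature)
    altered = verify_document(public_key, document + b"!", signature)
    return ok, altered
```

The signature produced from the hash alone verifies against the full document and fails against an altered copy, which is why the signing side needs no access to document content.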