Company Description

Microsoft strives to produce innovative products and services that meet customers' evolving needs. Entrust nShield HSMs are certified to support a wide range of Microsoft security solutions and deliver the industry’s most operationally efficient key management framework.

Entrust enables Microsoft customers to utilize cryptographic security to enhance their business as well as satisfy evolving compliance requirements. Entrust and Microsoft together facilitate the secure adoption of new technologies and delivery models including virtualization and cloud computing. Entrust is a Gold Certified Microsoft partner.

Entrust nShield HSMs safeguard the certificate issuance, management, and validation processes for organizations looking to extend the security of Microsoft Active Directory Certificate Services (AD CS) PKI. Using nShield HSMs, all key generation and certificate signing operations are executed within the tamper-resistant confines of the hardware module. Private keys are securely stored and never accessible outside the HSM. Microsoft's published guidance, Securing PKI: Protecting CA Keys and Critical Artifacts, states that using an HSM is one of the strongest controls one can implement to provide strong protection of CA and other high-value keys.

Entrust nShield HSMs create tight controls around the management of the keys used to protect sensitive data at rest and in use across on-premises and Azure-based client applications. Microsoft Azure Key Vault safeguards the critical cryptographic keys used in the cloud to keep data secured. Used with Microsoft Azure Information Protection (AIP), the data exchanged within collaborative work environments is protected by embedding enforceable security policies right on the data assets, regardless of the data type.

AIP uses Entrust HSMs to ensure that keys are always under customer control. Microsoft AIP with Bring Your Own Key (BYOK) gives organizations control and visibility of the use of their keys, and neutralizes the perception that sensitive data maintained in the cloud is vulnerable.

While most content can be served by securely stored keys in Azure, some sensitive content can never leave the customer’s own security perimeter. To manage this sensitive data, AIP also offers Hold Your Own Key (HYOK). The HYOK option is enabled by an on-premises component, with key management provided through the Entrust HSMs.

Entrust key management for Microsoft SQL Server 2016, 2014, 2012 and 2008 extends and enhances security by providing protection and lifecycle management for database encryption keys. Entrust HSMs utilize Microsoft’s Extensible Key Management (EKM) interface to support Transparent Data Encryption (TDE) and cell-level encryption modes for protection and consolidation of database application keys. This provides high-assurance key archival for long-term data access and facilitates periodic rotation of encryption keys as required by regulations such as PCI DSS.

In addition to the resources linked on this page, several detailed integration guides are available for Entrust-Microsoft solutions – please visit Knowledge Base for a full listing.



Redmond, WA
United States


  • Program:
  • nFinity Partner Program
  • nFinity HSM
    • Cloud, DevOps, Containers, Microservices
    • Digital Signing, Code Signing
    • PKI, IoT, Certificate Management
    • Encryption, Database Security, Tokenization
    • Identity and Access Management (IAM)

Solution Brief: Protect Sensitive Data at Rest and in Use Across on-Premises and Azure-Based Client Applications

Solution Brief: Enhanced Security for Microsoft Active Directory Certificate Services

Solution Brief: Entrust Database Encryption Solution for Microsoft SQL Server

Solution Brief: Secure Certificate Registration: Entrust High Assurance for Microsoft NDES

Solution Brief: Entrust Bring Your Own Key for High Assurance Key Management

Solution Brief: Entrust Enhances Security of VMs Deployed Within Microsoft Windows Server 2016

Solution Brief: Hold Your Own Key for High Assurance Key Management

Integration Guide: Microsoft AD CS and OCSP nShield HSM for Microsoft Windows Server

Integration Guide: Microsoft SQL Server 2019 Always Encrypted nShield HSM

Integration Guide: Microsoft Host Guardian Service and Shielded Virtual Machines nShield HSM for Windows Server 2019 and Admin Attestation

Integration Guide: Bring Your Own Key for Microsoft Azure Key Vault nShield HSM

Integration Guide: Bring Your Own Key for Microsoft Azure Key Vault - Entrust KeyControl BYOK

Integration Guide: Microsoft Authenticode - nShield HSM

Integration Guide: Microsoft AD Federation Service nShield HSM

Integration Guide: Microsoft AD CS OCSP nShield HSM

Integration Guide: Microsoft IIS nShield HSM

Integration Guide: Microsoft AD CS and NDES nShield HSM for Microsoft Windows Server

Integration Guide: nShield Database Security Option Pack Integration with Microsoft SQL Server

Integration Guide: Time Stamp Option Pack nShield HSM for Microsoft 365

Video: nShield Integration with Microsoft AD FS

Video: nShield Database Security Option Pack Integration with Microsoft SQL Server

Video: Microsoft 365 Integration with Entrust nShield Timestamp Option Pack for Document Signing

Video: Entrust nShield Integration with MS AD CS OCSP