Entrust HSM

Protect Secrets Manager connection details locally with Entrust HSM
Keeper Secrets Manager integrates with Entrust HSM in order to provide protection for Keeper Secrets Manager configuration files. With this integration, you can protect connection details on your machine while taking advantage of Keeper's zero-knowledge encryption of all you secret credentials.


  • Encrypt and Decrypt your KSM configuration files with Entrust HSM
  • Protect against unauthorized access to your Secrets Manager connections
  • Requires only minor change to code for immediate protection. Works with all KSM Python SDK functionality


  • The Python module needs to be built as a nShield native application
    • Using Python (v3.8.5) and nfpython modules from SDK ISO image from Entrust nShield software (Security World 12.80 or later)
  • Virtualenv is recommended


1. Create and Configure Virtualenv

This step is optional, but recommended for development
Create a virtualenv environment to work in
/opt/nfast/python3/bin/python3 -m venv --copies venv
Activate the virtualenv environment before starting development
. venv/bin/activate
Create a virtualenv environment to work in
c:\Program Files\nCipher\nfast\python3\python --copies -m venv venv
Activate the virtualenv environment before starting development

2. Install KSM Storage and nfpython Modules

The Secrets Manager HSM modules are located in the Keeper Secrets Manager storage module which can be installed using pip
pip3 install keeper-secrets-manager-storage
The nfpython package also needs to be installed in order to utilize the Entrust HSM. This package is installed as part of the nShield package with your Entrust installation.
In Linux:
pip install /opt/nfast/python3/additional-packages/nfpython*.whl
In Windows:
pip install c:\Program Files\nCipher\nfast\python3\additional-packages\nfpython*.whl

3. Add Entrust HSM Storage to Your Code

Use the HsmNfastKeyValueStorage as your Secrets Manager storage in the SecretsManager constructor.
The HsmNfastKeyValueStorage requires the method and identity ("simple" and "ksmkey" respectively in this example).
from keeper_secrets_manager_core import SecretsManager
from keeper_secrets_manager_hsm.storage_hsm_nfast import HsmNfastKeyValueStorage
config=HsmNfastKeyValueStorage('simple', 'ksmkey', 'client-config.json')
secrets_manager = SecretsManager(config=config, verify_ssl_certs=True)
all_records = secrets_manager.get_secrets()
You're all set and ready to use Secrets Manager with Entrust NShield HSM

Using Secrets Manager with Entrust HSM

Once setup, the Secrets Manager Entrust integration supports all Secrets Manager SDK functionality. Your code will need to be able to access the nShield HSM in order to manage the decryption of the configuration file when run.
Check out the KSM SDKs documentation for more examples and functionality

Create an Encryption Key for Testing

In order to test encryption with the Entrust nShield HSM, use the following command:
Replace "ksmkey" in these examples with the identity in your HSM.
in Linux:
opt/nfast/bin/generatekey -b simple protect=module type=AES size=256 ident=ksmkey
in Windows:
c:\Program Files\nShield\nfast\bin\generatekey -b simple protect=module type=AES size=256 ident=ksmkey