The Cryptographic Security Platform (CSP) software solution provides a unified platform for managing, protecting, and assessing cryptographic assets. CSP provides functionalities in the following categories:

Compliance Management

These capabilities assist with assessing and managing compliance of identified keys, secrets, and certificates with specified requirements. Compliance Management may be deployed in a clustered configuration and includes:

  • Compliance Manager: A CSP component that provides centralized visibility, compliance, and risk governance of the enterprise’s cryptographic assets. It connects data sources—such as vaults and security object repositories—from which it imports metadata about security objects (keys, secrets, and certificates), aggregates this information into a centralized inventory, and evaluates assets against compliance requirements.
  • Discovery: A CSP feature for asset discovery and data collection, used to collect information about cryptographic assets so they can be brought under centralized visibility. Discovery operates through configuration-based scans, which can be run manually or on a schedule. Scan results integrate directly with Compliance Manager to populate the inventory of certificates, keys, and secrets.
  • Standard Compliance Packs: Pre‑configured collections of compliance requirements designed to assist organizations in assessing cryptographic assets against commonly adopted industry standards and best practices.
  • Third-party Objects: An optional functionality that allows metadata for keys, secrets, or certificates not created or stored directly by CSP components or Entrust’s non-CSP Certificate Authority (“ECA”) software to be imported into the Compliance Manager inventory. Imported third‑party objects are included in compliance assessments and reporting but remain externally managed.

HSM Management

HSM Management provides centralized management, monitoring, and visibility for Entrust HSMs. It is deployed as part of the Compliance Management configuration and includes:

  • KeySafe 5: Centralized management of Entrust HSMs (Security Worlds, card sets, soft cards, firmware, host applications) with cryptographic asset visibility via Compliance Manager.
  • KeySafe 5 Monitoring: Optional capability for centralized monitoring of Entrust HSMs with live and historical health, performance, alerts, and utilization metrics.

Certificate Management

CSP optional add‑on capabilities for deploying Public Key Infrastructure (PKI) functionality in clustered configurations, with usage limitations depending on the purchased license packages:

  • Certification Authority Package, includes:
      • Certificate authority solution providing certificate issuance, management, and validation, with built‑in RESTful APIs for the CAs created and managed within the CSP.
      • Certificate Enrollment Gateway (CEG): a collection of certificate enrollment protocols. In this package, CEG may only be used for certificates created and managed within CSP.
  • Advanced PKI Package, includes:
      • Timestamping Authority: software to prove that data existed at a specific time.
      • Validation Authority: certificate validation (OCSP) software specifically for (non-CSP) ECA.
      • CA Gateway: software consisting of RESTful APIs for integrating CAs. In this package, CA Gateway may only be used to integrate CSP with ECA.
  • Advanced CLM Package, includes:
      • Certificate Manager (formerly Certificate Hub): Certificate lifecycle management and automation across CAs created and managed within the CSP and third‑party CAs, excluding CA functionality.
      • CA Gateway: In this package, it is permissible to use CA Gateway for integration with CSP CAs and non-CSP CAs.
      • Certificate Enrollment Gateway: In this package, it is permissible to use Certificate Enrollment Gateway for certificates created by both CSP and non-CSP CAs.

Keys and Secrets Management

CSP optional add-on capability for deploying multiple vault appliances in active-active Vault Clusters. Appears on Orders as “Compliance Manager - 2 Nodes Virtual Appliance Cluster for Vaults.” A Vault Cluster is a secure CSP software component that provides an isolated environment for managing cryptographic keys, secrets, and related objects. Vault Clusters securely generate, store, protect, and control access to cryptographic material while enforcing strong security controls and auditability.

Each Vault Cluster can manage one or more of the following vault types:

  • Vault for KMIP Keys: Cryptographic keys, secrets, and certificates managed using the Key Management Interoperability Protocol (KMIP), enabling standardized and interoperable key lifecycle management across heterogeneous environments and applications.
  • Vault for Cloud Keys: Encryption keys used in cloud key management services—such as AWS KMS, Azure Key Vault, and Google Cloud KMS—to protect cloud‑native workloads and data. CSP supports bring‑your‑own‑key (BYOK), hold‑your‑own‑key (HYOK), and native key management models, depending on the target cloud service.
  • Vault for Secrets: Sensitive data such as passwords, API keys, access tokens, and credentials that require secure storage, access control, and lifecycle management.
  • Vault for Application Keys: Cryptographic keys used by applications to perform cryptographic operations—such as encryption, digital signatures, and hashing—via CSP cryptographic APIs or command‑line interfaces.
  • Vault for TDE Database Keys: Encryption keys used to protect databases with Transparent Data Encryption (TDE), including Oracle, Microsoft SQL Server, MariaDB, and open‑source PostgreSQL, ensuring data at rest is encrypted.
  • Vault of Virtual Machine Encryption Keys: Cryptographic keys used to encrypt Windows and Linux virtual machine operating system disks and attached data volumes in virtualized environments.

File Encryption

File Encryption is a CSP software component that encrypts file‑based data and may be deployed in a clustered configuration. File Encryption supports both:

  • Software‑based encryption, where hardware HSM protection is not required, and
  • Hardware‑based encryption, leveraging Entrust HSMs for enhanced key protection.

The File Encryption capability includes 10 GB of protected data capacity. Additional encrypted data capacity may be added by purchasing 1 TB add‑on annual subscriptions.