Comprehensive Cloud Security

Entrust Provides the Best Solution for Your Cloud Security Challenge

Entrust offers three different solutions for cloud security. Choose those that fit your requirements.

  • Control Your Own Key in the Cloud – Cloud Integration Option Pack
  • Protect Your Microsoft 365 Assets – Double Key Encryption for Microsoft 365
  • Comprehensive VMware and Cloud Encryption – Entrust HyTrust KeyControl, DataControl and CloudControl

Cloud Integration Option Pack

Using cloud-native encryption features while maintaining full control over the key material

Create and control cryptographic keys in your FIPS 140-2 HSM, then securely export to the cloud.

Provides users of public cloud services with the ability to generate cryptographic keys in their own environment. Retain control of those keys while making them available, as required, for use in the cloud of their choice.

  • Control of your cryptographic keys, supporting a multi-cloud or hybrid-cloud strategy
  • Secure key generation using a strong entropy source
  • Long term key protection using a FIPS-certified HSM
  • Support for Amazon Web Services, Google Compute Engine, Microsoft Azure

Protect your brand and data

Validated to the highest security standards, such as FIPS 140-2 and Common Criteria, Entrust nShield HSMs are ready to protect your data in even the most challenging and demanding security situations, whether on premises or in the cloud.

Supported cloud service providers

Cloud Integration Option Pack (CIOP) provides the tools to allow you to create your cryptographic keys using an nShield HSM then wrap and securely export them to the following cloud service providers:

  • Amazon Web Services (AWS)
  • Google Compute Engine
  • Microsoft Azure Key Vault (using the Azure BYOK mechanism)

Download the CIOP flyer.

For customers seeking a higher level of assurance, Microsoft offers nCipher BYOK.
The nCipher BYOK method provides additional assurances that the key permissions created at generation time are preserved during the transfer to Microsoft Azure Key Vault. In addition, Microsoft makes use of the nCipher Security World to restrict key use to a specified Azure region. This method does not require the purchase of CIOP. See Import HSM-protected keys for Key Vault (nCipher) for more information.



Double Key Encryption for Microsoft 365

Keeping your sensitive data on Microsoft 365 services secure.

Extend control and security over sensitive data in hybrid and cloud environments

  • Apply two layers of security to your most sensitive content in Azure cloud
  • Encrypt so even Microsoft does not have the ability to access your content
  • Own and fully control your key and the software that generates your key
  • Host your key and store your critical data in the location of your choice
  • Manage user access to your key and the content protected by the key

Key features and benefits

Entrust Double Key Encryption for Microsoft Azure Information Protection (AIP), offered by Entrust Professional Services, is designed to help enterprises protect their most sensitive content in Microsoft 365.

  • Integrates with certified Entrust nShield® HSMs to provide a root of trust for the protection of sensitive customer keys.
  • The tools and hardware give enterprises complete ownership and control of the software that underpins the double key generation process, with no Microsoft footprint on the customers’ premises.

Double Key Encryption enables organizations to use hybrid-computing environments with added levels of protection, control, and assurance. As part of the Microsoft AIP offer, the solution enables enterprise customers to select who has permissions to access associated keys and decrypt content. Enterprises can store encrypted data on-premises or in the cloud, where it remains unreadable to Microsoft.

Replacing Microsoft Hold your Own Key (HYOK), Double Key Encryption does not require enterprise customers to operate their own Active Directory and Rights Management servers. Instead, customers are empowered to provide their own cryptographic keys in real time.

How it works


Double Key Encryption utilizes two component cryptographic keys to protect highly sensitive data across the enterprise – a Microsoft key and a customer key.

  • The Microsoft key is initially used to encrypt the customer content in Azure.
  • The Microsoft key is encrypted using the customer key, which is protected using an nShield HSM on-premises.
  • The process prevents Microsoft from having access to the key and the customer content in Azure.

Download the Double Key Encryption flyer.




Entrust HyTrust Solution

Entrust KeyControl

Universal key management for encrypted workloads.

Deliver enterprise scale and availability, supporting Key Management Interoperability Protocol (KMIP)-compatible encryption agents

  • Upgradeable to Entrust DataControl for complete, multi-cloud workload encryption
  • Provide seamless integration with FIPS 140-2 Level 3 Entrust nShield® HSMs
  • Validated by VMware® to support vSphere® and vSAN® virtualization platforms

Managing the security of workloads in a dynamic, virtualized environment is a time-consuming and complex challenge for administrators

Encrypting workloads significantly reduces your risk of data breaches; if data does fall into the wrong hands, it is unreadable. However, managing the keys for tens of thousands of encrypted workloads is nontrivial. To ensure strong data security, keys have to be rotated frequently, and transported and stored securely. Along with the high demand for strong data security, there is an ever-increasing business need to meet regulatory requirements for PCI-DSS, HIPAA, NIST 800-53, and GDPR compliance in virtual environments.

Many virtualization platforms such as VMware vSphere do not include native key management functionality, requiring a third-party external key management server (KMS). For multi-cloud environments, key management is even more complex as many key management systems cannot interoperate between different platforms.

Enhanced multi-cloud workload encryption
KeyControl is easily upgraded to Entrust DataControl, which enables multi-cloud workload encryption and policy-based key management. It ensures policies are enforced, even when moving across cloud platforms (private and public) such as Microsoft Azure and Amazon Web Services (AWS). DataControl ensures that data within each VM is securely encrypted (AES-128/256-bit) throughout its lifecycle: from installation, upon boot, until each workload is securely decommissioned.

Download the Entrust KeyControl Flyer.

Entrust DataControl

Data encryption, multi-cloud key management, and workload security.

Entrust DataControl secures multi-cloud workloads throughout their lifecycle and reduces the complexity of protecting workloads across multiple cloud platforms. This provides greater protection of your organization’s critical and sensitive information while enabling compliance with data privacy regulations.

  • Complete workload lifecycle encryption management – from boot to decommissioning
  • Key Management Server (KMS)
  • Strong and granular VM encryption: live boot (OS) and data partition encryption
  • Access controls for separation of duties among admins
  • Easy to deploy and manage
  • Seamless integration with Entrust nShield® HSMs for FIPS 140-2 Level 3 certified root of trust

Managing encrypted workloads can get complex, especially in a multi-cloud environment
Many workloads contain critical data, which has to be protected. Your company’s reputation is at stake, and after a data breach, lawsuits and loss of revenue are a serious concern.

Workloads go through many lifecycles, from staging to deployment, to backup and eventual decommissioning. Each stage poses different risks of potential data theft or other misuse.

Managing encrypted workloads in a multi-cloud infrastructure
DataControl allows you to manage your encrypted workloads across different infrastructures. It works on-premises and with the leading public cloud platforms, as well as with hyperconvergence and storage solutions. With DataControl, you get a centralized and scalable solution to control all your encryption keys. DataControl includes the VMware-certified Entrust KeyControl Key Management Server (KMS).

Download the Entrust DataControl Flyer.

Entrust CloudControl

Comprehensive security for hybrid multi-cloud environments
Entrust CloudControl is a powerful solution that reduces risk through visibility and policy. As IT environments transition to hybrid cloud, security architectures must undergo a corresponding transformation. Deploying point solutions that each address a particular infrastructure type just leads to higher costs and inconsistent protection. CloudControl addresses the need for a comprehensive solution by providing a unified framework for security and compliance across the hybrid cloud – reducing both risk and operational overhead. Originally developed as the industry’s leading solution to protect applications and data in VMware virtualized datacenters, CloudControl also delivers security for public cloud and containerized environments.

  • Consistency is key to operationally efficient security and compliance. Unlike fragmented approaches, Entrust CloudControl provides comprehensive capabilities in a unified policy framework that delivers superior value and minimizes staff time focused on operational assurance.
  • Decreased risk of security or availability failures. Gain full-stack multi-dimensional policies and industry-leading administration controls to protect against insider threats, spear phishing against IT staff, and human errors that cause downtime.
  • Improved agility for virtualized datacenters, public and private clouds. Acquire “write-once, apply anywhere” policies that support consistent controls and eliminate manual efforts.
  • Lower operational overhead. Eliminate multiple consoles and inconsistent security constructs, and gain Trust Manifests that provide “security as code” automation.
  • Efficient full-stack compliance. Get built-in templates for PCI, NIST 800-53, HIPAA, FedRAMP, DISA STIG and more. The solution also provides workload placement controls, logical segmentation, and robust audit trail and reporting that supports control validation.
  • Improved visibility and operational awareness. You gain insight with forensic-quality logs for incident response root cause analysis and intent context.

Solution highlights

  • Comprehensive security and compliance across virtualization, public cloud, and containers
  • Over 20 capabilities in a single solution
  • Unified policy, visibility, and administrative guardrails
  • Built-in compliance templates & robust reporting
  • Secure separation of workloads
  • “Security as code” automation for DevSecOps

Download the Entrust CloudControl Flyer.




Contact |


+41 58 311 1000



Headquarters Zürich

Ergonomics AG | Nordstrasse 15 | CH-8006 Zürich | Switzerland