The DataShielder NFC HSM ecosystem is built on a foundation of cryptographic rigor and engineering precision. It supports a range of industry-standard and proprietary encryption mechanisms that together provide unmatched data sovereignty and resilience.

▸ Technologies Supported: AES-256 CBC, RSA-4096

Data is encrypted using AES-256 CBC for symmetric operations, with RSA-4096 used for secure key exchanges.

▸ Patented Segmented Key Architecture

Each encryption key is algorithmically split into independent segments. These segments are stored and managed separately, ensuring that no complete key ever exists statically on the device or in any database.

▸ Serverless, Databaseless Architecture

All key storage and management operations are performed locally within the NFC HSM. No server, cloud, or online intermediary is ever required, significantly reducing the attack surface.

▸ Volatile Memory Key Reconstruction

Decryption keys are reconstructed only in the device’s volatile memory at the exact time of use. Once operations are complete, memory is wiped, ensuring no persistence of sensitive material.

▸ RSA-4096 for Encrypted Label Sharing

RSA-4096 key pairs are uniquely dedicated to the encryption and exchange of labels containing login credentials or cryptographic secrets.

• Proximity Mode: NFC Beam and BLE transfer with mutual authentication.
• Remote Mode: Label sharing via QR codes, email, secure messaging apps, or printed forms.

The platform offers tiered access policies, anti-cloning protocols, and encapsulated security contexts that bind cryptographic operations to real-world conditions such as location, fingerprint, and device identity. Its advanced security framework supports:

• ➶ Trust criteria enforcement (PIN, geozone, QR scan, BSSID, device fingerprinting)
• ➶ Fingerprint-based local authentication
• ➶ Anti-replay and anti-tampering control
• ➶ Smart notification and access monitoring
• ➶ Dynamic re-encryption with segmented overlay logic
• ➶ Hardware-embedded 128-bit anti-counterfeit UID

Each function is carried out without transmitting data externally, preserving a full air-gap model while maintaining dynamic security enforcement in real time.

• ⚙ Secure webmail login and end-to-end email encryption
• ⚙ Encrypted password autofill for secure authentication
• ⚙ Local NFC HSM login for offline password validation
• ⚙ Secure key delivery to remote users via QR or NFC
• ⚙ Printed QR codes for physical air-gapped key sharing
• ⚙ One-touch secure access to encrypted labels on mobile
• ⚙ Cyber-defense workflows for civilian and defense use
• ⚙ Contactless access control with location and biometric factors
• ⚙ Tactical deployment: on-the-ground secure label exchanges in conflict zones without network reliance
• ⚙ Embassy communications: decryptable QR memos and AES-256 CBC printed reports segmented per official clearance
• ⚙ Government use: contactless login to secure workstations and document exchange in air-gapped environments
• ⚙ Classified delivery of printed QR memos: secure multi-recipient file sharing via mail or courier without exposing decryption keys

• Anti-espionage protocols & stealth communication
• Absolute anonymity: no digital identifiers stored
• Self-destruct keys after usage (RAM-only storage)
• Brute-force resistance: invasive and non-invasive attacks
• Non-repudiation enforcement for shared secrets

Secure Offline Paper Encryption with DataShielder NFC HSM

Unique Capability: DataShielder NFC HSM offers a sovereign, offline cryptographic channel for physical data distribution. This exclusive feature enables the generation of multiple AES-256 CBC encrypted QR codes—each built with segmented keys and assignable access conditions.

Real-World Application: This secure paper workflow addresses critical offline use cases such as embassy communiqués, military orders, or classified corporate memos. The recipient must possess both the segmented key and satisfy associated trust criteria (e.g., PIN, QR, geo-fence) to decrypt their assigned QR block.

Optimized Output: The system supports up to 8 unique QR codes per A4 sheet (duplex), allowing secure, multi-recipient communication through a single printed document.

Threat Resistance Matrix

• Environnement Entreprise: Déploiement en BYOD/COPE/CYOD avec contrôle local des clés par les utilisateurs ou les administrateurs, sans infrastructure serveur. Idéal pour la gestion des identifiants, secrets métiers et accès sécurisés à des plateformes SaaS.
• Usage Institutionnel: Adapté aux organismes gouvernementaux ou universitaires nécessitant un cloisonnement fort entre utilisateurs et services. La gestion segmentée par critères (QR, PIN, géolocalisation) permet un contrôle granulaire par département ou rôle.
• Souveraineté Défense: Pour les versions réglementées (Defense), le déploiement s’effectue via modules Master validés OTAN/ANSSI. Les modules Auth et M-Auth dérivés peuvent être distribués aux agents sans exposition du système maître.

Hybrid Deployment: BYOD, COPE, CYOD

Diagram illustrating secure integration of DataShielder NFC HSM across BYOD, COPE, and CYOD environments with NFC smartphones, BLE keyboards, and browser extensions

⚙ Modularité Native

Chaque modèle DataShielder NFC HSM peut être déployé de manière autonome ou en flotte. Le Master agit comme noyau cryptographique, avec la capacité d’engendrer une multitude de modules Auth/M-Auth adaptés aux besoins spécifiques des unités ou des filières.

• Modular Interoperability: Fully interoperable with PGP, Auth, and M-Auth modules. Both Master and Lite versions of DataShielder NFC HSM can generate unlimited Auth/M-Auth units—especially via the dedicated Starter Kit, without requiring any server infrastructure.
• Peripheral Trust: Secure usage of EviKey/EviDisk and InputStick BLE with cryptographic unlocking (PIN, QR, BSSID), no software required.
• Browser Extensions: Support secure workflows for email and file encryption via Chrome, Edge, Firefox. Enable contactless encrypted tunnels and label injection.
• EviDNS: ZeroConf pairing and HSM discovery utility for simplified enterprise deployments.
• Offline BLE HID Emulation: Use InputStick BLE dongle to inject secrets over an AES-128 encrypted channel into any USB system—no drivers, no network, no installation required.

■ BLE Offline Integration for USB-HID Systems

This deployment mode showcases the direct transmission of credentials, passphrases, and encryption keys from the DataShielder NFC HSM app (via BLE) to any USB-compatible host using InputStick. The channel is AES-128 CBC encrypted and requires no network infrastructure. Compatible with PCs, servers, kiosks, media players, smart TVs, Raspberry Pi, Arduino, and industrial controllers.

■ Local Encrypted Tunnel via NFC & QR Code

This versatility ensures optimal deployment in both standalone and hybrid IT ecosystems, facilitating encrypted workflows without friction.

Dual Encrypted Communication Channels

Unique Capability: Unlike most HSMs, DataShielder NFC HSM integrates two offline, encrypted communication modes natively:

• BLE HID Injection: AES-128 CBC channel via InputStick—ideal for embedded, industrial, or minimalist systems accepting USB HID input.
• LAN Tunnel via QR Pairing: AES-256 CBC tunnel over LAN—generated automatically between browser extension and NFC app, thanks to QR pairing with segmented key logic.

This makes DataShielder NFC HSM uniquely versatile for sovereign cryptographic operations across traditional IT environments and embedded platforms alike.

■ Segmented Trust Architecture

DataShielder NFC HSM combines a secure NFC hardware module with a fully offline-capable Android software layer. This hybrid model ensures sovereign cryptographic control with features such as no firmware updates, no telemetry, and RAM-only key usage.

■ Hybrid HSM Architecture

Dual-layer architecture: NFC hardware secure element and Android app logic ensure fully sovereign cryptographic operations.

DataShielder NFC HSM (Lite & Master) combines full offline cryptographic sovereignty with cross-platform operability. Engineered for zero-trust and zero-knowledge architectures, both versions share the same technical backbone, supporting:

• ✔ AES-256 CBC encryption for secure data and key management
• ✔ NFC 15693/14443 and encrypted QR code interactions
• ✔ BLE HID injection with AES-128 CBC—ideal for USB-HID systems without drivers
• ✔ Full offline autonomy: no server, no database, no telemetry
• ✔ PGP compatibility and segmented key architecture for granular trust control

This infographic highlights the unified feature set across both Lite and Master models—proving that data sovereignty and advanced cryptography can coexist in a fully mobile, contactless form factor.

• Lite: Manages up to 5 segmented encryption keys; ideal for personal and entry-level use cases.
• Master: Supports up to 100 keys and full trust encapsulation policies; recommended for decision-makers and security officers.
• Auth: Contactless authentication module using one AES-256 key; optimized for physical access and terminal login.
• Mauth: Adds RSA-4096 for remote encrypted exchanges; suitable for hybrid mobility-security scenarios.
• Starter Kit: Includes NFC HSM Lite 5 and options to generate Auth/Mauth variants; packaged for deployment in critical environments.