Securely Transporting a CipherTrust Manager k570 Appliance
You might need to move your configured CipherTrust Manager appliance to a new data center or place it into storage. This can be a convenient way to pre-configure CipherTrust Manager appliances at a central location before shipping them to regional data centers.
During this process, you can ensure that the on-board PCIe HSM and its cryptographic material have not been modified in transit by using the Secure Transport Mode (STM). STM temporarily locks the HSM, retaining the current configuration and key material, and recording the current state.
The commands and supported authentication method for STM are different for a Thales CipherTrust Manager k570 appliance and a Trusted Cyber Technologies (TCT) k570 appliance. The TCT k570 appliance has the label "Trusted Cyber Technologies CipherTrust k570" on the front bezel and on the order summary. In addition, the initial LunaCM response contains the name SafeNet Assured Technologies, LLC and reports an HSM Model of Luna-T7.
Securely Transport a Thales k570 Appliance
Thales k570 appliances can access STM. This feature is described in detail in Luna PCIe HSM documentation.
STM generates a unique 16-character verification string and a 16-character random user string. These unique strings allow you to verify whether or not the HSM has been tampered with while in STM. When recovering from STM, you will be asked to provide the random user string.
To prepare the CipherTrust Manager for transportation
1. Log in to the CipherTrust Manager as ksadmin via serial console or SSH.
2. Stop the CipherTrust Manager services. This prevents the services from trying to communicate with the HSM while STM is applied.
3. Launch the lunacm utility from `/usr/safenet/lunaclient/bin/`.
4. If you have a PED-authenticated k570, you must deactivate the Crypto Officer role on the user partition. If you have a password-authenticated k570, skip ahead to step 5.

   Warning: This deactivation is needed to ensure the verification string is generated correctly on recovery. Leaving the Crypto Officer in an auto-activated state will result in a verification string mismatch. If you need to confirm the Crypto Officer's state, an activated Crypto Officer displays the phrase "Activated" in the output of `lunacm:> role show -n CO`.

   a. Switch to the slot number labeled "Luna User Partition" in the lunacm slot listing. This is slot 3 in our example configuration.
   b. Log in as the Partition Security Officer. You are prompted to present the Partition SO PED iKey.
   c. Deactivate the Crypto Officer role.
5. Back up the HSM contents, as described in the Luna PCIe HSM documentation.
6. Switch to the slot number labeled "Luna Admin Partition". This is slot 8 in our example configuration.
7. Log in as the HSM Security Officer. You are prompted to enter the HSM SO password or to present the HSM SO PED key.
8. Set the transport mode.
9. Record the presented Verification String and Random User String. Both are needed to recover the HSM and CipherTrust Manager.
10. Power down the appliance, unrack it, and ship it to its destination.
11. Transmit the verification string and random user string to the receiver of the HSM using a secure method, distinct from the transport of the physical HSM, so that an attacker cannot gain access to both the HSM and the verification codes while the HSM is in STM.
To recover the CipherTrust Manager after transportation
Note: You can use Remote PED, if previously configured for the k570, to perform the necessary PED operations outside the data center.

1. Ensure you have the two strings that were presented when the HSM was placed into STM.
2. Place the HSM into a rack and set up networking. You need SSH or console access to recover the HSM.

   Note: You don't need to change the ksadmin password or re-configure the HSM, as you would with a first installation.
3. Log in to the CipherTrust Manager as ksadmin via SSH or serial console.
4. Launch the lunacm utility from `/usr/safenet/lunaclient/bin/`.
5. Switch to the slot number labeled "Luna HSM Admin Partition" in the lunacm slot listing. This is slot 8 in our example configuration.
6. If you are using a Remote PED, connect the slot to the Remote PED workstation. Otherwise, skip to the next step.
7. Log in as the HSM Security Officer. You are prompted to enter the HSM SO password or to present the HSM SO PED key. Remote PEDs also prompt for the orange remote PED vector key.
8. Run the `stm recover` command, providing the Random User String. You are presented with the verification string.
9. If the presented verification string matches the original verification string, type `proceed` to continue.

   Caution: If the presented verification string does not match the original verification string, this indicates HSM tampering. Type `quit` to remain in secure transport mode. Contact Customer Support to investigate.

   ```
   Calculating the verification string (may take a few seconds)...
   Verification String: AAAA-AAAA-AAAA-AAAA
   CAUTION: You are attempting to recover the HSM from Secure Transport Mode. If the verification string does not match the one you were provided out-of-band, there may be an issue with the HSM. Type 'quit' at the prompt to remain in Secure Transport Mode.
   Are you sure you wish to continue?
   Type 'proceed' to continue, or 'quit' to quit now ->proceed
   ```
10. The CipherTrust Manager services boot up.
11. For password-authenticated k570s, recovery is complete. You can now log in to the CipherTrust Manager GUI at the configured IP address and access your keys. PED-authenticated k570s must have the Crypto Officer role logged in before you can access CipherTrust Manager services.
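As an added example (not code from the Thales documentation), the following Python helper parses the `stm recover` output shown above, normalizes the verification string as a human would transcribe it from the out-of-band channel, and resolves anything other than an exact match to `quit`; the same comparison applies to the SRK verification string in the TCT procedure later on this page. The sample output, the `VERIFICATION_LENGTH` constant and the function names are assumptions made for this example.

```python
import hmac
import re
from typing import Optional

# Constructed sample, modelled on the lunacm "stm recover" output quoted on this page.
SAMPLE_OUTPUT = """\
Calculating the verification string (may take a few seconds)...
Verification String: AAAA-AAAA-AAAA-AAAA
CAUTION: You are attempting to recover the HSM from Secure Transport Mode.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now ->"""

# STM verification strings are 16 characters; grouping dashes are not counted.
VERIFICATION_LENGTH = 16


def normalize(s: str) -> str:
    """Canonical form of a verification string as a human might transcribe it:
    drop whitespace and grouping dashes, fold to upper case."""
    return re.sub(r"[\s-]", "", s).upper()


def extract_verification_string(output: str) -> Optional[str]:
    """Pull the 'Verification String:' value out of lunacm's stm recover output."""
    match = re.search(r"^Verification String:\s*(\S+)\s*$", output, re.MULTILINE)
    return match.group(1) if match else None


def recovery_decision(presented: Optional[str], expected_out_of_band: str) -> str:
    """Return the word to type at the lunacm prompt.

    Only an exact (normalized) match yields 'proceed'; a missing, malformed or
    differing string yields 'quit', which keeps the HSM in STM for investigation.
    """
    if presented is None:
        return "quit"
    got, want = normalize(presented), normalize(expected_out_of_band)
    if len(got) != VERIFICATION_LENGTH or len(want) != VERIFICATION_LENGTH:
        return "quit"
    same = hmac.compare_digest(got.encode("utf-8"), want.encode("utf-8"))
    return "proceed" if same else "quit"


if __name__ == "__main__":
    # The expected string would normally arrive via the separate secure channel.
    expected = "AAAA-AAAA-AAAA-AAAA"
    print(recovery_decision(extract_verification_string(SAMPLE_OUTPUT), expected))
```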
To log in and reactivate the Crypto Officer role for PED-authenticated devices
The Crypto Officer must be logged in before you can access CipherTrust Manager services.

Note: This login re-activates the Crypto Officer role (unless you have disabled the activation partition policies, 22 and 23, which is not recommended). The HSM caches PED credentials and allows the k570 appliance to authenticate to the HSM using only the challenge secret (password) without requiring the black PED key to always be connected to the HSM. However, in the event of a power outage of more than 2 hours, the HSM's cached PED credentials will expire and the k570 appliance will fail to run its services. In this case, instruct the k570 appliance to re-authenticate with the HSM using the black PED key. You can also configure remote PED access.

- If you are using a local PED, simply present the black PED iKey for the Crypto Officer to the PED, as prompted on the PED screen when CipherTrust Manager services start up.
- If you are using a Remote PED:
  1. Switch to the slot number labeled "Luna User Partition". This is slot 3 in our example configuration.
  2. Connect the slot to the Remote PED workstation.
  3. Log in as the Crypto Officer. Provide the PED iKey and the auto-activation password as prompted.

You can now log in to the CipherTrust Manager GUI at the configured IP address and access your keys.
Securely Transport a Trusted Cyber Technologies (TCT) k570 Appliance
TCT k570 appliances that use PED authentication can apply Secure Transport Mode.
As part of Secure Transport Mode, you imprint one or more purple PED keys (also called Secure Recovery Keys or SRK) with a new split of the HSM's master key. You are also presented with a unique SRV verification string, which allows you to verify whether or not the HSM has been tampered with while in STM. The purple PED key and verification string are required to recover the HSM and should be stored and shipped separately from the CipherTrust Manager appliance.
Advanced options for re-using an existing SRK, creating more copies of the PED key, and the MofN feature are described in the latest Luna T-Series Documentation. To access this documentation, login to the TCT Customer Support Portal, and navigate to Knowledge Base > Luna T-series.
To prepare the CipherTrust Manager for transportation
1. Connect the PED to the appliance.
2. Log in to the CipherTrust Manager as ksadmin via serial console or SSH.
3. Launch the lunacm utility from `/usr/safenet/lunaclient/bin/`.
4. Log in to the HSM with `hsm login`.
5. Run the command `srk enable`. This command performs a resplit of the MTK before moving one of the (new) splits out to your purple PED key(s). Follow the PED prompts, introducing the purple key and pressing buttons on the PED keypad.
6. Record the SRV verification string when it is presented. This string is required to recover both the HSM and CipherTrust Manager.
7. Run `srk transport` to enable secure transport mode. You are prompted to insert the purple PED key.
8. Power down the appliance, unrack it, and ship it to its destination.
9. Ship the imprinted purple SRK separately from the appliance shipment.
10. Send the SRK verification string via another path.
To recover the CipherTrust Manager after transportation
1. Ensure you have the purple PED key and the SRK Verification String that were presented when the HSM was placed into STM.
2. Place the HSM into a rack and set up networking. You need SSH or console access to recover the HSM.

   Note: You don't need to change the ksadmin password or re-configure the HSM, as you would with a first installation.
3. Log in to the CipherTrust Manager as ksadmin.
4. Launch the lunacm utility from `/usr/safenet/lunaclient/bin/`.
5. Run the command `srk recover`. The PED prompts for the SRK (purple PED key) and shows the verification string.
6. Compare the presented verification string with the original verification string. If they match, insert the purple PED key as prompted. If the strings do not match, the unit may have been tampered with. Follow the tamper recovery instructions.
7. Run the command `hsm login`. The PED prompts for the HSM/Security Officer (blue) PED key.
8. Run the command `partition login`. The PED prompts for the User (black) PED key.
9. Recovery is complete. You can now log in to the CipherTrust Manager GUI at the configured IP address and access your keys.