Securely Transporting a CipherTrust Manager k570 Appliance
You might need to move your configured CipherTrust Manager appliance to a new data center or place it into storage. This can be a convenient way to pre-configure CipherTrust Manager appliances at a central location before shipping them to regional data centers.
For CipherTrust Manager k570 appliances, you can ensure that the on-board PCIe HSM and its cryptographic material have not been modified in transit by using the Secure Transport Mode (STM), described in detail in Luna PCIe HSM documentation.
STM temporarily locks the HSM, retaining the current configuration and key material, and recording the current state. STM generates a unique 16-character verification string and a 16-character random user string. These unique strings allow you to verify whether or not the HSM has been tampered with while in STM. When recovering from STM, you will be asked to provide the random user string.
To prepare the CipherTrust Manager for transportation
Log in to the CipherTrust Manager as ksadmin via serial console or SSH.
Stop CipherTrust Manager services. This avoids the services trying to communicate with the HSM while STM is applied.
ksadmin@ciphertrust:~$ sudo systemctl stop keysecure
Launch the lunacm utility from /usr/safenet/lunaclient/bin/
ksadmin@keysecure:/usr/safenet/lunaclient/bin$ ./lunacm
lunacm (64-bit) v7.3.0-165. Copyright (c) 2018 SafeNet. All rights reserved.

Available HSMs:

Slot Id ->              3
Label ->                kspart1
Serial Number ->        1442956002008
Model ->                Luna K7
Firmware Version ->     7.0.1
Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
Slot Description ->     User Token Slot

Slot Id ->              8
Label ->                kspart1
Serial Number ->        619745
Model ->                Luna K7
Firmware Version ->     7.0.1
Configuration ->        Luna HSM Admin Partition (PW) Signing With Cloning Mode
Slot Description ->     Admin Token Slot
HSM Configuration ->    Luna HSM Admin Partition (PW)
HSM Status ->           L3 Device

Current Slot Id: 3
If you have a PED-authenticated k570, you must deactivate the Crypto Officer role on the user partition. If you have a password-authenticated k570, skip ahead to step 5.
Warning
This command is needed to ensure the verification string is generated correctly on recovery. Leaving the Crypto Officer in an auto-activated state will result in a verification string mismatch.
Activated Crypto Officers display the phrase Activated with the command lunacm:>role show -n CO if you need to confirm the Crypto Officer's state.
Switch to the slot number labeled with Luna User Partition in the above output. This is slot 3 in our example configuration.
lunacm:>slot set -slot <user_partition_slot_number>
Log in as the Partition Security Officer. You are prompted to present the Partition SO PED iKey.
lunacm:>role login -n po
Deactivate the Crypto Officer role.
lunacm:>role deactivate -n Crypto Officer
Back up the HSM contents, as described in the Luna PCIe HSM documentation.
Switch to the slot number labeled with Luna HSM Admin Partition in the above output. This is slot 8 in our example configuration.
lunacm:>slot set -slot <admin_partition_slot_number>
Log in as the HSM Security Officer. You are prompted to enter the HSM SO password or to present the HSM SO PED key.
lunacm:>role login -n so
Set the transport mode.
lunacm:>stm transport

You are about to configure the HSM in STM.
Are you sure you wish to continue?

Type 'proceed' to continue, or 'quit' to quit now ->proceed

Configuring the HSM for transport (may take a few seconds)...

HSM was successfully configured for transport.

Please record the displayed verification & random user strings.
These are required to recover from Secure Transport Mode.

Verification String: AAAA-AAAA-AAAA-AAAA
Random User String: BBBB-BBBB-BBBB-BBBB
Record the presented Verification String and Random User String. Both are needed to recover the HSM and CipherTrust Manager.
Power down the appliance, unrack it, and ship it to its destination.
Transmit the verification string and random user string to the receiver of the HSM using a secure method, distinct from the transport of the physical HSM, so that it is not possible for an attacker to have access to both the HSM and the verification codes while the HSM is in STM.
To recover the CipherTrust Manager after transportation
Note
You can use Remote PED, if previously configured for the k570, to perform necessary PED operations outside the data center.
Ensure you have the two strings that were presented when the HSM was placed into STM.
Place the HSM into a rack and set up networking. You need SSH or console access to recover the HSM.
Note
You don't need to change the ksadmin password, or re-configure the HSM, as with a first installation.
Log in to the CipherTrust Manager as ksadmin via SSH or serial console.
Launch the lunacm utility from /usr/safenet/lunaclient/bin/
ksadmin@keysecure:/usr/safenet/lunaclient/bin$ ./lunacm
lunacm (64-bit) v7.3.0-165. Copyright (c) 2018 SafeNet. All rights reserved.

Available HSMs:

Slot Id ->              3
Label ->                kspart1
Serial Number ->        1442956002008
Model ->                Luna K7
Firmware Version ->     7.0.1
Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
Slot Description ->     User Token Slot

Slot Id ->              8
Label ->                kspart1
Serial Number ->        619745
Model ->                Luna K7
Firmware Version ->     7.0.1
Configuration ->        Luna HSM Admin Partition (PW) Signing With Cloning Mode
Slot Description ->     Admin Token Slot
HSM Configuration ->    Luna HSM Admin Partition (PW)
HSM Status ->           L3 Device

Current Slot Id: 3
Switch to the slot number labeled with Luna HSM Admin Partition in the above output. This is slot 8 in our example configuration.
lunacm:>slot set -slot <admin_partition_slot_number>
If you are using a Remote PED, connect the slot to the Remote PED workstation. Otherwise, skip to the next step.
lunacm:>ped connect -ip <remote_PED_workstation_IP> -port 1503
Login as the HSM Security Officer. You are prompted to enter the HSM SO password or to present the HSM SO PED key. Remote PEDs also prompt for the orange remote PED vector key.
lunacm:>role login -n so
Run the stm recover command, providing the Random User String.
lunacm:>stm recover -r BBBB-BBBB-BBBB-BBBB
You are presented with the verification string.
If the presented verification string matches the original verification string, type proceed to continue.
Caution
If the presented verification string does not match the original verification string, this indicates HSM tampering. Type quit to remain in secure transport mode. Contact Customer Support to investigate.

Calculating the verification string (may take a few seconds)...

Verification String: AAAA-AAAA-AAAA-AAAA

CAUTION: You are attempting to recover the HSM from Secure Transport Mode.
If the verification string does not match the one you were provided out-of-band,
there may be an issue with the HSM. Type 'quit' at the prompt to remain in
Secure Transport Mode.

If the verification strings match, or if you wish to bypass this check,
type 'proceed' to recover from Secure Transport Mode.

Are you sure you wish to continue?

Type 'proceed' to continue, or 'quit' to quit now ->proceed
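As an added example (not part of the CipherTrust Manager or Luna tooling), the POSIX shell helper below parses the strings lunacm prints for stm transport and stm recover, and turns the verification-string comparison into an explicit proceed/quit decision that fails closed on a mismatch or a malformed value. The lunacm output it reads is a constructed sample taken from the format shown in this guide, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the CipherTrust/Luna tooling: parse the strings
# that lunacm prints for "stm transport" and "stm recover" and decide whether
# the operator should type proceed or quit at the recovery prompt.

# Sample lunacm output, constructed from the format shown in this guide.
STM_TRANSPORT_OUTPUT='HSM was successfully configured for transport.
Please record the displayed verification & random user strings.
Verification String: AAAA-AAAA-AAAA-AAAA
Random User String: BBBB-BBBB-BBBB-BBBB'

STM_RECOVER_OUTPUT='Calculating the verification string (may take a few seconds)...
Verification String: AAAA-AAAA-AAAA-AAAA
CAUTION: You are attempting to recover the HSM from Secure Transport Mode.'

# stm_field LABEL  (lunacm output on stdin): print the value of the first
# "LABEL: value" line, or nothing if the label is absent.
stm_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*\([A-Za-z0-9-]*\).*/\1/p" | head -n 1
}

# stm_valid_format STRING: true when STRING is four groups of four
# alphanumerics separated by dashes, i.e. the 16-character STM shape.
stm_valid_format() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9]{4}(-[A-Za-z0-9]{4}){3}$'
}

# stm_decision RECORDED PRESENTED: print "proceed" only on an exact match of
# two well-formed strings; a mismatch, an empty or a malformed value all mean
# "quit" (stay in STM and escalate), so a parsing failure can never
# accidentally approve recovery.
stm_decision() {
    if stm_valid_format "$1" && stm_valid_format "$2" && [ "$1" = "$2" ]; then
        echo proceed
    else
        echo quit
    fi
}

# Walk-through: record at the shipping site, verify at the receiving site.
recorded_vs=$(printf '%s\n' "$STM_TRANSPORT_OUTPUT" | stm_field "Verification String")
recorded_rus=$(printf '%s\n' "$STM_TRANSPORT_OUTPUT" | stm_field "Random User String")
presented_vs=$(printf '%s\n' "$STM_RECOVER_OUTPUT" | stm_field "Verification String")
echo "Recorded:  verification=$recorded_vs random-user=$recorded_rus"
echo "Presented: verification=$presented_vs"
echo "Type at the lunacm prompt: $(stm_decision "$recorded_vs" "$presented_vs")"
```

The recorded strings are what you send to the receiving site over the separate channel; at recovery, paste the stm recover output into STM_RECOVER_OUTPUT (or pipe it in) and act on the decision.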
The CipherTrust Manager services boot up.
For password-authenticated k570s, recovery is complete. You can now log in to the CipherTrust Manager GUI at the configured IP address and access your keys.
PED-authenticated k570s must have the Crypto Officer role logged in before you can access CipherTrust Manager services.
To log in and reactivate the Crypto Officer Role for PED-Authenticated Devices
The Crypto Officer must be logged in before you can access CipherTrust Manager services.
Note
This login re-activates the Crypto Officer role (unless you have disabled the activation partition policies, 22 and 23, which is not recommended). The HSM caches PED credentials and allows the k570 appliance to authenticate to the HSM using only the challenge secret (password) without requiring the black PED key to always be connected to the HSM. However, in the event of a power outage of more than 2 hours, the HSM cached PED credentials will expire and the k570 appliance will fail to run its services. In this case, instruct the k570 appliance to re-authenticate with the HSM using the black PED key. You can also configure remote PED access.
If you are using a local PED, simply present the black PED iKey for the Crypto Officer to the PED, as prompted on the PED screen when CipherTrust Manager services start up.
If you are using a Remote PED:
Switch to the slot number labeled with Luna User Partition in the above output. This is slot 3 in our example configuration.
lunacm:>slot set -slot <user_partition_slot_number>
Connect the slot to the Remote PED workstation.
lunacm:>ped connect -ip <remote-PED-workstation-IP> -port 1503
Log in as the Crypto Officer. Provide the PED iKey, and the auto-activation password as prompted.
lunacm:>role login -n co
You can now log in to the CipherTrust Manager GUI at the configured IP address and access your keys.