Securely Transporting a CipherTrust Manager k570 Appliance
You might need to move your configured CipherTrust Manager appliance to a new data center or place it into storage. This can be a convenient way to pre-configure CipherTrust Manager appliances at a central location before shipping them to regional data centers.
During this process, you can ensure that the on-board PCIe HSM and its cryptographic material have not been modified in transit by using the Secure Transport Mode (STM). STM temporarily locks the HSM, retaining the current configuration and key material, and recording the current state.
The commands and supported authentication method for STM are different for a Thales CipherTrust Manager k570 appliance and a Trusted Cyber Technologies (TCT) k570 appliance. The TCT k570 appliance has the label "Trusted Cyber Technologies CipherTrust k570" on the front bezel and on the order summary. In addition, the initial LunaCM response contains the string "SafeNet Assured Technologies, LLC" and indicates an HSM Model of Luna-T7.
Securely Transport a Thales k570 Appliance
Thales k570 appliances can access STM. This feature is described in detail in Luna PCIe HSM documentation.
STM generates a unique 16-character verification string and a 16-character random user string. These unique strings allow you to verify whether or not the HSM has been tampered with while in STM. When recovering from STM, you will be asked to provide the random user string.
To prepare the CipherTrust Manager for transportation
1. Log in to the CipherTrust Manager as ksadmin via serial console or SSH.
2. Stop CipherTrust Manager services. This prevents the services from trying to communicate with the HSM while STM is applied.
ksadmin@ciphertrust:~$ sudo systemctl stop keysecure
3. Launch the lunacm utility from /usr/safenet/lunaclient/bin/.
ksadmin@keysecure:/usr/safenet/lunaclient/bin$ ./lunacm
lunacm (64-bit) v7.3.0-165. Copyright (c) 2018 SafeNet. All rights reserved.
Available HSMs:
Slot Id -> 3
Label -> kspart1
Serial Number -> 1442956002008
Model -> Luna K7
Firmware Version -> 7.0.1
Configuration -> Luna User Partition With SO (PW) Signing With Cloning Mode
Slot Description -> User Token Slot
Slot Id -> 8
Label -> kspart1
Serial Number -> 619745
Model -> Luna K7
Firmware Version -> 7.0.1
Configuration -> Luna HSM Admin Partition (PW) Signing With Cloning Mode
Slot Description -> Admin Token Slot
HSM Configuration -> Luna HSM Admin Partition (PW)
HSM Status -> L3 Device
Current Slot Id: 3
4. If you have a PED-authenticated k570, you must deactivate the Crypto Officer role on the user partition. If you have a password-authenticated k570, skip ahead to step 5.
Warning
This step is needed to ensure the verification string is generated correctly on recovery. Leaving the Crypto Officer in an auto-activated state will result in a verification string mismatch.
If you need to confirm the Crypto Officer's state, run lunacm:>role show -n CO; an activated Crypto Officer displays the phrase Activated.
a. Switch to the slot number labeled with Luna User Partition in the above output. This is slot 3 in our example configuration.
lunacm:>slot set -slot <user_partition_slot_number>
b. Log in as the Partition Security Officer. You are prompted to present the Partition SO PED iKey.
lunacm:>role login -n po
c. Deactivate the Crypto Officer role.
lunacm:>role deactivate -n Crypto Officer
5. Back up the HSM contents, as described in Luna PCI documentation.
6. Switch to the slot number labeled with Luna HSM Admin Partition. This is slot 8 in our example configuration.
lunacm:>slot set -slot <admin_partition_slot_number>
7. Log in as the HSM Security Officer. You are prompted to enter the HSM SO password or to present the HSM SO PED key.
lunacm:>role login -n so
8. Set the transport mode.
lunacm:>stm transport
You are about to configure the HSM in STM. Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now ->proceed
Configuring the HSM for transport (may take a few seconds)...
HSM was successfully configured for transport.
Please record the displayed verification & random user strings. These are required to recover from Secure Transport Mode.
Verification String: AAAA-AAAA-AAAA-AAAA
Random User String: BBBB-BBBB-BBBB-BBBB
9. Record the presented Verification String and Random User String. Both are needed to recover the HSM and CipherTrust Manager.
10. Power down the appliance, unrack it, and ship it to its destination.
11. Transmit the verification string and random user string to the receiver of the HSM using a secure method, distinct from the transport of the physical HSM, so that it is not possible for an attacker to have access to both the HSM and the verification codes while the HSM is in STM.
To recover the CipherTrust Manager after transportation
Note
You can use Remote PED, if previously configured for the k570, to perform necessary PED operations outside the data center.
1. Ensure you have the two strings that were presented when the HSM was placed into STM.
2. Place the HSM into a rack and set up networking. You need SSH or console access to recover the HSM.
Note
You don't need to change the ksadmin password, or re-configure the HSM, as with a first installation.
3. Log in to the CipherTrust Manager as ksadmin via SSH or serial console.
4. Launch the lunacm utility from /usr/safenet/lunaclient/bin/.
ksadmin@keysecure:/usr/safenet/lunaclient/bin$ ./lunacm
lunacm (64-bit) v7.3.0-165. Copyright (c) 2018 SafeNet. All rights reserved.
Available HSMs:
Slot Id -> 3
Label -> kspart1
Serial Number -> 1442956002008
Model -> Luna K7
Firmware Version -> 7.0.1
Configuration -> Luna User Partition With SO (PW) Signing With Cloning Mode
Slot Description -> User Token Slot
Slot Id -> 8
Label -> kspart1
Serial Number -> 619745
Model -> Luna K7
Firmware Version -> 7.0.1
Configuration -> Luna HSM Admin Partition (PW) Signing With Cloning Mode
Slot Description -> Admin Token Slot
HSM Configuration -> Luna HSM Admin Partition (PW)
HSM Status -> L3 Device
Current Slot Id: 3
5. Switch to the slot number labeled with Luna HSM Admin Partition in the above output. This is slot 8 in our example configuration.
lunacm:>slot set -slot <admin_partition_slot_number>
6. If you are using a Remote PED, connect the slot to the Remote PED workstation. Otherwise, skip to the next step.
lunacm:>ped connect -ip <remote_PED_workstation_IP> -port 1503
7. Log in as the HSM Security Officer. You are prompted to enter the HSM SO password or to present the HSM SO PED key. Remote PEDs also prompt for the orange remote PED vector key.
lunacm:>role login -n so
8. Run the stm recover command, providing the Random User String.
lunacm:>stm recover -r BBBB-BBBB-BBBB-BBBB
You are presented with the verification string.
9. If the presented verification string matches the original verification string, type proceed to continue.
Caution
If the presented verification string does not match the original verification string, this indicates HSM tampering. Type quit to remain in Secure Transport Mode. Contact Customer Support to investigate.
Calculating the verification string (may take a few seconds)...
Verification String: AAAA-AAAA-AAAA-AAAA
CAUTION: You are attempting to recover the HSM from Secure Transport Mode. If the verification string does not match the one you were provided out-of-band, there may be an issue with the HSM. Type 'quit' at the prompt to remain in Secure Transport Mode.
If the verification strings match, or if you wish to bypass this check, type 'proceed' to recover from Secure Transport Mode.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now ->proceed
10. The CipherTrust Manager services boot up.
11. For password-authenticated k570s, recovery is complete. You can now log in to the CipherTrust Manager GUI at the configured IP address, and access your keys.
PED-authenticated k570s must have the Crypto Officer role logged in before you can access CipherTrust Manager services.
To login and reactivate the Crypto Officer Role for PED-Authenticated Devices
The Crypto Officer must be logged in before you can access CipherTrust Manager services.
Note
This login re-activates the Crypto Officer role (unless you have disabled the activation partition policies, 22 and 23, which is not recommended). The HSM caches PED credentials and allows the k570 appliance to authenticate to the HSM using only the challenge secret (password) without requiring the black PED key to always be connected to the HSM. However, in the event of a power outage of more than 2 hours, the HSM cached PED credentials will expire and the k570 appliance will fail to run its services. In this case, instruct the k570 appliance to re-authenticate with the HSM using the black PED key. You can also configure remote PED access.
If you are using a local PED, simply present the black PED iKey for the Crypto Officer to the PED, as prompted on the PED screen when CipherTrust Manager services start up.
If you are using a Remote PED:
1. Switch to the slot number labeled with Luna User Partition. This is slot 3 in our example configuration.
lunacm:>slot set -slot <user_partition_slot_number>
2. Connect the slot to the Remote PED workstation.
lunacm:>ped connect -ip <remote-PED-workstation-IP> -port 1503
3. Log in as the Crypto Officer. Provide the PED iKey, and the auto-activation password as prompted.
lunacm:>role login -n co
You can now log in to the CipherTrust Manager GUI at the configured IP address, and access your keys.
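As an added example (not part of the Thales documentation or of lunacm), the following Python script automates the two bookkeeping checks in the Thales prepare and recover procedures above: picking the slot numbers for the slot set -slot steps out of the lunacm listing, and capturing the two STM strings from stm transport so that the verification string shown by stm recover can be compared against the copy received out-of-band. The sample listing and STM output are constructed from the page's examples; the format check assumes the strings are alphanumeric.

```python
import re

# Constructed sample, trimmed from the lunacm listing shown in the procedure above.
SLOT_LISTING = """Available HSMs:
Slot Id -> 3
Configuration -> Luna User Partition With SO (PW) Signing With Cloning Mode
Slot Id -> 8
Configuration -> Luna HSM Admin Partition (PW) Signing With Cloning Mode
HSM Configuration -> Luna HSM Admin Partition (PW)
"""
# Constructed sample of the tail of 'stm transport' output.
STM_TRANSPORT_OUTPUT = """Verification String: AAAA-AAAA-AAAA-AAAA
Random User String: BBBB-BBBB-BBBB-BBBB
"""

PARTITION_MARKER = {"user": "Luna User Partition", "admin": "Luna HSM Admin Partition"}
# 16 characters in four dash-separated groups, as on the page; the alphanumeric charset is an assumption.
STM_STRING = re.compile(r"^[A-Za-z0-9]{4}(?:-[A-Za-z0-9]{4}){3}$")


def parse_slots(listing):
    """Map each slot id in lunacm's 'Available HSMs' listing to its Configuration line."""
    slots = {}
    for block in re.split(r"(?m)^Slot Id -> ", listing)[1:]:
        slot_id = int(block.split(None, 1)[0])
        # Anchor at line start so the trailing 'HSM Configuration' line is not picked up.
        cfg = re.search(r"(?m)^Configuration -> (.*)$", block)
        slots[slot_id] = cfg.group(1).strip() if cfg else ""
    return slots


def find_slot(listing, kind):
    """Slot number to use with 'slot set -slot' for the 'user' or 'admin' partition."""
    hits = [s for s, cfg in parse_slots(listing).items() if cfg.startswith(PARTITION_MARKER[kind])]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one {kind} partition slot, found {hits}")
    return hits[0]


def parse_stm_strings(transport_output):
    """Extract and format-check the two strings printed by 'stm transport'."""
    found = {}
    for key, label in (("verification", "Verification String"), ("random_user", "Random User String")):
        m = re.search(label + r":\s*(\S+)", transport_output)
        if not m or not STM_STRING.match(m.group(1)):
            raise ValueError(f"{label} missing or malformed in stm transport output")
        found[key] = m.group(1)
    return found


def recovery_decision(expected_verification, recover_output):
    """Answer for the 'stm recover' prompt: 'proceed' only on an exact match with the out-of-band copy."""
    m = re.search(r"Verification String:\s*(\S+)", recover_output)
    return "proceed" if m and m.group(1) == expected_verification else "quit"
```

Feed the real lunacm output to find_slot and parse_stm_strings on the sending side, and pass the string received out-of-band together with the stm recover output to recovery_decision on the receiving side.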
Securely Transport a Trusted Cyber Technologies (TCT) k570 Appliance
TCT k570 appliances that use PED authentication can apply Secure Transport Mode.
As part of Secure Transport Mode, you imprint one or more purple PED keys (also called Secure Recovery Keys or SRK) with a new split of the HSM's master key. You are also presented with a unique SRV verification string, which allows you to verify whether or not the HSM has been tampered with while in STM. The purple PED key and verification string are required to recover the HSM and should be stored and shipped separately from the CipherTrust Manager appliance.
Advanced options for re-using an existing SRK, creating more copies of the PED key, and the MofN feature are described in the latest Luna T-Series Documentation. To access this documentation, login to the TCT Customer Support Portal, and navigate to Knowledge Base > Luna T-series.
To prepare the CipherTrust Manager for transportation
1. Connect the PED to the appliance.
2. Log in to the CipherTrust Manager as ksadmin via serial console or SSH.
3. Launch the lunacm utility from /usr/safenet/lunaclient/bin/.
4. Log in to the HSM with hsm login.
5. Run the command srk enable. This command performs a resplit of the MTK before moving one of the (new) splits out to your purple PED key(s). Follow the PED prompts, introducing the purple key and pressing buttons on the PED keypad.
6. Record the SRV verification string when it is presented. This string is required to recover both the HSM and CipherTrust Manager.
7. Run srk transport to enable Secure Transport Mode. You are prompted to insert the purple PED key.
8. Power down the appliance, unrack it, and ship it to its destination.
9. Ship the imprinted purple SRK separately from the appliance shipment.
10. Send the SRK verification string via another path.
To recover the CipherTrust Manager after transportation
1. Ensure you have the purple PED key and the SRK Verification String that were presented when the HSM was placed into STM.
2. Place the HSM into a rack and set up networking. You need SSH or console access to recover the HSM.
Note
You don't need to change the ksadmin password, or re-configure the HSM, as with a first installation.
3. Log in to the CipherTrust Manager as ksadmin.
ssh -i priv_key.pem ksadmin@<IP_address>
4. Launch the lunacm utility from /usr/safenet/lunaclient/bin/.
5. Run the command srk recover. The PED prompts for the SRK (purple PED key) and shows the verification string.
6. Compare the presented verification string with the original verification string. If they match, insert the purple PED key as prompted. If the strings do not match, the unit may have been tampered with. Follow tamper recovery instructions.
7. Run the command hsm login. The PED prompts for the HSM/Security Officer blue key.
8. Run the command partition login. The PED prompts for the User (black) PED key.
9. Recovery is complete. You can now log in to the CipherTrust Manager GUI at the configured IP address, and access your keys.