Capabilities and Policies

The SafeNet Luna Network HSM's configuration is based on HSM capabilities, which are displayed (together with the current policy settings) using the LunaSH command hsm showpolicies. Capabilities are set at manufacture according to the model you selected at time of purchase, and can only be modified by purchasing and applying capability updates.

A subset of HSM capabilities have corresponding HSM policies that allow you to customize the HSM configuration. Policies can be modified based on your specific needs. For example, you can restrict the HSM to using only FIPS-approved algorithms (FIPS mode) by setting HSM policy 12 (Allow non-FIPS algorithms) to 0 (off). Some policies, including policy 12, are marked as destructive in the hsm showpolicies output: changing them erases all partitions on the HSM, so set them before you create partitions.

Partitions inherit the capabilities and policy settings of the HSM. Partitions also have policies that can be set to customize the partition functions. Partition policies can never be modified to be less secure than the corresponding HSM capability/policy. For example, if HSM policy 7 (Allow cloning) is set to 0 (off), partition policy 0 (Allow private key cloning) and partition policy 4 (Allow secret key cloning) cannot be set to 1 (on).
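The two rules above (FIPS mode via HSM policy 12, and partition policies that cannot be looser than the HSM's own policies) are the kind of thing worth checking mechanically before a change window. The following Python script is an added example, not code from the Luna documentation or from Thales: it parses a policy table in the layout LunaSH prints for hsm showpolicies and partition showpolicies, diffs it against a desired baseline, emits the hsm changepolicy / partition changepolicy commands needed to reach it, flags the destructive ones, and refuses a partition setting that the HSM policy would not permit. The sample tables, their On/Off values and the partition name are constructed for illustration; the command syntax (hsm changepolicy -policy <n> -value <v>, partition changepolicy -partition <name> -policy <n> -value <v>) and the exact table layout are assumptions to confirm against the LunaSH reference for your appliance version.

```python
import re

# Constructed sample laid out like the policy table LunaSH prints for
# `hsm showpolicies` (Description / Value / Code / Destructive).
# The On/Off values are illustrative, not taken from any real unit.
HSM_SHOWPOLICIES_SAMPLE = """\
        Description                              Value      Code      Destructive
        ===========                              =====      ====      ===========
        Allow cloning                            On         7         Yes
        Allow non-FIPS algorithms                On         12        Yes
"""

# Constructed sample in the same layout for `partition showpolicies`.
PARTITION_SHOWPOLICIES_SAMPLE = """\
        Description                              Value      Code      Destructive
        ===========                              =====      ====      ===========
        Allow private key cloning                On         0         No
        Allow secret key cloning                 On         4         No
"""

# One table row: policy name, On/Off, numeric policy code, Yes/No destructive flag.
ROW = re.compile(
    r"^\s*(?P<name>\S.*?)\s{2,}(?P<value>On|Off)\s+(?P<code>\d+)\s+(?P<destructive>Yes|No)\s*$"
)


def parse_policies(text):
    """Map policy code -> {'name', 'value' (1 = On, 0 = Off), 'destructive'}."""
    policies = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            policies[int(m["code"])] = {
                "name": m["name"].strip(),
                "value": 1 if m["value"] == "On" else 0,
                "destructive": m["destructive"] == "Yes",
            }
    return policies


# Baseline for a locked-down HSM: FIPS mode (policy 12 'Allow non-FIPS
# algorithms' = 0) and no cloning (policy 7 'Allow cloning' = 0).
HSM_BASELINE = {12: 0, 7: 0}


def plan_hsm_changes(current, baseline=HSM_BASELINE):
    """Return [(lunash_command, destructive)] needed to reach the baseline."""
    plan = []
    for code, want in sorted(baseline.items()):
        if code not in current:
            raise KeyError(f"HSM policy {code} is not listed; capability may be absent")
        pol = current[code]
        if pol["value"] != want:
            plan.append((f"hsm changepolicy -policy {code} -value {want}", pol["destructive"]))
    return plan


# Partition policies that depend on HSM policy 7 (Allow cloning).
CLONING_PARTITION_POLICIES = {0: "Allow private key cloning", 4: "Allow secret key cloning"}


def plan_partition_changes(partition, hsm_policies, current, baseline):
    """Same for a partition, refusing settings the HSM does not permit: a
    partition can never be less secure than its HSM, so with HSM policy 7
    Off, partition policies 0 and 4 cannot be turned On."""
    plan = []
    for code, want in sorted(baseline.items()):
        if code in CLONING_PARTITION_POLICIES and want == 1 and hsm_policies[7]["value"] == 0:
            raise ValueError(
                f"partition policy {code} ({CLONING_PARTITION_POLICIES[code]}) cannot be On "
                f"while HSM policy 7 (Allow cloning) is Off"
            )
        pol = current[code]
        if pol["value"] != want:
            plan.append((
                f"partition changepolicy -partition {partition} -policy {code} -value {want}",
                pol["destructive"],
            ))
    return plan


if __name__ == "__main__":
    hsm = parse_policies(HSM_SHOWPOLICIES_SAMPLE)
    for cmd, destructive in plan_hsm_changes(hsm):
        print(cmd + ("   <-- destructive: erases all partitions" if destructive else ""))
    part = parse_policies(PARTITION_SHOWPOLICIES_SAMPLE)
    # "myPartition" is a hypothetical partition name.
    for cmd, _ in plan_partition_changes("myPartition", hsm, part, {0: 0, 4: 0}):
        print(cmd)
```

Feed it the real output captured from your appliance rather than the constructed samples, and apply the destructive changes first, while the HSM still has no partitions; the partition-level check uses the HSM's current policy 7 value, so re-run it after the HSM-level changes have been applied.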

The HSM or Partition SO can create and apply Policy Templates to initialize multiple HSMs/partitions with the same preferred policy settings.

The following sections describe individual HSM/partition capabilities and policies:

>HSM Capabilities and Policies

Setting HSM Policies Manually

Setting HSM Policies Using a Template

>Partition Capabilities and Policies

Setting Partition Policies Manually

Setting Partition Policies Using a Template

Configuring the Partition for Cloning or Export of Private Keys