Preparing the SafeNet Luna PCIe HSM to Use FMs
This section provides information on how to prepare your SafeNet Luna PCIe HSM to accept Functionality Modules (FMs). FMs require a specific factory configuration, the correct firmware version, a license upgrade, and the correct policy settings, as described below:
- Step 1: Ensure You Have FM-Ready Hardware
- Step 2: Update to Luna HSM Firmware 7.4.0 or Higher
- Step 3: Purchase and Apply the FM Capability License
- Step 4: Apply HSM Policy Settings
CAUTION! Enabling FMs (HSM policy 50) introduces changes to Luna HSM functionality, some of which are permanent; they cannot be removed by disabling the policy. FM-enabled status is not reversible by Factory Reset. Refer to FM Deployment Constraints for details before enabling.
If you are using Crypto Command Center, ensure that your CCC version supports FM-enabled HSMs before you enable HSM policy 50. Refer to the CCC CRN for details.
Step 1: Ensure You Have FM-Ready Hardware
The FM feature requires a specific SafeNet Luna PCIe HSM hardware configuration that must be created by Thales Group at the factory. SafeNet Luna PCIe HSMs that have this configuration are "FM-ready". If your SafeNet Luna PCIe HSM is not FM-ready, contact your Thales Group representative or Thales Group Customer Support for further guidance.
Determining Whether the HSM is FM-Ready
Starting with release 7.4, all SafeNet Luna PCIe HSMs are FM-ready from the factory. HSMs shipped prior to 7.4 are not. To determine if your HSM is FM-ready, check the Product Part # on the
If the last 3-digit section of the Product Part # is 003 or higher, your HSM is FM-ready. If 002 or lower, contact your Thales Group representative or Thales Group Customer Support for guidance on how to obtain FM-ready hardware.
Step 2: Update to Luna HSM Firmware 7.4.0 or Higher
To use FMs, you require HSM firmware version 7.4.0 or higher. You can download the latest software/firmware packages from the Thales Group Support Portal (see Updating the SafeNet Luna G5 Backup HSM Firmware).
When you have completed the upgrade, you can check the output from
FM HW Status -> FM Ready
Firmware Version -> 7.4.0
Step 3: Purchase and Apply the FM Capability License
To use FMs, contact your Thales Group sales representative to purchase the FM capability license.
When you have activated your license on the HSM, you can use
License Count -> 8
1. 621000068-000 K7 Base
2. 621010185-003 Key backup via cloning protocol
3. 621000134-002 Enable 32 megabytes of object storage
4. 621000135-002 Enable allow decommissioning
5. 621000021-002 Maximum performance
6. 621000138-001 Controlled tamper recovery
7. 621000154-001 Enable decommission on tamper with policy off
8. 621000074-001 Enable Functionality Modules
Step 4: Apply HSM Policy Settings
Applying the FM capability license allows you to set 4 new HSM policies that affect FMs on the SafeNet Luna PCIe HSM (see HSM Capabilities and Policies). Use
50: Allow Functionality Modules : 0
51: Allow SMFS Auto Activation : 0
52: Restrict FM Privilege Level : 0
53: Encrypt keys passing from FM to HSM : 0
HSM Policy 50: Allow Functionality Modules
With this policy enabled, Functionality Modules may be loaded to the HSM, permitting custom cryptographic operations. The policy also allows use of the ctfm utility and FM-related commands, and the use of Functionality Modules in general with this HSM.
The HSM SO must set HSM policy 50 to 1 (ON) to use FMs on the SafeNet Luna PCIe HSM. Changing this policy (OFF-to-ON or ON-to-OFF) will zeroize the HSM and it must be re-initialized.
CAUTION! Enabling FMs (HSM policy 50) introduces changes to Luna HSM functionality, some of which are permanent; they cannot be removed by disabling the policy. FM-enabled status is not reversible by Factory Reset. Refer to FM Deployment Constraints for details before enabling.
If you are using Crypto Command Center, ensure that your CCC version supports FM-enabled HSMs before you enable HSM policy 50. Refer to the CCC CRN for details.
NOTE After setting HSM policy 50, you must add the following entry to the Chrystoki.conf/crystoki.ini configuration file before you can re-initialize the HSM:
[Misc]
LoginAllowedOnFMEnabledHSMs=1
HSM Policy 51: Allow SMFS Auto Activation
With this policy enabled, the Secure Memory File System (SMFS) is automatically activated on startup, providing a secure, tamper-enabled location in the HSM memory where Functionality Modules can load keys and parameters. Auto-activation for SMFS, like auto-activation for PED-authenticated partitions in general, persists through a power outage of up to 2 hours duration. If disabled, the HSM SO must manually activate the SMFS each time the HSM reboots or loses power.
Thales Group recommends setting HSM policy 51 to 1 (ON) to avoid having to manually re-activate the SMFS if you need to reboot the HSM. Changing this policy destroys all existing application partitions.
HSM Policy 52: Restrict FM Privilege Level
With this policy enabled, FM privilege is restricted. By default, FM privilege permits FMs to see the sensitive key attributes (including key values) of cryptographic objects on application partitions. This privilege is necessary for most FMs, so that the Crypto Officer (CO) and Crypto User (CU) roles can use partition objects with the FM. However, some FMs might not require this privilege and it can be restricted to satisfy some certification requirements (such as Common Criteria).
Unless you require CC certification, Thales Group does not recommend changing this policy from its default setting (OFF). Changing this policy destroys all existing application partitions.
HSM Policy 53: Encrypt Keys Passing from FM to HSM
With this policy enabled, keys created by an FM are encrypted before crossing from the FM to the Functionality Module Crypto Engine interface (FMCE). This internal encryption may be required to satisfy some certification requirements (such as Common Criteria).
Unless you require CC certification, Thales Group does not recommend changing this policy from its default setting (OFF). Changing this policy (OFF-to-ON or ON-to-OFF) will destroy all existing application partitions.
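The four steps above can be checked together before an FM deployment is signed off. The following is an added example, not Thales code: it assumes the HSM information, license list and policy list have been saved as text in the line formats shown on this page, and the function name, the `cc_certified` parameter and the sample data are hypothetical.

```python
import re

# Constructed sample in the output formats shown on this page (not a real capture).
SAMPLE_HSM_OUTPUT = """\
FM HW Status -> FM Ready
Firmware Version -> 7.4.0
1. 621000068-000 K7 Base
8. 621000074-001 Enable Functionality Modules
50: Allow Functionality Modules : 1
51: Allow SMFS Auto Activation : 0
52: Restrict FM Privilege Level : 0
53: Encrypt keys passing from FM to HSM : 1
"""
SAMPLE_CONF = "[Misc]\nLoginAllowedOnFMEnabledHSMs=1\n"

# Policy 50 is required ON; 51 ON and 52/53 OFF are this page's recommendations.
EXPECTED_POLICIES = {50: 1, 51: 1, 52: 0, 53: 0}


def audit_fm_readiness(hsm_output, conf_text, cc_certified=False):
    """Return a list of findings; an empty list means every check on this page passed."""
    findings = []
    fw = re.search(r"Firmware Version\s*->\s*(\d+)\.(\d+)\.(\d+)", hsm_output)
    if not fw or tuple(map(int, fw.groups())) < (7, 4, 0):
        findings.append("firmware below 7.4.0 or not reported")
    if not re.search(r"FM HW Status\s*->\s*FM Ready", hsm_output):
        findings.append("hardware not reported as FM Ready")
    if not re.search(r"^\s*\d+\.\s+\S+\s+Enable Functionality Modules\s*$", hsm_output, re.M):
        findings.append("FM capability license not listed")
    policies = {int(n): int(v) for n, v in
                re.findall(r"^\s*(5[0-3]):.*:\s*([01])\s*$", hsm_output, re.M)}
    for number, wanted in EXPECTED_POLICIES.items():
        if cc_certified and number in (52, 53):
            continue  # deployments that require CC certification may enable 52 and 53
        if policies.get(number) != wanted:
            findings.append(f"policy {number} is {policies.get(number)}, expected {wanted}")
    # Match the key itself; a trailing ';' is tolerated for brace-style Chrystoki.conf.
    if not re.search(r"^\s*LoginAllowedOnFMEnabledHSMs\s*=\s*1\s*;?\s*$", conf_text, re.M):
        findings.append("LoginAllowedOnFMEnabledHSMs=1 missing from configuration file")
    return findings


if __name__ == "__main__":
    for finding in audit_fm_readiness(SAMPLE_HSM_OUTPUT, SAMPLE_CONF):
        print("FINDING:", finding)
```

Because changing policies 50 to 53 zeroizes the HSM or destroys application partitions, a check like this is best run against captured output before any policy is changed, so that deviations are found while they are still cheap to correct.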