Security Effects of Administrative Actions
Actions that you take while administering your SafeNet Luna HSM can affect, and in some cases destroy, the roles, the spaces, and the contents of your HSM and its application partition(s). It is important to be aware of such consequences before taking action.
Overt Security Actions
Some actions in the administration of the HSM, or of an application partition, are explicitly intended to adjust specific security aspects of the HSM or partition. Examples are:
>Changing a password
>Modifying a policy to make a password or other attribute more stringent than the original setting
Those are discussed in their own sections.
Actions with Security- and Content-Affecting Outcomes
Other administrative actions have security repercussions as side effects of the primary action, which might have been taken for a different purpose. Some examples are:
>HSM factory reset
>HSM zeroization
>Change of a destructive policy
>HSM initialization
>HSM firmware rollback
>Application partition initialization
This table lists some major administrative actions that can be performed on the HSM, and compares relevant security-related effects. Use the information in this table to help decide if your contemplated action is appropriate in current circumstances, or if additional preparation (such as backup of partition content, collection of audit data) would be prudent before continuing.
Factory Reset HSM
Domain | Destroyed |
HSM SO Role | Destroyed |
Partition SO Role | Destroyed |
Auditor Role | Destroyed |
Partition Roles | Destroyed |
HSM or Partition/Contents | HSM/Destroyed |
HSM Policies | Reset |
RPV | Destroyed |
Messaging | You are about to factory reset the HSM. All contents of the HSM will be destroyed. HSM policies will be reset and the remote PED vector will be erased. |
Zeroize HSM
Domain | Destroyed |
HSM SO Role | Destroyed |
Partition SO Role | Destroyed |
Auditor Role | Unchanged |
Partition Roles | Destroyed |
HSM or Partition/Contents | HSM/Destroyed |
HSM Policies | Unchanged |
RPV | Unchanged |
Messaging | You are about to zeroize the HSM. All contents of the HSM will be destroyed. HSM policies, remote PED vector and Auditor left unchanged. |
Change Destructive HSM Policy
Domain | Unchanged |
HSM SO Role | Unchanged |
Partition SO Role | Destroyed |
Auditor Role | Unchanged |
Partition Roles | Destroyed |
HSM or Partition/Contents | HSM/Destroyed |
HSM Policies | Unchanged except for new policy |
RPV | Unchanged |
Messaging | You are about to change a destructive HSM policy. All partitions of the HSM will be destroyed. |
HSM Initialize When Zeroized (hard init)
Domain | Destroyed |
HSM SO Role | Destroyed |
Partition SO Role | Destroyed |
Auditor Role | Unchanged |
Partition Roles | Destroyed |
HSM or Partition/Contents | HSM/Destroyed |
HSM Policies | Unchanged |
RPV | Unchanged |
Messaging | You are about to initialize the HSM. All contents of the HSM will be destroyed. |
HSM Initialize From Non-Zeroized State (soft init)
Domain | Unchanged |
HSM SO Role | Unchanged |
Partition SO Role | Destroyed |
Auditor Role | Unchanged |
Partition Roles | Destroyed |
HSM or Partition/Contents | HSM/Destroyed |
HSM Policies | Unchanged |
RPV | Unchanged |
Messaging | You are about to initialize the HSM that is already initialized. All partitions of the HSM will be destroyed. You are required to provide the current SO password. |
HSM Firmware Rollback
Domain | Destroyed |
HSM SO Role | Destroyed |
Partition SO Role | Destroyed |
Auditor Role | Destroyed |
Partition Roles | Destroyed |
HSM or Partition/Contents | HSM/Destroyed |
HSM Policies | Unchanged |
RPV | Unchanged |
Messaging | WARNING: This operation will rollback your HSM to the previous firmware version !!! (1) This is a destructive operation. (2) You will lose all your partitions. (3) You may lose some capabilities. (4) You must re-initialize the HSM. (5) If the PED use is remote, you must re-connect it. |
Partition Initialize When Zeroized (hard init)
Domain | Unchanged |
HSM SO Role | Unchanged |
Partition SO Role | Destroyed |
Auditor Role | Unchanged |
Partition Roles | Destroyed |
HSM or Partition/Contents | Partition/Destroyed |
HSM Policies | Unchanged |
RPV | Unchanged |
Messaging | You are about to initialize the partition. All contents of the partition will be destroyed. |
Partition Initialize From Non-Zeroized State (soft init)
Domain | Unchanged |
HSM SO Role | Unchanged |
Partition SO Role | Destroyed |
Auditor Role | Unchanged |
Partition Roles | Destroyed |
HSM or Partition/Contents | Partition/Destroyed |
HSM Policies | Unchanged |
RPV | Unchanged |
Messaging | You are about to initialize the partition that is already initialized. All contents of the partition will be destroyed. You are required to provide the current Partition SO password. |
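The table above can be used as a pre-change gate that reports which preparation is still outstanding before an action is approved. The following Python is an added example, not Thales code or a Luna command; the action keys and the `state` fields (`backup_verified`, `audit_logs_exported`, `remote_ped`) are hypothetical names, and the effect letters are transcribed from the table.

```python
"""Pre-change gate built on the effects table from this page (added example)."""

# Columns in table order; D = Destroyed, U = Unchanged, R = Reset.
COLUMNS = ("domain", "hsm_so", "partition_so", "auditor",
           "partition_roles", "contents", "hsm_policies", "rpv")

# One letter per column, transcribed from the table. Keys are hypothetical labels.
EFFECTS = {
    "factory_reset":             "DDDDDDRD",
    "zeroize":                   "DDDUDDUU",
    "change_destructive_policy": "UUDUDDUU",  # policies unchanged except the new one
    "hsm_init_hard":             "DDDUDDUU",
    "hsm_init_soft":             "UUDUDDUU",
    "firmware_rollback":         "DDDDDDUU",
    "partition_init_hard":       "UUDUDDUU",
    "partition_init_soft":       "UUDUDDUU",
}
ROLE_COLUMNS = ("hsm_so", "partition_so", "auditor", "partition_roles")
PARTITION_SCOPED = {"partition_init_hard", "partition_init_soft"}


def effects(action):
    """Return {column: letter} for one action; reject unknown actions."""
    if action not in EFFECTS:
        raise ValueError(f"unknown action: {action}")
    return dict(zip(COLUMNS, EFFECTS[action]))


def roles_to_recreate(action):
    """Roles that the action destroys and that must be set up again afterwards."""
    eff = effects(action)
    return [role for role in ROLE_COLUMNS if eff[role] == "D"]


def preflight(action, state):
    """Return the preparation steps still missing before the action is run."""
    eff = effects(action)
    scope = "partition" if action in PARTITION_SCOPED else "HSM"
    blockers = []
    if eff["contents"] == "D" and not state.get("backup_verified"):
        blockers.append(f"back up partition content: all {scope} contents are destroyed")
    if eff["auditor"] == "D" and not state.get("audit_logs_exported"):
        blockers.append("collect audit data: the Auditor role is destroyed")
    if eff["rpv"] == "D" and state.get("remote_ped"):
        blockers.append("remote PED vector is erased: remote PED must be set up again")
    return blockers


if __name__ == "__main__":
    # Constructed inventory for illustration: nothing prepared, remote PED in use.
    state = {"backup_verified": False, "audit_logs_exported": False, "remote_ped": True}
    for action in EFFECTS:
        print(action, roles_to_recreate(action), preflight(action, state))
```

An empty list from `preflight` means none of the table's destructive effects is unprepared for; it does not replace reading the confirmation message the HSM prints.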
Elsewhere
Certain other actions, such as a firmware update, can sometimes cause collateral changes to the HSM. They usually do not affect contents, unless a partition is full and the action changes the size of partitions or changes the amount of space-per-partition that is taken by overhead/infrastructure. These are discussed elsewhere.