This is an option. You can change it.
If you run the hsm show command, you might see this text under the heading "FIPS 140-2 Operation":
The HSM is NOT in FIPS 140-2 approved operation mode
There is nothing wrong with your Luna SA. The message refers to an option (HSM policy code 12) that you can select according to your needs.
Here is how it works.
The HSM is capable of a comprehensive set of cryptographic algorithms, allowing it to address the needs of a world data security market. However, some governments and agencies specify a restricted set of the available algorithms that suit their requirements or that limit the scope of testing that they are required to perform. FIPS is a very prominent set of standards in the industry, so we provide an option to exclude some algorithms from availability, so that an HSM owner can operate confidently in compliance with the FIPS 140-2 standard.
However, as technology advances and the cryptographic landscape shifts, agencies like NIST need to update their standards (like FIPS), dropping older, less effective options and adding newer ones as they become important and are vetted in the test labs. The list of FIPS-approved algorithms is subject to change.
For the most current list of FIPS approved algorithms, please visit the NIST web site at http://csrc.nist.gov/
For FIPS, you might be interested in:
For Common Criteria EAL, you can check:
For Payment Card Industry standards:
Because we make available more algorithms and mechanisms than are covered under FIPS testing and certification, we are required by the FIPS 140-2 standard to provide the option for FIPS approved algorithms only , and to warn users if they are in a mode of operation that allows non-FIPS approved algorithms.
A summary table of our supported mechanisms, and their FIPS-approved status, is at "Supported Cryptographic Mechansim Summary ".
The only difference between the two modes is that when Non-FIPS algorithms are disallowed, then you are operating in fully FIPS-compliant mode, and you have access to only the algorithms listed by NIST for the standard (the algorithms that satisfy the standard). When Non-FIPS algorithms are allowed, then you have exactly the same HSM appliance, except that it now offers you the possibility to use many more algorithms that are not FIPS 140-2 approved. This is useful where FIPS 140-2 standard is not a requirement ( in many countries and organizations around the world). That is, the HSM treats FIPS-allowed algorithms identically when in either mode, but in non-FIPS mode the HSM offers additional capability that is not available in FIPS mode.
Your choice, then, is which is more important in your situation:
Thus, whoever is setting your policy must understand that it is the FIPS standard, and not SafeNet, that decides which algorithms are permissible. You then have the option to comply or not. The appliance remains just as highly secure in either mode, but you must choose the mode that satisfies your auditors and/or your application requirements.
Other than the compliance issue, described above, the major issue is that this is a destructive policy. That is, if you change this policy, the Partitions and their contents are lost. If you have any important keys, certificates, or other material stored on the Luna HSM, you will want to back them up before changing this, or any other destructive policy.