General Advice on PED Key Handling

In addition to the cardinal admonitions about careful physical security and prompt, thorough backups of your HSM partitions and PED Keys, here are some practical tips to make the tasks as easy as possible.

Keep a Log

Keep careful records, both of the regular backup procedures, and of who has possession of any token and any PED Key at any time. Your records should show every hand-off or change of possession and your policy should enforce it. Proper security protocols demand that you be able to account for all primary devices (HSM Servers, tokens and PED Keys) at all times, without exception. Establish strict procedures governing when and how those devices may enter storage, be removed from storage, or change hands among users.

When performing backups and other maintenance functions (such as changing PINs on keys and HSMs), log the event, but also keep a worksheet of notes so that if the task is interrupted you can resume it without confusion or hesitancy as to which devices have been altered and which have not. To help in that regard, see the next section.

Apply Meaningful Labels

This suggestion has two aspects relating to everyday handling convenience and to the previous section, “Keep a Log”:

Apply text-string labels to your HSM Servers and tokens.
Apply physical labels to the exterior of the physical devices.

In the first case, a unique, easily identifiable word or phrase serves as a final check in lunash or at the client when you are about to perform an action that could alter an HSM, a token or its contents. You might consider a label consisting of a part (perhaps a word) that identifies the domain to which the token belongs, and another part (perhaps another word or a number) that identifies it as a particular member of that group.

The second case, physical labels, applies to HSM Servers and PED Keys.

When handling multiple HSMs and keys, it is easily possible to become confused as to which ones have been updated and which ones are yet to be updated. Worse (if you are using common administrative group PED Keys) would be restoring onto the wrong Partition or HSM Server, from a backup.

General physical handling is made easier if you have a way to identify a device visually. Easy identification facilitates log-keeping.

Do not cover or obstruct the connector end of a PED Key.

Do not permanently obscure the appliance serial number. You would want it visible in the unlikely event that you ever needed to contact SafeNet for assistance.

Keys

PED Keys have different roles. Colors help to easily distinguish the roles and you should use the labels included with the product (blue, red, black, orange, and purple) to mark PED Keys before you initialize them. The additional suggestions on this page are about applying additional labels (stickers, tags, other) of your own, to identify specific keys and key sets and where they fit in your operational scheme.

The PED Keys might further be in need of visual identifiers if you elect the M of N option, which adds several, visually-similar keys to the mix. It might be useful to identify the following:

Which keys (blue, black, red) are associated with which HSMs or Partitions or Clusters).
Which black keys are associated with which Partition and client. It normally makes sense to associate a key to a title or function, rather than to a specific person.
Which key is which in an M of N group. This is particularly useful when the SO is initializing HSMs and keys (and could be accomplished by temporary labels in that situation).

You must decide whether visual identifiers of M of N status of keys would be useful once the keys and tokens are in operation (or in backup safe storage), or whether your security requirements would prohibit such tags or markings.