General

This section applies to Luna HSMs with PED (Trusted Path) Authentication, only.

As indicated elsewhere, the capability to imprint “group-User” PED Keys and “duplicate-User” PED Keys, permits considerable flexibility in the use, archiving and general management of PED Keys.

The following pages address the ongoing management of PED Keys (which would normally include at least one "working" or "production" set, and at least one backup set, possibly stored off-site).

"Possible" Does Not Mean "Necessary"

When you initialize an HSM or create a Partition, Luna PED prompts you for various PED Keys and actions. Some are mandatory, some are advisable, and some are optional, depending upon your situation and requirements. Here is a quick summary:

Imprint a Blue PED Key

When an HSM is initialized, it sets up a blue Security Officer (SO) or HSM Admin authentication PED Key (two names for the same function, depending upon the industry you are in). This is the key that you will need in future, to access that HSM. This can be done in one of two ways:

the HSM can generate new, unique, random authentication data and imprint it onto a blue PED Key -- the resulting blue PED Key will now unlock that HSM, but no other
(you do this when you answer "NO" to the "reuse an existing keyset (roughly equivalent to the "Group PED Key" question on the old PED 1.x)" question from the Luna PED)

the HSM can read the authentication from a blue PED Key that was already imprinted by another HSM, and accept that data as its own -- the blue PED Key can now unlock two (or more) different Luna HSMs
(you do this when you answer "YES" to the "Reuse an existing keyset" question from Luna PED)

During initialization of an HSM, the HSM determines which blue PED Key will "unlock" the HSM in future. The HSM can create new, random authentication data and imprint that data onto a blue PED Key, or the HSM can scan an existing (previously imprinted) blue PED Key from another HSM and set the data from that older blue key as the new HSMs own "unlocking" data.

For your very first HSM, you must initialize a blue PED Key for the HSM Admin.
If this HSM is not the first; if you are creating a group of HSMs that are related in some way, then you CAN initialize a new blue PED Key for it, or you can re-use the authentication data on another blue PED Key (by deciding it will be a Group PED Key). This is your option. The HSM requires an imprinted blue PED Key when you access it, but you decide (at HSM initialization) whether that blue PED Key should be unique to this particular HSM, or shared among two or more HSMs.
Whenever you perform an initialization, the Luna PED also gives you the option to make duplicates of your important PED Keys. If you already have enough (at least one primary and at least one backup), then you can just answer "NO" to the "Copy this key" prompt. If you need more of the current type of PED Key (in this case, the blue HSM Admin PED Key), then say "YES" and continue supplying additional blank keys until you have enough duplicates.

If you are new to using PED keys and your security policy allows it, you should make a duplicate copy of the blue Security Officer and red cloning domain PED Keys as backups. And please review General Advice on PED Key Handling at this time.