Administration & Maintenance - Managing PED Keys
This section applies to Luna HSMs with PED (Trusted Path) Authentication, only.
As indicated elsewhere, the capability to imprint “group-User” PED Keys and “duplicate-User” PED Keys, permits considerable flexibility in the use, archiving and general management of PED Keys.
The following pages address the ongoing management of PED Keys (which would normally include at least one "working" or "production" set, and at least one backup set, possibly stored off-site).
"Possible" Does Not Mean "Necessary"
When you initialize an HSM or create a Partition, Luna PED prompts you for various PED Keys and actions. Some are mandatory, some are advisable, and some are optional, depending upon your situation and requirements. Here is a quick summary:
Imprint a Blue PED Key
When an HSM is initialized, it sets up a blue Security Officer (SO) or HSM Admin authentication PED Key (two names for the same function, depending upon the industry you are in). This is the key that you will need in future, to access that HSM. This can be done in one of two ways:
OR
During initialization of an HSM, the HSM determines which blue PED Key will "unlock" the HSM in future. The HSM can create new, random authentication data and imprint that data onto a blue PED Key, or the HSM can scan an existing (previously imprinted) blue PED Key from another HSM and set the data from that older blue key as the new HSMs own "unlocking" data.
If you are new to using PED keys and your security policy allows it, you should make a duplicate copy of the blue Security Officer and red cloning domain PED Keys as backups. And please review General Advice on PED Key Handling at this time.
PED Keys and Operational Roles
Multiple or Duplicate PED Keys
Complexity When Managing PED Keys
Updating PED Key for a Backup Token
Init an HSM with Existing Domain & Shared PED Keys