Purple PED Keys, Tamper, and Secure Transport

The use of purple PED Keys is optional unless your security policy dictates that tamper events must require a response from the HSM Admin.

The use of Secure Transport Mode (STM) is optional unless your security policy dictates that level of preparation before shipping or storage of the HSM.

If you wish to invoke Secure Transport Mode before shipping (or storing) a Luna SA appliance, you must enable the Secure Recovery Key. Enabling it moves one of the two recovery splits (the secure recovery vector, or SRV, which is used to recover the Master Tamper Key if that key is destroyed by a tamper event or by STM) out of the HSM and imprints it onto a purple PED Key.

Those actions are described in detail elsewhere.

About the Purple SRK (secure recovery key)

Due to its nature, the purple PED Key (and the secret it contains) behaves differently, in some respects, from all the other PED Keys.


  1. You choose to use this feature to enhance security during shipments or to enforce certain responses in case of physical tampering of the Luna SA (once again, it is optional - you can use all other features of the HSM without ever invoking a purple PED Key). You must put safeguards in place to ensure that the SRK does not go missing: without the purple PED Key, you cannot recover from STM or a tamper event, and must ship the appliance back to SafeNet for remanufacture.
  2. One of the safeguards that you can use is to make copies of the SRK at the time it is generated (*). If one of the copies is lost or destroyed, you can still recover the HSM.
  3. Another safeguard might be to extract the SRV onto multiple SRK splits (M of N greater than 1) rather than just one. If one of the N splits is lost or destroyed, you can still recover the HSM if you can locate quantity M of the remaining splits.
  4. As a safeguard against loss of the purple key in shipment, you do not need to ship the SRK to the site where the HSM is being installed. You can use Remote PED to perform the recovery from Secure Transport Mode (see "Secure Transport Mode [Remote]").

(* Unlike all other PED Keys, the purple PED Key cannot be duplicated via Luna PED's stand-alone duplication facility in the PED's Admin menu. If you attempt to do so, the PED insists that the source key you have presented is blank, and does not continue. Therefore, if you expect to need more than one copy of the SRK, you must make those duplicates when the SRK is created - either at hsm srk enable or at hsm srk keys resplit.)

Interrupted SRK Re-split Operation

It could happen that you initiate an SRK re-split operation (see "hsm srk keys resplit Command") and, for whatever reason, the process is interrupted. One possible reason is that you are called away before you can complete the PED transaction, and by the time you return your attention to Luna PED, the operation has timed out.

Luna PED can be reset by simply unplugging it and then reconnecting so that it reboots.

However, the HSM, having started the re-splitting operation, is left in a non-responsive state. The following example illustrates what that looks like, and how you can get back to normal operation. In short, once you are in that situation you cannot run any other HSM command; you must reboot the appliance and then re-run the hsm srk keys resplit command. When that command completes properly, the HSM is back in normal operation and accepts other commands.

Example of recovering from interrupted re-split


[myluna] lunash:>hsm srk keys resplit

Luna PED operation required to resplit the SRK - use Secure Recovery (purple) PED key.

(This is where the operator took too long to respond and the operation timed out.)

Error: 'hsm srk keys resplit' failed. (300000 : LUNA_RET_DEVICE_ERROR)

Command Result : 65535 (Luna Shell execution)

[myluna] lunash:>

We attempt to resume the operation.

[myluna] lunash:>hsm srk keys resplit

ERROR: Secure Recovery Keys are not supported on this HSM.

Error: 'hsm srk keys resplit' failed. (C0000105 : RC_FUNCTION_NOT_SUPPORTED)

Command Result : 65535 (Luna Shell execution)

[myluna] lunash:>

But that doesn't work. Perhaps if we just log out and log back in...

[myluna] lunash:>hsm logout

Error:   Unable to communicate with HSM.
         Please run 'hsm supportInfo' and contact customer support.

Command Result : 65535 (Luna Shell Execution)
[myluna] lunash:>

Perhaps a reboot of the entire system.

[myluna] lunash:>sysconf appliance reboot

WARNING !! This command will reboot the appliance.

All clients will be disconnected.

If you are sure that you wish to proceed, then type 'proceed', otherwise type 'quit'

> proceed

Proceeding...

Error: Unable to establish communication with the HSM.

Contact customer support.

Broadcast message from root (pts/0) (Wed May 18 08:58:44 2011):

The system is going down for reboot NOW!

Reboot commencing

Command Result : 0 (Success).......

After a couple of minutes the appliance has restarted and is ready for use again.

[myluna] lunash:>

login as: admin

admin@192.20.10.300's password:

Last login: Mon Feb 66 07:43:29 2012 from 172.20.10.173

Luna SA 5.1.0-22 Command Line Shell - Copyright (c) 2001-2011 SafeNet, Inc. All rights reserved.

Now that reboot is done and we have logged back into the appliance, can we log into the HSM?

[myluna] lunash:>hsm login

Error: 'hsm login' failed. (80000532 : LUNA_RET_MTK_STATE_INVALID)

Command Result : 65535 (Luna Shell execution)

[myluna] lunash:>

Not just yet. Perhaps if we try the re-splitting operation again, now that the appliance and HSM are rebooted...

[myluna] lunash:>hsm srk keys resplit

Luna PED operation required to resplit the SRK - use Secure Recovery (purple) PED key.

SRK resplit succeeded.

Command Result : 0 (Success)
[myluna] lunash:>

This is looking much more hopeful.

[myluna] lunash:>hsm login

Luna PED operation required to login as HSM Administrator - use Security Officer (blue) PED Key.

'hsm login' successful.

Command Result : 0 (Success)
[myluna] lunash:>

Our HSM is entirely back in operation, and the MTK recovery key has been re-split and a new external split imprinted on a purple PED Key (SRK).
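The recovery sequence shown above can be checked mechanically. The following is an added example (not SafeNet tooling, and not part of this manual) that parses lunash session output into per-command outcomes and maps the three failure codes seen in the session to the next command the procedure prescribes. The regexes, the Outcome class and the NEXT_STEP table are this example's own assumptions, and the sample transcript is constructed from the lines above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Patterns for the lunash lines seen in the session above (assumed representative
# of Luna SA 5.x output; the regexes and helper names are this example's own).
_CMD_RE = re.compile(r"^\[\w+\] lunash:>(\S.*)$")
_ERR_RE = re.compile(r"^Error: '[^']+' failed\. \([0-9A-Fa-f]+ : (?P<name>\w+)\)")
_RC_RE = re.compile(r"^Command Result : (?P<rc>\d+)")

@dataclass
class Outcome:
    command: str
    rc: Optional[int] = None     # 0 on success, 65535 on failure
    error: Optional[str] = None  # symbolic name, e.g. LUNA_RET_DEVICE_ERROR

def parse_lunash(transcript: str) -> List[Outcome]:
    """Attach each 'Error:' and 'Command Result' line to the command before it."""
    outcomes: List[Outcome] = []
    for raw in transcript.splitlines():
        line = raw.strip()
        if m := _CMD_RE.match(line):
            outcomes.append(Outcome(m.group(1).strip()))
        elif outcomes and (m := _ERR_RE.match(line)):
            outcomes[-1].error = m.group("name")
        elif outcomes and (m := _RC_RE.match(line)):
            outcomes[-1].rc = int(m.group("rc"))
    return outcomes

# The manual's prescribed next command for each failure seen after an interrupted
# re-split; anything unrecognised falls back to collecting 'hsm supportInfo'.
NEXT_STEP = {
    "LUNA_RET_DEVICE_ERROR": "sysconf appliance reboot",      # PED timed out, HSM unresponsive
    "RC_FUNCTION_NOT_SUPPORTED": "sysconf appliance reboot",  # re-split cannot simply be resumed
    "LUNA_RET_MTK_STATE_INVALID": "hsm srk keys resplit",     # finish the split before hsm login
}

def next_step(outcomes: List[Outcome]) -> str:
    """Return the lunash command to run next, judged from the last outcome."""
    if not outcomes or outcomes[-1].rc == 0:
        return "hsm login"  # nothing is failing: normal operation can resume
    return NEXT_STEP.get(outcomes[-1].error or "", "hsm supportInfo")

# Constructed sample, condensed from the session above.
SAMPLE = """\
[myluna] lunash:>hsm srk keys resplit
Error: 'hsm srk keys resplit' failed. (300000 : LUNA_RET_DEVICE_ERROR)
Command Result : 65535 (Luna Shell execution)
[myluna] lunash:>hsm login
Error: 'hsm login' failed. (80000532 : LUNA_RET_MTK_STATE_INVALID)
Command Result : 65535 (Luna Shell execution)
"""
```

Feed it a captured lunash session (for example one saved by your terminal logger) and next_step() returns the command the procedure above calls for at that point.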

When re-split was invoked above, Luna PED would have refused to overwrite the current purple PED Keys (keys containing the currently valid Secure Recovery Vector). This is a safety feature to ensure that a valid purple key remains valid if the re-split operation is interrupted. It affects only the current purple PED Key(s). If you previously performed a re-split or disabled SRK (brought the external split back into the HSM), then those previous purple PED Keys are no longer valid and can be used as "blanks" for the re-split that you perform today.
