Secure Transport Mode [Remote]

This topic describes how to invoke Secure Transport Mode (STM) on a remote Luna SA HSM when shipping the appliance.

That is, as the appliance administrator and the HSM Admin or SO, you are not present when Secure Transport Mode is invoked and the appliance is packed for shipment, and you are not present at its destination when the appliance is unpacked and readied for use.

On-site technical personnel are performing the physical take-down, packing, unpacking and setup, but you remain at your remote location, administering the appliance and HSM via SSH and controlling access via Remote PED.

You could also use STM for securely storing the HSM, where "transport" would take place simply into, and later out of, your warehouse or vault. However, you would also need to manage separate secure storage and handling of the imprinted purple PED Key (SRK) for that HSM until it was time to recover the HSM and return it to service.

This page applies to PED Authenticated HSMs only. It does not apply to Password Authenticated HSMs.
This page assumes that you have a Remote Capable Luna PED 2 and the associated pedserver.exe software installed on your local computer.

You have already set up the Luna SA for Remote PED operation, before you shipped it to its current remote location - that is, you imprinted the HSM and an orange PED Key with the Remote PED Vector (RPV), and you have that orange key available.

BACKUP

If the HSM contents are of any value, perform backups of your partitions before you continue with the Secure Transport Mode procedure (see "Backup your HSM Partition Remotely").

Make a Remote PED Connection

First, using an ssh session, display the current status of the remotely located Luna SA, to know your starting point.

[192.168.9.72] lunash:>hsm ped show
Ped Client Version 1.0.5 (10005)
Ped Client launched in status mode.
Ped PedClient is not currently running.
Show command passed.
Command Result : 0 (Success)
[192.168.9.72] lunash:>

Start pedServer.exe on your local computer.

Via SSH, tell the Remote PED Client on the Luna SA to find and connect to the PED Server (pedServer.exe) on the selected computer - most likely the computer where you are currently working.

[192.168.9.72] lunash:>hsm ped connect -ip 192.168.10.175 -port 1503
Luna PED operation required to connect to Remote PED - use orange PED key(s).
Ped Client Version 1.0.5 (10005)
Ped Client launched in startup mode.
Starting background process
Background process started
Ped Client Process created, exiting this process.
Command Result : 0 (Success)
[192.168.9.72] lunash:>

 

Confirm that the link is established.

[192.168.9.72] lunash:>
[192.168.9.72] lunash:>hsm ped show
Ped Client Version 1.0.5 (10005)
Ped Client launched in status mode.
Ped Client is connected to a Ped Server.

 

Client Information
     Hostname: 192.168.9.72
     IP: 192.168.9.72/192.168.254.254
     Firmware Version: 6.0.7
     HSM Cmd Protocol Version: 15
     Callback IO Version: 1
     Callback Protocol Version: 1
     Software Version: 1.0.5 (10005)
        
        
Server Information
     Hostname: OTT1-202011
     IP: 192.168.10.175 
     Firmware Version: 2.4.0-3
     PedII Protocol Version: 1.0.1-0
     Software Version: 1.0.5 (10005)
     Ped2 Connection Status: Connected 
     Ped2 RPK Count  
     Ped2 RPK Serial Numbers   (70540100834a2301)  
        
Operating Information
     Server Port: 1503
     Admin Port: 1501 
     External Admin Interface:  No
     Client Up Time: 31 (secs)  
     Client Current Idle Time:   7 (secs)  
     Client Total Idle Time: 9 (secs) (29%)   
     Idle Timeout Value:   1800 (secs)
        
Show command passed.
Command Result : 0 (Success)
[192.168.9.72] lunash:>

 

Check SRK status

 

[192.168.9.72] lunash:>hsm srk show
Secure Recovery State flags:
=================================
External split enabled:      no
SRK resplit required:        no
Hardware tampered:           no
Transport mode:              no
Command Result : 0 (Success)

 

Enable SRK

 

[192.168.9.72] lunash:>hsm srk enable
Luna PED operation required to enable external SRK split - use Secure Recovery (purple) PED key.

In RemotePED, answer the following prompts:

M value (1-16)
N value (M-16)
Insert a SRK PED key and press ENTER
This PED Key is for SRK, overwrite? Yes/No
**warning** Are you sure you want to overwrite this PED Key? Yes/No
Enter new PED PIN:
Confirm new PED PIN:
Are you duplicating this keyset? (Y/N)

PED shows “STM Enabled”

Command Result : 0 (Success)
[192.168.9.72] lunash:>hsm srk show
Secure Recovery State flags:
=================================
External split enabled:      yes
SRK resplit required:        no
Hardware tampered:           no
Transport mode:              no
Command Result : 0 (Success)

 

Enter Secure Transport Mode

 

[192.168.9.72] lunash:>hsm srk transportMode enter
CAUTION:  You are about configure the HSM in transport mode.
If you proceed, the HSM will be inoperable until it
is recovered with the Secure Recovery Key.
Type 'proceed' to continue, or 'quit' to quit now.
> proceed
Configuring the HSM for transport mode...
Luna PED operation required to enter transport mode - use Secure Recovery (purple) PED key.
Be sure to record the verification string that is displayed after the MTK is zeroized.

In RemotePED, answer the following prompts:

   Insert a SRK PED key and press ENTER
   Generating a verify string ECSK-W7xT-Ep9E-psGb, Continue? (Y/N)

PED shows “SRK was zeroized”

HSM is now in Transport Mode.
Command Result : 0 (Success)
[192.168.9.72] lunash:>hsm srk show
Secure Recovery State flags:
=================================
External split enabled:      yes
SRK resplit required:        no
Hardware tampered:           no
Transport mode:              yes
Command Result : 0 (Success)

 

At this point, pack the HSM appliance and ship it to your eventual recipient via the most secure means (courier) available.

The options now are:

If you keep control

In the first scenario, you retain all PED Keys and will perform further administrative actions from your location when the HSM reaches its new destination. You retain control: you manage the physical security of the purple PED Key and the verification string, which you will use when you perform STM recovery remotely (below).

The subsequent instructions on this page assume this scenario, where you have remotely set the HSM into Secure Transport Mode, and you will be remotely taking the HSM out of Secure Transport Mode, once it has arrived at its next location and been set up.

If you transfer control

In the second scenario, you relinquish administrative control of the HSM, so you ship the purple PED Key and the verification string to the eventual owners/administrators of the HSM.

In this way, you are ensuring that the three components (HSM, purple PED Key, and verification string for that specific PED Key) cannot be brought together between the time they leave your hands and the time that they arrive (separately) at the recipient destination.

In this scenario, your recipient should also have this Help, and they can decide whether to use the local instructions or the remote instructions (below) to bring the received HSM out of Secure Transport Mode.

 

What if someone makes a new SRK while the HSM is in Transport Mode?

The HSM refuses to allow such action. Here is an example of an attempt, and the result.

SRK Resplit (attempt) while HSM is in Transport Mode

[192.168.9.72] lunash:>hsm srk keys resplit
Error:  The Secure Recovery Key cannot be resplit when the HSM is in 
tranport mode or tampered.  Use the recover command to restore 
the HSM to a functional state.
Error:  'hsm srk keys resplit' failed. (C0000400 : RC_TOKEN_STATE_INVALID)
Command Result : 65535 (Luna Shell execution)

SRK Key verify (attempt) while HSM is in Transport Mode

[192.168.9.72] lunash:>hsm srk keys verify
Error:  The SRK cannot be verified when the HSM is in transport mode 
or tampered.  Use the recover command to restore the 
HSM to a functional state.
Error:  'hsm srk keys verify' failed. (C0000400 : RC_TOKEN_STATE_INVALID)
Command Result : 65535 (Luna Shell execution)

 

At the destination, recover from Secure Transport Mode

 

[192.168.9.72] lunash:>hsm srk transportMode recover
Attempting to recover from Transport Mode...
Luna PED operation required to recover the HSM - use Secure Recovery (purple) PED key.

In RemotePED, respond to the following prompts as appropriate:

   Insert a SRK PED key and press ENTER
   Generating a verify string ECSK-W7xT-Ep9E-psGb, Continue? (Y/N)

Luna PED shows “SRK was restored” and lunash command line shows:

Successfully recovered from transport mode.
HSM restored to normal operation.
Command Result : 0 (Success)
[192.168.9.72] lunash:>hsm srk show
Secure Recovery State flags:
=================================
External split enabled:      yes
SRK resplit required:        no
Hardware tampered:           no
Transport mode:              no
Command Result : 0 (Success)
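
The flag checks made at each step of this procedure can be run automatically against captured SSH session text. The following is an added example, not part of the original manual or of any vendor tooling; the stage names and function names are assumptions chosen for illustration, and the expected flag values are the ones shown in the "hsm srk show" outputs on this page.

```python
import hmac
import re

BASE = {"External split enabled": "yes", "SRK resplit required": "no",
        "Hardware tampered": "no", "Transport mode": "no"}
# Flags this page shows in "hsm srk show" at each step (stage names are illustrative).
EXPECTED = {
    "start":     {**BASE, "External split enabled": "no"},
    "enabled":   BASE,
    "transport": {**BASE, "Transport mode": "yes"},
    "recovered": BASE,
}
FLAG_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(yes|no)\s*$")

# Output copied from this page (HSM in transport mode).
IN_TRANSIT = """\
[192.168.9.72] lunash:>hsm srk show
Secure Recovery State flags:
=================================
External split enabled:      yes
SRK resplit required:        no
Hardware tampered:           no
Transport mode:              yes
Command Result : 0 (Success)
"""
# Constructed sample: the same output with the tamper flag set.
TAMPERED = re.sub(r"(Hardware tampered:\s+)no", r"\1yes", IN_TRANSIT)

def parse_srk_show(output):
    """Return {flag name: 'yes' or 'no'} from captured 'hsm srk show' text."""
    flags = {}
    for line in output.splitlines():
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(1)] = m.group(2)
    return flags

def check_stage(output, stage):
    """List deviations from the flags expected at this stage; empty means OK."""
    if "Command Result : 0 (Success)" not in output:
        return ["command did not report success"]
    flags = parse_srk_show(output)
    return [f"{name}: expected {want}, got {flags.get(name)}"
            for name, want in EXPECTED[stage].items() if flags.get(name) != want]

def verify_string_matches(recorded, displayed):
    """Compare the string recorded at 'transportMode enter' with the one shown at recover."""
    return hmac.compare_digest(recorded.strip().encode(), displayed.strip().encode())
```

A non-empty list from check_stage, or a False result from verify_string_matches, is a reason to stop and investigate before continuing with recovery.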

 

 

SRK key resplit

Having received and unlocked your HSM, you might now prefer to invalidate the current SRK and create a new external split for future use.

[192.168.9.72] lunash:>hsm srk keys resplit
Luna PED operation required to resplit the SRK - use Secure Recovery (purple) PED key.
In RemotePED, answer the following prompts:
   Insert a SRK PED key and press ENTER
   M value (1-16)
   N value (M-16)
   Insert a SRK PED key and press ENTER (insert old SRK key here)
   This PED Key is for SRK, overwrite? Yes/No

Note: you see the above message if the key that you present has previously been imprinted with a Secure Recovery Vector.

**warning** Are you sure you want to overwrite this PED Key? Yes/No
Enter new PED PIN:
Confirm new PED PIN:
Are you duplicating this keyset? (Y/N)
PED shows “SRK was resplit”
SRK resplit succeeded.
Command Result : 0 (Success)
[192.168.9.72] lunash:>hsm srk show
Secure Recovery State flags:
=================================
External split enabled:      yes
SRK resplit required:        no
Hardware tampered:           no
Transport mode:              no
Command Result : 0 (Success)

 

Verify the new SRK

[192.168.9.72] lunash:>hsm srk keys verify
Luna PED operation required to verify the SRK split - use Secure Recovery (purple) PED key.

On the Remote PED, respond to the prompts:

Insert a SRK PED key and press ENTER
PED shows “SRK was restored”
SRK verified.
Command Result : 0 (Success)
[192.168.9.72] lunash:>hsm srk show
Secure Recovery State flags:
=================================
External split enabled:      yes
SRK resplit required:        no
Hardware tampered:           no
Transport mode:              no
Command Result : 0 (Success)

 

SRK disable

This section shows how to disable SRK, which returns the external split (Secure Recovery Vector) of the Master Key from its location on the external purple PED Key to a location inside the HSM. After this action, Secure Transport Mode is not possible unless you enable SRK again. Also, with the two recovery splits held inside the HSM, the HSM can recover from a physical tamper event with only a reboot.

[192.168.9.72] lunash:>hsm srk disable
Luna PED operation required to disable external SRK split - use Secure Recovery (purple) PED key.

In RemotePED, respond to the following prompts:

   Insert a SRK PED key and press ENTER

Luna PED shows “STM Disabled”

Command Result : 0 (Success)
[192.168.9.72] lunash:>hsm srk show
Secure Recovery State flags:
=================================
External split enabled:      no
SRK resplit required:        no
Hardware tampered:           no
Transport mode:              no
Command Result : 0 (Success)
[192.168.9.72] lunash:>

 
