
Luna Reference

Partition Capabilities & Policies

Each entry below gives the partition capability name (with its CONTAINER_CONFIG constant), the corresponding partition policy name, whether the policy is modifiable, and a description.

Capability: Enable private key cloning (CONTAINER_CONFIG_PRIVATE_KEY_CLONING)
Policy: Allow private key cloning
Modifiable: depends
Description: If this is allowed, the private keys on the partition may be backed up, and the HSM Admin can turn this feature on or off. The value of this capability depends on the HSM capability and policy “Enable cloning”. If this is not allowed, private keys on this partition cannot be backed up, and the HSM Admin may not change this. Partition backup or partition network replication is allowed for the SafeNet high availability feature.

Capability: Enable private key wrapping (CONTAINER_CONFIG_PRIVATE_KEY_WRAPPING)
Policy: Allow private key wrapping
Modifiable: depends
Description: If this is allowed, private keys on the partition may be wrapped, and the HSM Admin can turn this feature on or off. If not allowed, private keys on the partition may not be wrapped off. This value is always set to Disallowed for all partitions on a Luna HSM.

Capability: Enable private key unwrapping (CONTAINER_CONFIG_PRIVATE_KEY_UNWRAPPING)
Policy: Allow private key unwrapping
Modifiable: depends
Description: If this is allowed, private keys may be unwrapped onto the partition, and the HSM Admin can turn this feature on or off. If not allowed, private key unwrapping is not available, and the HSM Admin cannot change this.

Capability: Enable private key masking (CONTAINER_CONFIG_PRIVATE_KEY_MASKING)
Policy: Allow private key masking
Modifiable: depends
Description: If this is allowed, keys on the partition can use SIM, and the HSM Admin can turn this feature on or off. Encryption for this feature uses an AES 256-bit key. The value of this capability depends on the HSM capability and policy “Enable masking”. If this is not allowed, this partition cannot participate in SIM, and the HSM Admin cannot change this.

Capability: Enable secret key cloning (CONTAINER_CONFIG_SECRET_KEY_CLONING)
Policy: Allow secret key cloning
Modifiable: depends
Description: If this is allowed, secret keys on the partition can be backed up, and the HSM Admin can turn this feature on or off (for example, the HSM Admin may wish to turn this feature on only immediately before a scheduled backup, and then turn it off again to prevent unauthorized backup). If this is not allowed, secret keys cannot be backed up, and the HSM Admin cannot change this. Partition backup or partition network replication is allowed for the SafeNet high availability feature.

Capability: Enable secret key wrapping (CONTAINER_CONFIG_SECRET_KEY_WRAPPING)
Policy: Allow secret key wrapping
Modifiable: depends
Description: If this is allowed, secret keys can be wrapped off the partition, and the HSM Admin can turn this feature on or off (for example, the HSM Admin may wish not to allow secret key wrapping, in which case he/she would set the corresponding policy to “no”). If this is not allowed, the partition does not support secret key wrapping, and the HSM Admin cannot change this.

Capability: Enable secret key unwrapping (CONTAINER_CONFIG_SECRET_KEY_UNWRAPPING)
Policy: Allow secret key unwrapping
Modifiable: depends
Description: If this is allowed, secret keys can be unwrapped onto the partition, and the HSM Admin can turn this feature on or off. If this is not allowed, the partition does not support secret key unwrapping, and the HSM Admin cannot change this.

Capability: Enable secret key masking (CONTAINER_CONFIG_SECRET_KEY_MASKING)
Policy: Allow secret key masking
Modifiable: depends
Description: If this is allowed, secret keys on the partition can use SIM, and the HSM Admin can turn this feature on or off. Encryption for this feature uses an AES 256-bit key. If it is not allowed, the partition does not support SIM.

Capability: Enable multipurpose keys (CONTAINER_CONFIG_MULTIPURPOSE_KEYS)
Policy: Allow multipurpose keys
Modifiable: depends
Description: If this is allowed, keys on the partition may be created for multiple purposes, such as signing and decrypting, and the HSM Admin can turn this feature on or off. If not allowed, keys created on (or wrapped onto) the partition must be for a single function only (i.e. only one function may be specified in the attribute template).

Capability: Enable changing key attributes (CONTAINER_CONFIG_CHANGE_KEY_ATTRIBUTES)
Policy: Allow changing key attributes
Modifiable: depends
Description: If this is allowed, non-sensitive attributes of the keys on the partition are modifiable (i.e. the user can change the functions that the key can perform), and the HSM Admin has the ability to turn this feature on or off. If not allowed, keys created on the partition cannot be modified.
This policy affects the following "key function attributes":
CKA_ENCRYPT
CKA_DECRYPT
CKA_WRAP
CKA_UNWRAP
CKA_SIGN
CKA_SIGN_RECOVER
CKA_VERIFY
CKA_VERIFY_RECOVER
CKA_DERIVE
CKA_EXTRACTABLE
All other attributes are not controlled by this policy.
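The two policies above (single-function keys and the attributes governed by "Allow changing key attributes") can be checked against a PKCS#11 attribute template before a key is created or modified. This is an added example and not code from the Luna documentation; the attribute names are the ones listed on this page, and treating every listed attribute except CKA_EXTRACTABLE as a "function" attribute for the multipurpose rule is this example's own assumption.

```python
# Added example: pre-flight check of a key template against the partition
# policies described on this page. Assumption: the "function" attributes for
# the multipurpose rule are the listed attributes minus CKA_EXTRACTABLE.
FUNCTION_ATTRS = ("CKA_ENCRYPT", "CKA_DECRYPT", "CKA_WRAP", "CKA_UNWRAP",
                  "CKA_SIGN", "CKA_SIGN_RECOVER", "CKA_VERIFY",
                  "CKA_VERIFY_RECOVER", "CKA_DERIVE")
# Attributes the "Allow changing key attributes" policy governs.
POLICY_CONTROLLED_ATTRS = FUNCTION_ATTRS + ("CKA_EXTRACTABLE",)


def enabled_functions(template: dict) -> list:
    """Names of the function attributes set to true in a template."""
    return [a for a in FUNCTION_ATTRS if template.get(a) is True]


def template_violations(template: dict, allow_multipurpose: bool) -> list:
    """Reasons the template would be rejected under the multipurpose policy."""
    problems = []
    funcs = enabled_functions(template)
    if not funcs:
        problems.append("template enables no key function")
    if not allow_multipurpose and len(funcs) > 1:
        problems.append("multipurpose keys disallowed: " + ", ".join(funcs))
    return problems


def blocked_attribute_changes(changes: dict, allow_changing: bool) -> list:
    """Requested attribute changes the 'changing key attributes' policy
    refuses when it is off. Attributes outside the page's list are not
    controlled by that policy, so they are never reported here."""
    if allow_changing:
        return []
    return [a for a in changes if a in POLICY_CONTROLLED_ATTRS]


# Constructed sample: an RSA private key template that both signs and decrypts.
SAMPLE_TEMPLATE = {"CKA_CLASS": "CKO_PRIVATE_KEY", "CKA_SIGN": True,
                   "CKA_DECRYPT": True, "CKA_EXTRACTABLE": False}
```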

Capability: Enable PED use without challenge (CONTAINER_CONFIG_AUTHENTICATION_WITHOUT_CHALLENGE)
Policy: n/a
Modifiable: no
Description: If this is allowed, the HSM can use the Luna PED without using a challenge (HSM Partition Password). The corresponding policy is always set to not allowed for Luna HSMs (i.e. Luna HSM partitions always require HSM Partition Passwords).

Capability: Allow failed challenge responses (CONTAINER_CONFIG_FAILED_CHALLENGE_COUNTER)
Policy: Ignore failed challenge responses
Modifiable: depends
Description: If this is allowed, failed challenge responses (HSM Partition Passwords) will not increment the counter for X consecutive bad login attempts, and the HSM Admin can turn this feature on or off. If not allowed, failed challenge responses (HSM Partition Passwords) will increment the failed login counter. This capability/policy only pertains to HSMs that use the Luna PED for authentication. (The policy name is slightly different from the capability name: if the policy is on, failed challenges are ignored, which is the same as if the capability is allowed.)

Capability: Enable operation without RSA blinding (CONTAINER_CONFIG_NO_RSA_BLINDING)
Policy: Operate without RSA blinding
Modifiable: depends
Description: If this is allowed, the partition may run in a mode that does not use RSA blinding, and the HSM Admin can turn this feature on or off. (Blinding is a technique that introduces random elements into the signature process to prevent timing attacks on the RSA private key. Use of this technique may be required by certain security policies, but it does reduce performance.) If disallowed, the partition will always run in RSA blinding mode, and performance will be lower than SafeNet published performance. (The policy name is slightly different from the capability name: if the policy is on, RSA blinding is not used, which is the same as if the capability is allowed.)

Capability: Enable signing with non-local keys (CONTAINER_CONFIG_NONLOCAL_SIGNING_KEYS)
Policy: Allow signing with non-local keys
Modifiable: depends
Description: If this is allowed, keys that have been wrapped onto the partition may be used (trusted) for signing, and the HSM Admin can turn this feature on or off. If moving keys from software to hardware, this capability must be allowed, and the corresponding policy must be set 'on', or the keys will not be able to perform signing. If not allowed, only keys that were created locally (on the hardware) can be used for signing.

Capability: Enable raw RSA operations (CONTAINER_CONFIG_RAW_RSA_OPERATIONS)
Policy: Allow raw RSA operations
Modifiable: depends
Description: If this is allowed, the partition may allow raw RSA operations (mechanism CKM_RSA_X_509), and the HSM Admin can turn this feature on or off. If not allowed, the partition will not support raw RSA operations.

Capability: Max failed user logins allowed (CONTAINER_CONFIG_MAX_FAILED_USER_LOGINS_ALLOWED)
Policy: Max failed user logins allowed
Modifiable: depends
Description: The number in the capability indicates the maximum number of consecutive failed user logins allowed, as set by the partition license. The HSM Admin can set the corresponding policy to a value less than or equal to the capability value (for example, if the capability shows 15, the policy can be set to [1-15], although setting it to a very low number is not recommended).

Capability: Enable high availability recovery (CONTAINER_CONFIG_HIGH_AVAILABILITY)
Policy: Allow high availability recovery
Modifiable: depends
Description: If this is allowed, another partition that is in high availability mode with this partition may be used to restore login state to this partition after a power outage or other deactivation, and the HSM Admin may turn this feature on or off. If not allowed, this partition does not support the SafeNet high availability feature.

Capability: Enable activation (CONTAINER_CONFIG_ACTIVATION)
Policy: Allow activation
Modifiable: depends
Description: If this is allowed, PED Key data for the partition may be cached so that subsequent logins do not require PED Keys, and the HSM Admin may turn this feature on or off. If not allowed (or if the policy is turned off), PED Keys must be presented at each login (whether the call is local or from a client application). This policy only applies to partitions on HSMs that use the Luna PED for authentication.

Capability: Enable auto-activation (CONTAINER_CONFIG_AUTO_ACTIVATION)
Policy: Allow auto-activation
Modifiable: depends
Description: If this is allowed, PED Key data for the partition may be semi-permanently cached to hard disk (encrypted) so that the partition's activation status can be maintained after a short power loss, and the HSM Admin can turn this feature on or off. If power stays off for more than a few minutes, the key that was used to encrypt the data cached to hard disk is no longer valid, so authentication cannot be reinstated. If this capability is not allowed, the partition does not support auto-activation. This policy only applies to partitions on HSMs that use the Luna PED for authentication.

Capability: Minimum pin length (inverted: 255 - min) (CONTAINER_CONFIG_MINIMUM_PIN_LENGTH)
Policy: Minimum pin length (inverted: 255 - min)
Modifiable: yes
Description: The minimum pin length value is determined as follows. Since a policy can only be set to values lower than (or equal to) the value in a capability, if the min pin length capability were set to 7, the policy could be set to 2, which is a less restrictive policy. This is not acceptable. So, to keep all capabilities consistent, the value of this capability must be interpreted. The formula to use is:
    (max pin) - (min pin) = (capability value)
If the minimum pin length capability is set to 248, and the maximum pin length capability is set to 255, the minimum pin is:
    255 - (min pin) = 248  -->  (min pin) = 255 - 248  -->  min pin is 7
The administrator can set the policy to select a new, more restrictive minimum pin length. Continuing with the example above, assume the administrator wants to set the min pin length to 10 to force better password selection. Solve for the policy value in the following formula:
    (max pin) - (min pin) = (policy value)  -->  255 - 10 = (policy value)  -->  policy value is 245
To set the minimum pin length to 10, the HSM Admin would change the min pin length policy to 245.
Thus, the HSM Admin would select a number less than the capability (245 is less than 255) to set the minimum pin length to a greater value.

Capability: Maximum pin length (CONTAINER_CONFIG_MAXIMUM_PIN_LENGTH)
Policy: Maximum pin length
Modifiable: yes
Description: The value here is the maximum value for the pin length. This value is used in calculating the minimum pin length, and the value in the maximum pin length policy must always be greater than the value in the minimum pin length policy.
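The inverted encoding in the two pin length entries above is easy to get backwards, and the inversion means that "policy must be at most the capability" on the wire is "policy minimum must be at least the capability minimum" for the user. The following helper, an added example rather than code from the Luna documentation, converts between the raw values and the human-readable minimum and refuses a policy value that would weaken the capability floor; the function names and the default max pin of 255 (the page's example value) are this example's assumptions.

```python
# Added example: encode/decode the inverted minimum pin length values and
# validate an intended policy against the capability, using the formula
# (max pin) - (min pin) = (value) from the documentation.
MAX_PIN_DEFAULT = 255  # assumed default; the page's example max pin capability


def min_pin_from_encoded(encoded: int, max_pin: int = MAX_PIN_DEFAULT) -> int:
    """Decode a capability or policy value into the minimum pin length."""
    if not 0 <= encoded <= max_pin:
        raise ValueError(f"encoded value {encoded} outside 0..{max_pin}")
    return max_pin - encoded


def encode_min_pin(min_pin: int, max_pin: int = MAX_PIN_DEFAULT) -> int:
    """Encode a desired minimum pin length as the inverted policy value.
    min_pin >= 1 keeps the encoded value strictly below max_pin, which is
    what the maximum pin length entry requires of the two policies."""
    if not 1 <= min_pin <= max_pin:
        raise ValueError(f"min pin {min_pin} must be in 1..{max_pin}")
    return max_pin - min_pin


def policy_value_for(desired_min_pin: int, capability_value: int,
                     max_pin: int = MAX_PIN_DEFAULT) -> int:
    """Return the policy value to set for desired_min_pin, or raise if that
    would be less restrictive than the capability allows (policy > cap)."""
    policy = encode_min_pin(desired_min_pin, max_pin)
    if policy > capability_value:
        floor = min_pin_from_encoded(capability_value, max_pin)
        raise ValueError(
            f"min pin {desired_min_pin} is weaker than the capability floor "
            f"{floor} (policy {policy} would exceed capability {capability_value})")
    return policy


def is_acceptable_min_pin(desired_min_pin: int, capability_value: int,
                          max_pin: int = MAX_PIN_DEFAULT) -> bool:
    """Boolean form of policy_value_for for quick pre-checks."""
    try:
        policy_value_for(desired_min_pin, capability_value, max_pin)
        return True
    except ValueError:
        return False
```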

Capability: Enable Key Management Functions
Policy: Allow Key Management Functions
Modifiable: yes
Description: The HSM Admin or Security Officer can disable access to any key management functions by the user; all users become "Crypto-Users" (the restricted-capability user) even if logged in as "Crypto-Officer".

Capability: Enable RSA signing without confirmation
Policy: Perform RSA signing without confirmation
Modifiable: yes
Description: The HSM can perform an internal verification (confirmation) of a signing operation, in order to validate the signature. By default, that confirmation is disabled because it has a performance impact on signature operations.

Capability: Enable Remote Authentication (*)
Policy: Allow Remote Authentication
Modifiable: yes
Description: Controls whether the Remote Authentication features can be used at the Partition level ("partition activate" and "partition restore") on a remote Luna SA.

If this option is switched off but the HSM-level capability is on, then the only Remote Administration tasks that you could perform would be those requiring "hsm login"; no partition-level remote operations. (* Deprecated: Remote Admin and Remote Authentication are no longer supported.)

Capability: Enable private key unmasking
Policy: Allow private key unmasking
Modifiable: yes
Description: Removes the AES 256-bit masking encryption from a private key (the reverse of private key masking).

Capability: Enable secret key unmasking
Policy: Allow secret key unmasking
Modifiable: yes
Description: Removes the AES 256-bit masking encryption from a secret key (the reverse of secret key masking).

Capability: Enable RSA PKCS mechanism
Policy: Allow RSA PKCS mechanism
Modifiable: yes
Description: If this option is switched on, then the CKM_RSA_PKCS mechanism (PKCS#1 v1.5 padding), which is known to be vulnerable, is available for use. The policy is on by default, to avoid breaking legacy applications, but we recommend switching it off to prevent its accidental use, unless you need the mechanism.

Capability: Enable CBC-PAD (un)wrap keys of any size
Policy: Allow CBC-PAD (un)wrap keys of any size
Modifiable: yes
Description: If this option is switched on, then keys of any size can be used with CBC-PAD wrapping or unwrapping. To help reduce a known vulnerability with the mechanism, switching the policy off restricts CBC-PAD (un)wrapping to keys whose size is a multiple of 64 bits. The policy is on by default, to avoid breaking legacy applications, but we recommend switching it off unless you need the ability to use smaller keys and accept the risk.