Multiple or Duplicate PED Keys

The duplicate PED Key option (offered when you answer "YES" to the Luna PED question "Are you duplicating this PED Key?" during HSM initialization or Partition creation) lets you issue more than one HSM Admin PED Key, more than one Owner PED Key per HSM Partition, and duplicates of any of the other PED Key roles (Domain, Remote PED, SRK, or Audit). The most common use of this feature is to make a backup of each PED Key and place it in secure storage, as insurance against damage to, or loss of, the primary PED Key for an HSM or token.

Your in-house procedures and working arrangements might also benefit from having two or more copies of the HSM Admin or Owner PED Keys per HSM. Consider the alternative first: if your procedures require that each work-shift either signs its PED Keys over to the next shift or signs them into lockup storage, then only the single primary PED Key need ever be in "circulation", and the management of those keys is very secure.

However, your procedures could be somewhat less rigid. If it proves more convenient and workable for each person to carry their own PED Key(s) at all times, then a copy is needed for every person who must ever have access to a given HSM Partition, and for every person with HSM Admin privileges. Each such copy is a full-strength credential, so the number in circulation should be known and tracked.

In summary, duplication is optional. If you need more copies of a particular PED Key, answer "YES" when you see the "Are you duplicating..." prompt. Any operation that causes Luna PED to offer the "Are you duplicating this PED Key? (YES/NO)" prompt is an opportunity to make as many additional copies of that key as you wish. If you already have enough duplicates, answer "NO" whenever you see the prompt.

Neither the Luna PED nor the attached HSM records how many copies you have made, and a duplicate is indistinguishable from the original when presented to the HSM. For that reason the option is offered every time you initialize an HSM or [re-]create a Partition, in case you want more duplicates of the currently inserted key. You can also make copies at any time by using the onboard admin menu of the Luna PED 2.x. If your security model allows people to carry PED Keys around, this is a strong argument for imposing the use of a PED PIN ("something you know") when initializing, so that possession of a PED Key alone is not sufficient to authenticate to the HSM.