
Domain PED Keys

A domain PED Key is an iKey 1000 (marked with a red sticker) that has been imprinted with a domain secret.

A domain PED Key (the red one) carries the key-cloning vector (the domain identifier) that allows cloning to take place among HSMs and tokens. Cloning is a secure method of copying HSM (or Partition) or token objects, such that they can be replicated between HSMs and tokens, but:

strongly encrypted (never in the clear), and

only between HSMs and tokens that share a cloning domain.

Cloning is the method by which secure HSM and Partition backup is possible to a Luna Backup HSM, and by which restoring is possible from a Backup HSM or token to a Luna HSM or Partition. It is also used when HSM log records and files are verified by an HSM other than the one that originally created those records.

At initialization time, either a new key-cloning vector is created on the HSM and imprinted onto a red PED Key, or, if the HSM is to join an existing cloning domain, the key-cloning vector is read from an already-imprinted red PED Key and imprinted onto the HSM (or Backup token) as it is initialized. HSMs and tokens that share a key-cloning vector are said to be members of a cloning domain.

An HSM or token can be a member of only one domain. To make an HSM or token become a member of a second or different domain, you must initialize the HSM or token and imprint the new key-cloning vector -- the first one is destroyed and the HSM or token is now a member of only the second domain. This action also destroys any previous content on the HSM being initialized.

To cause a Luna HSM or Partition to be a duplicate or mirror image of another, the procedure is to backup the first HSM or Partition, and then restore from the Backup token onto the new HSM (or Partition).

The "New Domain" Question

When you initialize an HSM, and are prompted for a red PED Key, Luna PED first asks:

If you answer [ No ]:

You are telling Luna PED to generate a new domain (key-cloning vector) on the HSM and to write that new domain secret onto the red PED Key you are about to insert: either a blank key, or a key whose existing domain vector will be overwritten.

This was your last chance (short of aborting the procedure) to make the current HSM part of an existing cloning group. Further prompts in this sequence will give you the opportunity to remove keys that you have mistakenly offered (that have useful authentication secrets on them) and substitute another, but you get no more opportunity to change the "No" to a "Yes".

If that red PED Key was already in use on an operational HSM (and its Backup HSM), then that HSM (and the backup) still carries the old domain, and the newly overwritten red PED Key can no longer be used with it. Unless you have a duplicate red PED Key with the old cloning domain (key-cloning vector), that previous HSM can no longer be backed up, and its Backup can no longer be restored.

If you answer [ Yes ]:

Luna PED prepares to read the domain (key-cloning vector) that it expects to find on the red PED Key you are about to insert, and to store that value onto the HSM. This causes the current HSM to share the domain with the HSM and/or Backup HSM that previously used that red PED Key.

With two or more HSMs (and at least one Backup HSM) sharing the same cloning domain, it is possible to clone the contents from one to another by means of backup and restore operations.

Assuming that you responded [ No ], the PED asks additional preparatory questions, then asks you to insert a PED Key (which you should already have labeled with a red sticker). The PED scans the red PED Key for an existing key-cloning vector. If none is found, Luna PED imprints a new one, taken from the HSM, and that same new key-cloning vector is saved onto the HSM.

However, if an existing key-cloning vector (or other secret) is found, Luna PED needs to know whether to retain it. Luna PED asks:

If you answer Yes:

Luna PED overwrites the existing domain vector (or other secret) on the inserted red PED Key.

If that red PED Key was already in use on an operational HSM (and its Backup token), then that HSM (and the token) still carries the old domain, and the newly overwritten red PED Key can no longer be used with it. Unless you have a duplicate red PED Key with the old cloning domain (key-cloning vector), that previous HSM can no longer be backed up, and its Backup token can no longer be restored.

If you answer No:

Luna PED goes back a step and asks you to "Insert a Domain PED Key". This is your opportunity to correct the mistake by removing the first PED Key and inserting either a fresh (never-imprinted) PED Key, or a PED Key that contains an outmoded secret (Domain, SO, User, RPV, SRV).

Each time you insert a PED Key, during an operation that could write to the key, Luna PED tells you if it is blank or if it contains a pre-existing secret, and asks if you wish to overwrite. This continues until you insert a key and allow the PED to overwrite whatever is-or-isn't on that key, or until the operation times out.
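As an added illustration (not Luna's own code or cloning protocol), the following Python model captures the rules described above: a red PED Key carries the key-cloning vector, the [Yes]/[No] answer decides whether a newly initialized HSM joins the domain already on the key or overwrites it, and cloned objects leave an HSM only wrapped under keys derived from the domain secret, so a restore onto an HSM in another domain fails its integrity check rather than succeeding silently. The HMAC-based wrapping, the 32-byte KCV and all names are constructed for the example; the scenario at the end walks through the "overwritten red key" failure mode.

```python
"""Toy model of Luna cloning-domain rules (constructed example, not Luna code).
A red PED Key carries the key-cloning vector (KCV); cloning succeeds only when
source and destination hold the same KCV; re-imprinting the red key with a new
domain orphans the HSMs that still hold the old one."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class DomainMismatch(Exception):
    """Raised when a backup blob was wrapped under a different KCV."""


@dataclass
class RedPedKey:
    kcv: Optional[bytes] = None      # None models a blank, never-imprinted key


@dataclass
class Hsm:
    name: str
    kcv: Optional[bytes] = None
    objects: Dict[str, bytes] = field(default_factory=dict)


def ped_initialize(hsm: Hsm, red_key: RedPedKey, reuse_existing: bool) -> None:
    """Model the PED 'New Domain' question. Initialization always wipes the
    HSM's content; the answer decides where the KCV comes from."""
    hsm.objects.clear()
    if reuse_existing:
        # [Yes]: copy the domain already on the red key onto the HSM.
        if red_key.kcv is None:
            raise ValueError("cannot reuse a domain from a blank red PED Key")
        hsm.kcv = red_key.kcv
    else:
        # [No]: fresh KCV generated on the HSM, overwriting whatever the key held.
        hsm.kcv = secrets.token_bytes(32)
        red_key.kcv = hsm.kcv


def _derive(kcv: bytes, purpose: bytes) -> bytes:
    # Domain-bound subkeys: nothing that lacks the KCV can derive them.
    return hmac.new(kcv, purpose, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (HMAC counter keystream); symmetric for decrypt.
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


Blob = Tuple[str, bytes, bytes, bytes]   # (label, nonce, ciphertext, tag)


def backup(src: Hsm) -> List[Blob]:
    """Clone out: objects leave the HSM only wrapped under the domain keys."""
    wrap, mac = _derive(src.kcv, b"wrap"), _derive(src.kcv, b"mac")
    blobs: List[Blob] = []
    for label, value in src.objects.items():
        nonce = secrets.token_bytes(16)
        ct = _keystream_xor(wrap, nonce, value)
        tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
        blobs.append((label, nonce, ct, tag))
    return blobs


def restore(dst: Hsm, blobs: List[Blob]) -> int:
    """Clone in: the tag check fails unless dst shares the source domain."""
    wrap, mac = _derive(dst.kcv, b"wrap"), _derive(dst.kcv, b"mac")
    for label, nonce, ct, tag in blobs:
        expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise DomainMismatch(f"{dst.name}: '{label}' was cloned from another domain")
        dst.objects[label] = _keystream_xor(wrap, nonce, ct)
    return len(blobs)


def can_rejoin_domain(hsm: Hsm, red_keys: List[RedPedKey]) -> bool:
    """True if some red key still carries hsm's KCV, i.e. a replacement HSM
    or Backup HSM could still be initialized into hsm's domain."""
    return any(k.kcv == hsm.kcv for k in red_keys if k.kcv is not None)


def scenario() -> dict:
    red = RedPedKey()
    prod, bak, new = Hsm("prod"), Hsm("backup"), Hsm("new")
    ped_initialize(prod, red, reuse_existing=False)   # [No]: creates domain D1 on the key
    ped_initialize(bak, red, reuse_existing=True)     # [Yes]: backup joins D1
    prod.objects["signing-key"] = secrets.token_bytes(48)   # constructed object
    restored = restore(bak, backup(prod))             # same domain: succeeds
    # Operator answers [No] for a third HSM with the same red key: D2 overwrites D1.
    ped_initialize(new, red, reuse_existing=False)
    try:
        restore(new, backup(bak))
        cross_domain_ok = True
    except DomainMismatch:
        cross_domain_ok = False
    return {
        "restored_to_backup": restored,
        "backup_matches_prod": bak.objects == prod.objects,
        "cross_domain_restore_ok": cross_domain_ok,
        "d1_still_on_a_red_key": can_rejoin_domain(prod, [red]),
    }


if __name__ == "__main__":
    print(scenario())
```

The last two results are the operational point of the section: once the only red key holding D1 has been overwritten, prod and its backup still talk to each other, but no further HSM or Backup HSM can ever be brought into D1, which is why a duplicate red PED Key is kept before answering [No].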


To What Does a Domain Apply?

Each HSM has a domain that covers any object that can exist in the SO space; this domain is created at HSM initialization time. Usually the objects in the SO area of the HSM are specialized keys used to facilitate HSM operations (for example, the masking key).

Each partition in an HSM has a domain of its own - this is created when the partition is created/initialized. Partitions contain customer-owned keys used in client operations, as well as data objects.

Objects on a partition can be cloned to another partition (whether on the same HSM or on another HSM) only if both partitions share the same domain.

In the current Luna HSM 5.x sense, one domain is like another (there is nothing special about one firmware 6 domain versus another firmware 6 domain), and any domain could be applied to any partition or HSM SO space. Only your security and management policies dictate how you share domains. You can segregate HSMs and partitions into clonable groups: cloning can occur among any and all members of a group that share a domain, and cannot occur between members of two different domain groups.

Any HSM SO space can have only one domain, assigned at initialization time.

Any partition can have only one domain, assigned at partition creation time. It is not possible for a partition or an SO space to be a member of more than one domain. It is possible for different partitions on the same HSM to be members of mutually exclusive domains (applies to certain Luna HSM products, only).

There is no limit to the number of partitions or HSMs that can share a common domain.

What about Legacy HSMs and Partitions?

HSMs before the K6 (the HSM inside Luna SA) and G5 (the HSM for PKI with Luna SA, and the core of the Luna Backup HSM) - legacy HSMs - used an older, smaller domain secret, which is incompatible with current HSMs.

Cloning of objects between Luna HSMs requires a shared domain.

To provide a one-way migration path for moving HSM objects from legacy HSMs to modern HSMs, the command partition setLegacyDomain allows an old-style domain to be linked to a new-style domain on a K6 or G5 HSM.

Give Me The One-Sentence Summary

If you can account for all the HSMs to which you have presented your red Domain PED Key (meaning that you have maintained strict control of that red PED Key), then you know with certainty that nobody else could possibly have a copy of the sensitive keys that were created on your HSMs or partitions, or cloned to those HSMs or partitions.