|
Home > |
|---|
For customer applications involving large numbers of keys, that might exceed the internal flash-memory capacity of the Luna SA K6 engine, support is provided for secure external storage of keys.
For the most part, SIM functionality must be supported by custom programming. Our Software Development Kit (available separately) includes documentation and samples for Cryptoki and Java APIs.
The following characteristics apply to the SIM capability:
•SIM is a purchased capability that must be enabled when your Luna SA is manufactured. SIM cannot be implemented with a Luna SA that was not explicitly enabled for SIM.
•The database-management aspects of large numbers of externally stored keys are beyond the scope of Luna SA. Luna SA ensures the security of those keys, without reference to their management and retrieval. Such management is the responsibility of the customer's application.
•All keys that are externally stored with this feature are strongly encrypted, using symmetric keys that are never exposed outside the HSM server. Additional encryption and security measures are employed within the HSM server to afford multiple levels of security.
•All manipulations of the keys take place within protected, volatile memory inside the Luna SA K6 engine.
Note: Each Luna SA leaving the factory has a unique masking key, which is used for Secure Identity Management. To give several Luna SAs the same masking key, choose one and perform hsm -backup. Then, using that Backup HSM, perform hsm -restore onto each Luna SA that must share that masking key.
Note: When the HSM is initialized, a new masking secret is created. The new masking secret will be backed up onto a backup token if "hsm backup" is performed, but the old masking secret will continue to be used for all masking operations until the HSM is powered off.
A Luna SA with SIM enabled can support only a single HSM Partition.
WARNING! If the masking key is lost, then all extracted key material (all the keys in your database) is effectively lost as well. Therefore, perform an HSM Backup, to backup the SIM Masking Key.