|
Home > |
|---|
HSM capabilities represent pre-set or designed-in capacities of the HSM, and are displayed using the hsm showpolicies command . Policies correspond to capabilities, and represent modifications that you can apply to any capability that has a corresponding policy (some do not). The command displays the currently-applied capabilities, and then displays the currently available HSM Policies and their values.
Partition capabilities are inherited from the HSM capabilities and policies (where applicable) and, they too can be adjusted by means of partition policies.
The list that you see for your HSM depends on the type of HSM. As well, capabilities might be added if you purchase and apply a capability update to enhance your HSM.
If a capability can be modified by a policy setting, then the change is always in the direction of greater security. A policy can never relax the level of security that is set by a capability.
In some cases, a setting change must force the wiping of a partition or of the entire HSM as a security measure. Those policies are listed as "destructive". The table below summarizes the relationships and provides a brief description of the purpose and operation of each capability and policy.
With firmware 6.22.0, or later, you can use the command hsm factoryreset in the LunaCM Command Reference Guide to zeroize the HSM and reset the polices to their default values.
With pre-6.22.0 firmware, the hsm factoryreset command does not reset the policies, and they remain as configured prior to the command being invoked.
| HSM Capability Name | HSM Policy Name | Destructive | Modifiable | Description |
|---|---|---|---|---|
|
Enable PIN-based authentication |
Allow PIN-based authentication |
- |
No |
If allowed, use keyboard for entering passwords. (The HSM Admin may never modify the corresponding policy directly. The policy is set during initialization of the HSM.) |
|
Enable PED-based authentication |
Allow PED-based authentication |
- |
No |
If allowed, use the SafeNet PED (as well as the keyboard) for entering passwords (via PED Keys). The HSM Admin may never modify the corresponding policy directly. The policy is set during initialization of the HSM. |
|
Performance level |
- |
- |
- |
Indicates the performance level of this HSM. The HSM Admin may never
modify this capability - it has no corresponding policy. Possible levels
are |
|
Enable domestic mechanisms & key sizes |
- |
- |
- |
If allowed, this SafeNet HSM is capable of full strength cryptography (i.e. no US export restrictions) |
|
Enable masking |
Allow masking |
Yes |
Yes |
If allowed, the SafeNet HSM is capable of Scalable Key Storage, and this feature can be
turned on or off by the HSM Admin. If not allowed, the SafeNet HSM is not
capable of Scalable Key Storage, and there is no way to for the HSM Admin to change this. |
|
Enable cloning |
Allow cloning |
Yes |
Yes |
If allowed, the SafeNet HSM is capable of backup to Backup tokens, and this feature can be turned on or off by the HSM Admin. If not allowed, the SafeNet HSM is not capable of backup and there is no way for the HSM Admin to change this. Partition backup or partition network replication is allowed for the SafeNet high availability feature. |
|
Enable special cloning certificate |
- |
- |
- |
If allowed, this SafeNet HSM can have a vendor-specific cloning certificate loaded on to it. This policy is always set to not allowed on current SafeNet HSMs. |
|
Enable full (non-backup) functionality |
- |
- |
- |
If allowed, this SafeNet HSM can perform cryptographic functions. This policy is always set to allowed on SafeNet HSMs. |
|
Enable ECC mechanisms |
- |
- |
- |
If allowed, new changes to existing licenses may be done in the field. This policy is always set to not allowed on SafeNet HSMs. |
|
Enable non-FIPS algorithms |
Allow non-FIPS algorithms |
yes |
yes |
If allowed, the SafeNet HSM permits use of cryptographic algorithms that are not sanctioned by the FIPS 140-2 standard, the HSM Admin can select whether to permit use of those algorithms or to adhere to strict FIPS 140-2 regulations. If not allowed, the SafeNet HSM will only operate with FIPS 140-2 approved algorithms, there is no way for the HSM Admin to change this. |
|
Enable SO reset of partition PIN |
SO can reset partition PIN |
Yes
|
Yes
|
If allowed, the SafeNet HSM has the ability to either lock out users or erase them upon X consecutive bad login attempts, if the HSM Admin sets the corresponding HSM policy to “on”, users will be locked out and the HSM Admin can reset their password, if the HSM Admin sets the policy to “off”, users will be erased after X consecutive bad login attempts. If this capability is not allowed, the SafeNet HSM will always erase users after X consecutive bad login attempts, the HSM Admin may not change this. |
|
Enable network replication |
Allow network replication |
No
|
Yes
|
If allowed, the SafeNet HSM may use the SafeNet high availability feature, and the HSM Admin may turn this feature on or off. If not allowed, the SafeNet HSM is not capable of automatic network replication for high availability. Partition backup or partition network replication is allowed for the SafeNet high availability feature. (Does not apply to SafeNet PCIe.) |
|
Enable Korean Algorithms |
|
No
|
Yes
|
If allowed, the SafeNet HSM may use the Korean algorithm set. |
|
FIPS evaluated |
HSM has been evaluated and validated to FIPS 140 -2 (or 3) |
No
|
No
|
Deprecated - no longer used. |
| Manufacturing Token | - | - | - | N/A (SafeNet internal use, only) |
|
Enable Remote Authentication (*) |
Allow Remote Authentication |
Yes |
Yes |
(* Deprecated - Remote Admin and Remote Authentication are no longer supported. The feature is replaced by Remote PED.) |
|
Enable forcing user PIN change |
Force user PIN change after set/reset |
No
|
Yes |
If allowed, forces the Partition User to perform a partition changePw operation whenever the SO resets the User password (or creates the User Partition). That is, the User cannot perform any other actions on the Partition until the password change is completed. The purpose is to maintain the separation of roles between the SO/HSM Admin and the Partition User/Owner. |
|
Enable portable masking key |
Allow off-board storage |
No
|
Yes |
Allows or disallows the use of the portable Scalable Key Storage key. |
|
Enable partition groups |
Allow partition groups |
No
|
No |
Deprecated - not supported. |
|
Enable Remote PED usage |
Allow remote PED usage |
No
|
Yes |
Allow authentication via remotely located SafeNet PED 2 (Remote Capable) and pedServer. |
|
Enable external storage of MTK split |
Not directly modifiable by user |
-
|
- |
Allows one of the splits of the MTK, the Secure Recovery Vector, to be stored outside the HSM on a purple Secure Recovery PED Key. Used for Secure Transport Mode, and for controlled/supervised recovery from tamper events. The policy associated with this capability is set automatically when the lunash command "hsm srk enable" is run. If that command is never run, or if the HSM is a password-authenticated version, then both MTK splits remain inside the HSM and recovery from tamper is automatic after restart. |
| HSM non-volatile storage space | Not directly modifiable by user | - | - | Shows the factory-set amount of non-volatile storage that is available on the HSM. |
|
Enable Acceleration |
Allow acceleration |
Yes
|
Yes |
This capability controls the mechanisms available within the HSM for key generation (RSA, DSA, KCDSA), and HAM. With the "Allow acceleration" policy switched ON, your application can choose from the full range of mechanisms supported by the HSM, for optimum performance with your application. |
|
Enable Unmasking |
Allow unmasking |
Yes
|
Yes |
If you “ALLOW” masking & unmasking on the HSM module(s) and the partition(s) “Private & Secret” keys you can securely migrate keys within a single appliance. where partition cloning domains match. |
| Enable FW5 compatibility mode | - | - | - | Not applicable to SafeNet general-purpose HSMs. |
| Maximum number of partitions | Shows the maximum number of application partitions that can be created on the HSM, according to factory-installed,or purchased and installed, capability upgrade. | |||
| Enable ECIES support | Allow ECIES | Elliptic Curve Integrated Encryption Scheme is enabled by a purchased Capability Update. When the CUF is applied, a Policy setting becomes available to switch ECIES off and on.This is a non-FIPS algorithm. If Allow non-FIPS algorithms is set to ON, that setting overrides this one. | ||
| Enable Single Domain | - | - | - | Not applicable to SafeNet general-purpose HSMs. |
| Enable Unified PED Key | - | - | - | Not applicable to SafeNet general-purpose HSMs. |
| Enable MofN | - | - | - | Not applicable to SafeNet general-purpose HSMs. |
| Enable small form factor backup/restore | A purchased capability update enables this capability - backup the contents of an HSM partition to a SafeNet eToken 7300, by means of a SafeNet PED. Requires that Masking be enabled and allowed. |
|||
| Enable Secure Trusted Channel | Allow Secure Trusted Channel | As an HSM policy, this setting enables the use of STC by the application partitions, but does not force it. As an application partition policy, the use of STC can be turned on, or not, for the individual application partition, but only if the HSM-wide policy is set to ON. |
||
| Enable decommission on tamper | Not applicable to SafeNet general-purpose HSMs. | |||
| Enable Per-Partition SO | Enables the capability, HSM-wide, for partitions to be created that have their own Security Officers. | |||
| Enable partition re-initialize | Not applicable to SafeNet general-purpose HSMs. |