Home >

Administration Guide > Capabilities and Policies > HSM Capabilities and Policies

HSM Capabilities and Policies

HSM capabilities represent pre-set or designed-in capacities of the HSM, and are displayed using the hsm showpolicies command . Policies correspond to capabilities, and represent modifications that you can apply to any capability that has a corresponding policy (some do not). The command displays the currently-applied capabilities, and then displays the currently available HSM Policies and their values.

Partition capabilities are inherited from the HSM capabilities and policies (where applicable) and, they too can be adjusted by means of partition policies.

The list that you see for your HSM depends on the type of HSM. As well, capabilities might be added if you purchase and apply a capability update to enhance your HSM.

If a capability can be modified by a policy setting, then the change is always in the direction of greater security. A policy can never relax the level of security that is set by a capability.

In some cases, a setting change must force the wiping of a partition or of the entire HSM as a security measure. Those policies are listed as "destructive". The table below summarizes the relationships and provides a brief description of the purpose and operation of each capability and policy.

To reset the policies to their default values

With firmware 6.22.0, or later, you can use the command hsm factoryreset in the LunaCM Command Reference Guide to zeroize the HSM and reset the polices to their default values.

With pre-6.22.0 firmware, the hsm factoryreset command does not reset the policies, and they remain as configured prior to the command being invoked.

 

HSM Capability Name   HSM Policy Name Destructive Modifiable  Description  

Enable PIN-based authentication  

Allow PIN-based authentication  

-

No

If allowed, use keyboard for entering passwords. (The HSM Admin may never modify the corresponding policy directly. The policy is set during initialization of the HSM.)  

Enable PED-based authentication    

Allow PED-based authentication  

 -

No  

If allowed, use the SafeNet PED (as well as the keyboard) for entering passwords (via PED Keys). The HSM Admin may never modify the corresponding policy directly. The policy is set during initialization of the HSM.  

Performance level  

-

-

-

Indicates the performance level of this HSM. The HSM Admin may never modify this capability - it has no corresponding policy. Possible levels are
15: max performance ~7000 1024-bit RSA sigs/sec
4: ~ 1700 1024-bit RSA signatures per second

Enable domestic mechanisms & key sizes  

-

 -

 -

If allowed, this SafeNet HSM is capable of full strength cryptography (i.e. no US export restrictions)

Enable masking  

Allow masking

Yes

Yes

If allowed, the SafeNet HSM is capable of SIM, and this feature can be turned on or off by the HSM Admin. If not allowed, the SafeNet HSM is not capable of SIM, and there is no way to for the HSM Admin to change this.
Needed for Small Form Factor backup.

Enable cloning  

Allow cloning

Yes

Yes

If allowed, the SafeNet HSM is capable of backup to Backup tokens, and this feature can be turned on or off by the HSM Admin. If not allowed, the SafeNet HSM is not capable of backup and there is no way for the HSM Admin to change this. Partition backup or partition network replication is allowed for the SafeNet high availability feature.

Enable special cloning certificate   

-

-

-

If allowed, this SafeNet HSM can have a vendor-specific cloning certificate loaded on to it. This policy is always set to not allowed on current SafeNet HSMs.

Enable full (non-backup) functionality  

-

-

-

If allowed, this SafeNet HSM can perform cryptographic functions. This policy is always set to allowed on SafeNet HSMs.

Enable ECC mechanisms  

-

-

-

If allowed, new changes to existing licenses may be done in the field. This policy is always set to not allowed on SafeNet HSMs.

Enable non-FIPS algorithms

Allow non-FIPS algorithms  

yes

yes

If allowed, the SafeNet HSM permits use of cryptographic algorithms that are not sanctioned by the FIPS 140-2 standard, the HSM Admin can select whether to permit use of those algorithms or to adhere to strict FIPS 140-2 regulations. If not allowed, the SafeNet HSM will only operate with FIPS 140-2 approved algorithms, there is no way for the HSM Admin to change this.

Enable SO reset of partition PIN   

SO can reset partition PIN

Yes

 

Yes

 

If allowed, the SafeNet HSM has the ability to either lock out users or erase them upon X consecutive bad login attempts, if the HSM Admin sets the corresponding HSM policy to “on”, users will be locked out and the HSM Admin can reset their password, if the HSM Admin sets the policy to “off”, users will be erased after X consecutive bad login attempts. If this capability is not allowed, the SafeNet HSM will always erase users after X consecutive bad login attempts, the HSM Admin may not change this.

Enable network replication   

Allow network replication   

No

 

Yes

 

If allowed, the SafeNet HSM may use the SafeNet high availability feature, and the HSM Admin may turn this feature on or off. If not allowed, the SafeNet HSM is not capable of automatic network replication for high availability. Partition backup or partition network replication is allowed for the SafeNet high availability feature. (Does not apply to SafeNet PCI.)

Enable Korean Algorithms 

No

 

Yes

 

If allowed, the SafeNet HSM may use the Korean algorithm set.

FIPS evaluated

HSM has been evaluated and validated to FIPS 140 -2 (or 3)

No

 

No

 

Deprecated - no longer used.

Manufacturing Token - - - N/A (SafeNet internal use, only)

Enable Remote Authentication (*)

Allow Remote Authentication

Yes

Yes

(* Deprecated - Remote Admin and Remote Authentication are no longer supported. The feature is replaced by Remote PED.)

Enable forcing user PIN change

Force user PIN change after set/reset

No

 

Yes

If allowed, forces the Partition User to perform a partition changePw operation whenever the SO resets the User password (or creates the User Partition). That is, the User cannot perform any other actions on the Partition until the password change is completed. The purpose is to maintain the separation of roles between the SO/HSM Admin and the Partition User/Owner.

Enable portable masking key

Allow off-board storage

No

 

Yes

Allows or disallows the use of the portable SIM key.

Enable partition groups

Allow partition groups

No

 

No

Deprecated - not supported.

Enable Remote PED usage

Allow remote PED usage

No

 

Yes

Allow authentication via remotely located SafeNet PED 2 (Remote Capable) and pedServer.

Enable external storage of MTK split

Not directly modifiable by user

-

 

-

Allows one of the splits of the MTK, the Secure Recovery Vector, to be stored outside the HSM on a purple Secure Recovery PED Key. Used for Secure Transport Mode, and for controlled/supervised recovery from tamper events. The policy associated with this capability is set automatically when the lunash command "hsm srk enable" is run. If that command is never run, or if the HSM is a password-authenticated version, then both MTK splits remain inside the HSM and recovery from tamper is automatic after restart.

HSM non-volatile storage space Not directly modifiable by user - - Shows the factory-set amount of non-volatile storage that is available on the HSM.

Enable Acceleration

Allow acceleration

Yes

 

Yes

This capability controls the mechanisms available within the HSM for key generation (RSA, DSA, KCDSA), and HAM. With the "Allow acceleration" policy switched ON, your application can choose from the full range of mechanisms supported by the HSM, for optimum performance with your application.

Enable Unmasking

Allow unmasking

Yes

 

Yes

If you “ALLOW” masking & unmasking on the HSM module(s) and the partition(s) “Private & Secret” keys you can securely migrate keys within a single appliance. where partition cloning domains match.     
If you “ALLOW” cloning on multiple appliances that also have masking & unmasking “ALLOWED” on the HSM(s) and partition(s) “Private & Secret” keys, then you can securely migrate keys with multiple appliances on the same domain.

Enable FW5 compatibility mode - - - Not applicable to SafeNet general-purpose HSMs.  
Maximum number of partitions       Shows the maximum number of application partitions that can be created on the HSM, according to factory-installed,or purchased and installed, capability upgrade.
Enable ECIES support Allow ECIES     Elliptic Curve Integrated Encryption Scheme is enabled by a purchased Capability Update. When the CUF is applied, a Policy setting becomes available to switch ECIES off and on.This is a non-FIPS algorithm. If Allow non-FIPS algorithms is set to ON, that setting overrides this one.
Enable Single Domain - - - Not applicable to SafeNet general-purpose HSMs.  
Enable Unified PED Key - - - Not applicable to SafeNet general-purpose HSMs.  
Enable MofN - - - Not applicable to SafeNet general-purpose HSMs.  
Enable small form factor backup/restore       A purchased capability update enables this capability - backup the contents of an HSM partition to a SafeNet eToken 7300, by means of a SafeNet PED.
Requires that Masking be enabled and allowed.
Enable Secure Trusted Channel Allow Secure Trusted Channel     As an HSM policy, this setting enables the use of STC by the application partitions, but does not force it.
As an application partition policy, the use of STC can be turned on, or not, for the individual application partition, but only if the HSM-wide policy is set to ON.
Enable decommission on tamper       Not applicable to SafeNet general-purpose HSMs.
Enable Per-Partition SO       Enables the capability, HSM-wide, for partitions to be created that have their own Security Officers.
Enable partition re-initialize       Not applicable to SafeNet general-purpose HSMs.