
Partition Capabilities and Policies

HSM capabilities represent pre-set or designed-in capacities of the HSM, and are displayed using the hsm showpolicies command. Policies correspond to capabilities, and represent modifications that you can apply to any capability that has a corresponding policy (some do not). The command displays the currently-applied capabilities, and then displays the currently available HSM Policies and their values.

Partition capabilities are inherited from the HSM capabilities and policies (where applicable), and they too can be adjusted by means of partition policies.

The list that you see for your HSM depends on the type of HSM. Capabilities might also be added if you purchase and apply a capability update to enhance your HSM.

If a capability can be modified by a policy setting, then the change is always in the direction of greater security. A policy can never relax the level of security that is set by a capability.

In some cases, a setting change must force the wiping of a partition or of the entire HSM as a security measure. Those policies are listed as "destructive". The table below summarizes the relationships and provides a brief description of the purpose and operation of each capability and policy.

Each entry below gives the partition capability name, the corresponding partition policy name, whether the policy is modifiable, and a description.

Partition Capability Name: Enable private key cloning
Partition Policy Name: Allow private key cloning
Modifiable: depends
Description: If this is allowed, the private keys on the partition may be backed up, and the HSM Admin can turn this feature on or off. The value of this capability depends on the HSM capability and policy "Enable cloning". If this is not allowed, private keys on this partition cannot be backed up, and the HSM Admin may not change this. Partition backup or partition network replication is allowed for the SafeNet high availability feature.

Partition Capability Name: Enable private key wrapping
Partition Policy Name: Allow private key wrapping
Modifiable: depends
Description: If this is allowed, private keys on the partition may be wrapped, and the HSM Admin can turn this feature on or off. If not allowed, private keys on the partition may not be wrapped off. This value is always set to Disallowed for all partitions on a SafeNet HSM.

Partition Capability Name: Enable private key unwrapping
Partition Policy Name: Allow private key unwrapping
Modifiable: depends
Description: If this is allowed, private keys may be unwrapped onto the partition, and the HSM Admin can turn this feature on or off. If not allowed, private key unwrapping is not available, and the HSM Admin cannot change this.

Partition Capability Name: Enable private key masking
Partition Policy Name: Allow private key masking
Modifiable: depends
Description: If this is allowed, keys on the partition can use SIM, and the HSM Admin can turn this feature on or off. Encryption for this feature uses an AES 256-bit key. The value of this capability depends on the HSM capability and policy "Enable masking". If this is not allowed, this partition cannot participate in SIM, and the HSM Admin cannot change this.

Partition Capability Name: Enable secret key cloning
Partition Policy Name: Allow secret key cloning
Modifiable: depends
Description: If this is allowed, secret keys on the partition can be backed up, and the HSM Admin can turn this feature on or off. (For example, the HSM Admin may wish to turn this feature on only immediately before a scheduled backup, and then turn it off again to prevent unauthorized backup.) If this is not allowed, secret keys cannot be backed up, and the HSM Admin cannot change this. Partition backup or partition network replication is allowed for the SafeNet high availability feature.

Partition Capability Name: Enable secret key wrapping
Partition Policy Name: Allow secret key wrapping
Modifiable: depends
Description: If this is allowed, secret keys can be wrapped off the partition, and the HSM Admin can turn this feature on or off. (For example, the HSM Admin may wish to disallow secret key wrapping, in which case he/she would set the corresponding policy to "no".) If this is not allowed, the partition does not support secret key wrapping, and the HSM Admin cannot change this.

Partition Capability Name: Enable secret key unwrapping
Partition Policy Name: Allow secret key unwrapping
Modifiable: depends
Description: If this is allowed, secret keys can be unwrapped onto the partition, and the HSM Admin can turn this feature on or off. If this is not allowed, the partition does not support secret key unwrapping, and the HSM Admin cannot change this.

Partition Capability Name: Enable secret key masking
Partition Policy Name: Allow secret key masking
Modifiable: depends
Description: If this is allowed, secret keys on the partition can use SIM, and the HSM Admin can turn this feature on or off. Encryption for this feature uses an AES 256-bit key. If it is not allowed, the partition does not support SIM.

Partition Capability Name: Enable multipurpose keys
Partition Policy Name: Allow multipurpose keys
Modifiable: depends
Description: If this is allowed, keys on the partition may be created for multiple purposes such as signing and decrypting, and the HSM Admin can turn this feature on or off. If not allowed, keys created on (or wrapped onto) the partition must be for a single function only (i.e. specify only one function in the attribute template).

Partition Capability Name: Enable changing key attributes
Partition Policy Name: Allow changing key attributes
Modifiable: depends
Description: If this is allowed, non-sensitive attributes of the keys on the partition are modifiable (i.e. the user can change the functions that the key can use), and the HSM Admin has the ability to turn this feature on or off. If not allowed, keys created on the partition cannot be modified.
This policy affects the following "key function attributes":
CKA_ENCRYPT
CKA_DECRYPT
CKA_WRAP
CKA_UNWRAP
CKA_SIGN
CKA_SIGN_RECOVER
CKA_VERIFY
CKA_VERIFY_RECOVER
CKA_DERIVE
CKA_EXTRACTABLE
All other attributes are not controlled by this policy.

Partition Capability Name: Allow failed challenge responses
Partition Policy Name: Ignore failed challenge responses
Modifiable: depends
Description: If this is allowed, failed challenge responses (HSM Partition Passwords) will not increment the counter for X consecutive bad login attempts, and the HSM Admin can turn this feature on or off. If not allowed, failed challenge responses (HSM Partition Passwords) will increment the failed login counter. This capability/policy only pertains to HSMs that use the SafeNet PED for authentication. (The policy name is slightly different from the capability name: if the policy is on, failed challenges are ignored, which is the same as if the capability is allowed.)

Partition Capability Name: Enable operation without RSA blinding
Partition Policy Name: Operate without RSA blinding
Modifiable: depends
Description: If this is allowed, the partition may run in a mode that does not use RSA blinding, and the HSM Admin can turn this feature on or off. (Blinding is a technique that introduces random elements into the signature process to prevent timing attacks on the RSA private key. Use of this technique may be required by certain security policies, but it does reduce performance.) If the feature is disallowed, the partition will always run in RSA blinding mode, and performance will be lower than SafeNet published performance. (The policy name is slightly different from the capability name: if the policy is on, RSA blinding is not used, which is the same as if the capability is allowed.)

Partition Capability Name: Enable signing with non-local keys
Partition Policy Name: Allow signing with non-local keys
Modifiable: depends
Description: If this is allowed, keys that have been wrapped onto the partition may be used (trusted) for signing, and the HSM Admin can turn this feature on or off. If moving keys from software to hardware, this capability must be allowed, and the corresponding policy must be set 'on', or the keys will not be able to perform signing. If not allowed, only keys that were created locally (on the hardware) can be used for signing.

Partition Capability Name: Enable raw RSA operations
Partition Policy Name: Allow raw RSA operations
Modifiable: depends
Description: If this is allowed, the partition may allow raw RSA operations (mechanism CKM_RSA_X_509), and the HSM Admin can turn this feature on or off. If not allowed, the partition will not support raw RSA operations.

Partition Capability Name: Max failed user logins allowed
Partition Policy Name: Max failed user logins allowed
Modifiable: depends
Description: The number in the capability indicates the maximum number of consecutive failed user logins allowed, as set by the partition license. The HSM Admin can set the corresponding policy to a value less than or equal to the capability value. (i.e. if the capability shows 15, the policy can be set to [1-15], although setting it to a really low number is not recommended.)

Partition Capability Name: Enable high availability recovery
Partition Policy Name: Allow high availability recovery
Modifiable: depends
Description: If this is allowed, another partition that is in high availability mode with this partition may be used to restore login state to this partition after a power outage or other deactivation, and the HSM Admin may turn this feature on or off. If not allowed, this partition does not support the SafeNet high availability feature.

Partition Capability Name: Enable activation
Partition Policy Name: Allow activation
Modifiable: depends
Description: If this is allowed, PED Key data for the partition may be cached so that subsequent logins do not require PED Keys, and the HSM Admin may turn this feature on or off. If not allowed (or if the policy is turned off), PED Keys must be presented at each login (whether the call is local or from a client application). This policy only applies to partitions on HSMs that use the SafeNet PED for authentication.

Partition Capability Name: Enable auto-activation
Partition Policy Name: Allow auto-activation
Modifiable: depends
Description: If this is allowed, PED Key data for the partition may be semi-permanently cached to hard disk (encrypted) so that the partition's activation status can be maintained after a short power loss, and the HSM Admin can turn this feature on or off. If power stays off more than a few minutes, the key that was used to encrypt the data cached to hard disk is no longer valid, so authentication cannot be re-instated. If this capability is not allowed, the partition does not support auto-activation. This policy only applies to partitions on HSMs that use the SafeNet PED for authentication.

Partition Capability Name: Minimum pin length (inverted: 255 - min)
Partition Policy Name: Minimum pin length (inverted: 255 - min)
Modifiable: yes
Description: The minimum pin length value is determined as follows. Since a policy can only be set to values that are lower than (or equal to) the value in a capability, if the min pin length capability were set to 7, the policy could be set to 2, which is a less restrictive policy. This is not acceptable. So, to keep all capabilities consistent, the value of this capability must be interpreted. The formula to use is:
(max pin) - (min pin) = (capability value)
If the minimum pin length capability is set to 248, and the maximum pin length capability is set to 255, the minimum pin is
(255) - (min pin) = 248    --> solving for min pin -->   (min pin) = 255 - 248 --> min pin is --> 7
The administrator can set the policy to select a new, more restrictive minimum pin length. Continuing with the example above, assume the administrator wants to set the min pin length to 10 to force better password selection. Solve for the policy value in the following formula:
(max pin) - (min pin) = (policy value)  --> substituting -->  255 - 10 = (policy value)  --> solving for policy value --> policy value is 245
To set the minimum pin length to 10, the HSM Admin would change the min pin length policy to 245.
Thus, the HSM Admin selects a number less than the capability (245 is less than 255) to set the minimum pin length to a greater value.
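
The inverted minimum pin length arithmetic above, carried through as an added Python example (not from the SafeNet guide; the function names and the acceptability check are assumptions, and 255 is the maximum pin length taken from the guide's own example):

```python
# Added example, not SafeNet code: decode and encode the "inverted" minimum
# pin length value.  The guide gives the relation
#     (max pin) - (min pin) = (capability or policy value)
# and states that a policy may only be set to a value less than or equal to
# the capability value, so a smaller inverted value means a longer minimum pin.

MAX_PIN_LENGTH = 255  # maximum pin length capability used in the guide's example


def min_pin_from_value(value: int, max_pin: int = MAX_PIN_LENGTH) -> int:
    """Decode an inverted capability or policy value into the real minimum pin length."""
    if not 0 <= value <= max_pin:
        raise ValueError(f"inverted value {value} must lie in [0, {max_pin}]")
    return max_pin - value


def policy_is_acceptable(policy_value: int, capability_value: int,
                         max_pin: int = MAX_PIN_LENGTH) -> bool:
    """A policy never relaxes a capability: its inverted value may not exceed the capability's."""
    return 0 <= policy_value <= capability_value <= max_pin


def policy_value_for_min_pin(desired_min: int, capability_value: int,
                             max_pin: int = MAX_PIN_LENGTH) -> int:
    """Return the inverted policy value that enforces `desired_min` characters.

    Raises ValueError when the requested minimum would be weaker than the
    minimum already fixed by the capability, or longer than the maximum pin.
    """
    if desired_min > max_pin:
        raise ValueError(f"minimum pin {desired_min} exceeds maximum pin length {max_pin}")
    policy_value = max_pin - desired_min
    if not policy_is_acceptable(policy_value, capability_value, max_pin):
        floor = min_pin_from_value(capability_value, max_pin)
        raise ValueError(
            f"minimum pin {desired_min} is weaker than the capability minimum of {floor}"
        )
    return policy_value


if __name__ == "__main__":
    # Worked example from the guide: capability 248 with max pin 255 -> min pin 7.
    print(min_pin_from_value(248))            # 7
    # To require a 10-character minimum, the policy must be set to 245.
    print(policy_value_for_min_pin(10, 248))  # 245
```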

Partition Capability Name: Maximum pin length
Partition Policy Name: Maximum pin length
Modifiable: yes
Description: The value here is the maximum value for the pin length. This value is used in calculating the minimum pin length, and the value in the maximum pin length policy must always be greater than the value in the minimum pin length policy.

Partition Capability Name: Enable Key Management Functions
Partition Policy Name: Allow Key Management Functions
Modifiable: yes
Description: The HSM Admin or Security Officer can disable access to any key management functions by the user; all users become "Crypto-Users" (the restricted-capability user) even if logged in as "Crypto-Officer".

Partition Capability Name: Enable RSA signing without confirmation
Partition Policy Name: Perform RSA signing without confirmation
Modifiable: yes
Description: The HSM can perform an internal verification (confirmation) of a signing operation, in order to validate the signature. By default, that confirmation is disabled because it has a performance impact on signature operations.

Partition Capability Name: Enable Remote Authentication (*)
Partition Policy Name: Allow Remote Authentication
Modifiable: yes
Description: Controls whether the Remote Authentication features can be used at the Partition level ("partition activate" and "partition restore") on a remote SafeNet Network HSM.
If this option is switched off but the HSM-level capability is on, then the only Remote Administration tasks that you could perform would be those requiring "hsm login", with no partition-level remote operations. (* Deprecated: Remote Admin and Remote Authentication are no longer supported.)

Partition Capability Name: Enable private key unmasking
Partition Policy Name: Allow private key unmasking
Modifiable: yes
Description: Remove encryption with AES 256-bit key from private key.

Partition Capability Name: Enable secret key unmasking
Partition Policy Name: Allow secret key unmasking
Modifiable: yes
Description: Remove encryption with AES 256-bit key from secret key.

Partition Capability Name: Enable RSA PKCS mechanism
Partition Policy Name: Allow RSA PKCS mechanism
Modifiable: yes

Partition Capability Name: Enable CBC-PAD (un)wrap keys of any size
Partition Policy Name: Allow CBC-PAD (un)wrap keys of any size
Modifiable: yes

Partition Capability Name: Enable private key SFF backup/restore
Partition Policy Name: Allow private key SFF backup/restore
Modifiable: yes
Description: Small Form-Factor backup/restore is a cloning operation between the current partition and an SFF token. Allow or disallow private keys to be cloned between the partition and the SFF token.

Partition Capability Name: Enable secret key SFF backup/restore
Partition Policy Name: Allow secret key SFF backup/restore
Modifiable: yes
Description: Small Form-Factor backup/restore is a cloning operation between the current partition and an SFF token. Allow or disallow secret keys to be cloned between the partition and the SFF token.

Partition Capability Name: Enable Secure Trusted Channel
Partition Policy Name: Force Secure Trusted Channel
Modifiable: yes
Description: Enable the use of Secure Trusted Channel (STC) for the partition. If this is enabled, you have the option to require STC for the current partition, or not.