Factory-Installed HSM Configurations

SafeNet HSMs ship from the factory in various configurations that provide different levels of authentication, performance, and key management capabilities, as detailed below. These options are selected at the time of purchase and cannot be modified. A table listing the available or supported SafeNet HSM models is provided at the end of this section.

Authentication Variants

You can purchase either a password-authenticated (FIPS 140-2 Level 2) HSM or a PED-authenticated (FIPS 140-2 Level 3) HSM.

Password Authentication

Password-authenticated HSMs provide single-factor authentication for all roles, using passwords. SafeNet HSMs enforce the use of strong passwords by requiring the passwords to conform to the following rules:

minimum length of eight characters

must include characters from at least three of the following character classes:

lowercase alphabetic (abcd...xyz)

uppercase alphabetic (ABCD...XYZ). An uppercase letter used as the first character of the password does not count towards the number of character classes used.

numeric (0123456789). A digit used as the last character of the password does not count towards the number of character classes used.

special (non-alphanumeric, -_!@#$%&*...)
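
The rules above can be checked before a password is submitted to the HSM. The following is an added example, not SafeNet code: the function names are hypothetical, and it assumes that only the leading uppercase letter or trailing digit itself is excluded from the class count (the same class still counts if it also appears elsewhere in the password), and that any character outside ASCII letters and digits is treated as "special".

```python
import string

MIN_LENGTH = 8
MIN_CLASSES = 3


def char_class(ch):
    """Map one character to a class name from the rules above."""
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.digits:
        return "digit"
    return "special"  # assumption: anything else is "special"


def counted_classes(password):
    """Return the classes that count toward the three-class minimum."""
    classes = set()
    last = len(password) - 1
    for i, ch in enumerate(password):
        cls = char_class(ch)
        if cls == "upper" and i == 0:
            continue  # leading uppercase letter is not counted
        if cls == "digit" and i == last:
            continue  # trailing digit is not counted
        classes.add(cls)
    return classes


def check_password(password):
    """Return a list of rule violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = counted_classes(password)
    if len(classes) < MIN_CLASSES:
        problems.append("only %d counted character class(es): %s"
                        % (len(classes), ", ".join(sorted(classes)) or "none"))
    return problems


# Constructed sample passwords, not taken from the product documentation.
for candidate in ("Password1", "Summer2024", "pAssw0rd!", "aB3!"):
    print(candidate, "->", check_password(candidate) or "OK")
```

The common "Capital first, digit last" pattern is exactly what the two exclusions are aimed at: "Password1" ends up with a single counted class despite containing three.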

SafeNet password-authenticated HSMs are validated to FIPS 140-2 Level 2. See About Password Authentication for more information.

PED Authentication

PED-authenticated HSMs provide two-factor or multi-factor authentication for all roles, using a PED, PED Keys, and PINs. A PED is a physical device, equipped with a numerical keypad, that is securely connected to the HSM, either locally or remotely (see About the SafeNet PED). To authenticate to a PED-authenticated HSM, you require a PED Key, which is an iKey USB token, physically similar to a thumb drive. Separate PED keys are required for each role, and each role supports multi-factor authentication, which can include:

something you have (the physical PED Key, see About PED Keys)

something you know (a PED PIN, optionally associated with a PED Key, entered at the PED keypad; see What is a PED PIN?)

a further option of MofN secret splitting, per role (see About MofN)

MofN is optional split-knowledge, shared-secret access control, in which the access secret for a role is split among N PED Keys, and M of those PED Keys are required for authentication. That is, each key in an MofN context holds a portion of the full role secret, not the complete secret, which prevents any single PED Key holder from gaining unsupervised access to that role on the HSM.

SafeNet PED-authenticated HSMs are validated to FIPS 140-2 Level 3. See About PED Authentication for more information.

Key Management Variants

SafeNet HSMs store all key material in hardware. Depending on your security requirements and key management practices, you may need to move or copy key material from the HSM to a backup HSM, another HSM in the same HA group, or to a file for off-board storage or use. To support these different key management scenarios, SafeNet HSMs are available in the following key management configurations. The variants are mutually exclusive - only one variant can apply to an HSM.

Note:  The ordering code for each key management variant is indicated in parentheses, if applicable.

Cloning (CL)

A SafeNet HSM with cloning (CL) provides the following key management capabilities:

All keys/objects can be cloned to other SafeNet HSMs, or to a SafeNet Backup HSM.

All keys/objects are replicated when configured in an HA group.

Private keys cannot be wrapped off the HSM (that is, you cannot export private keys to an encrypted file).

Note:  You can clone keys/objects only between HSMs or HSM partitions that share the same cloning domain.

In the cloning configuration, the RSA private key is normally static and would reside throughout its lifetime within the HSM, for a root-key application.

Cloning With Key Export (CKE)

A SafeNet HSM with cloning with key export (CKE) provides the following key management capabilities:

All keys/objects, except private keys, can be cloned to other SafeNet HSMs or to a SafeNet Backup HSM.

All keys/objects, except private keys, are replicated when configured in an HA group.

Private keys can be wrapped off the HSM (that is, you can export private keys to an encrypted file).

CKE is normally used for smart card and identity issuance, where transient RSA key-pairs are generated, wrapped off, and issued to a user. They are not used on the HSM. They are simply generated securely, then deleted from the HSM after wrapping off.

No Backup

A SafeNet HSM with no backup provides the following key management capabilities:

Keys/objects cannot be cloned to other SafeNet HSMs or to a SafeNet Backup HSM.

Private keys cannot be wrapped off the HSM (that is, you cannot export private keys to an encrypted file).

An HSM without backup capability ensures that created/contained keys can never leave the HSM. This configuration might also be used when keys are intended to have short lifespans, and would not be expensive to replace.

Performance Variants

The SafeNet Network HSM and SafeNet PCI-E HSMs are available in low performance (1700 signings/second) or high performance (7000 signings/second) variants. The SafeNet USB HSM is available in a single performance level.

SafeNet HSM Models

The following table provides a listing of the available or supported SafeNet HSM models.

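Table 1: SafeNet HSM models

| Model | Performance (signings/second) | Authentication | CL | CKE | No Backup |
|---|---|---|---|---|---|
| SafeNet Network HSM | 1700 | Password | X | X | |
| SafeNet Network HSM | 1700 | PED | X | X | X |
| SafeNet Network HSM | 7000 | Password | X | | |
| SafeNet Network HSM | 7000 | PED | X | | X |
| SafeNet PCI-E HSM | 1700 | Password | X | X | |
| SafeNet PCI-E HSM | 1700 | PED | X | X | |
| SafeNet PCI-E HSM | 7000 | Password | X | | |
| SafeNet PCI-E HSM | 7000 | PED | X | | |
| SafeNet USB HSM | | Password | X | X | X |
| SafeNet USB HSM | | PED | X | X | |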