|
Home > |
|---|
SafeNet HSMs are built on one of our general-purpose HSM platforms (hardware plus firmware), and then are loaded with what we call "personality", to make them into specific types of HSM with specific abilities and constraints, to suit different markets and applications. The built-in attributes are called "Capabilities" and describe what the HSM can do as it comes to you from the factory. Some capabilities are unalterable, except by re-manufacturing the HSM. Many HSM capabilities can be altered by means of HSM Policies, which coincide one-for-one with the capabilities that they alter.You can view the current HSM capabilities and policies with the hsm showpolicies command:You can change a current HSM policy in LunaSH with the hsm changepolicy command.You can change a current HSM policy in lunacm with the hsm changeHMSPolicy command.
Similarly, capabilities and policies for each HSM partition control the behavior and the security parameters of the partition.
If a capability governs a security parameter, then the respective policy can set the HSM or the HSM partition to be more restrictive than the base capability allows, but never less restrictive.
Policy change actions that materially affect the cryptographic security of the HSM or of a partition are "destructive", meaning that if you invoke a change to such a policy, all contents of the HSM (or of the partition) are destroyed. In such an event, you can create new versions of objects that were formerly on the HSM or in the partition, or you can restore from backup.
Refer to the Configuration Guide and the Administration Guide for further discussion and instruction around capabilities and policies.