Tamper, Secure Transport, and Purple PED Keys

The HSM recognizes a number of tamper conditions (including over/under-temperature, physical interference, etc.), and allows you to choose how each is treated. The options range from simply recording the event in the HSM log, to temporarily (or even "permanently") disabling the HSM. In addition, the tamper function has been expanded to include Secure Transport Mode (STM), which protects your SafeNet HSMs while they are shipped or stored. The advanced tamper features and the ability to set STM are available only on PED-authenticated SafeNet HSMs.

The use of purple PED Keys for tamper recovery is optional unless your security policy dictates that tamper events must require a response from the HSM's administrator, the Security Officer (SO).

The use of Secure Transport Mode (STM), which also uses the purple PED Key, is optional unless your security policy dictates that level of preparation before shipping or storage of the HSM.

If you wish to invoke Secure Transport Mode before shipping (or storing) a SafeNet HSM, you must first enable the Secure Recovery Key (SRK). Enabling the SRK moves one of the two recovery splits (the secure recovery vector, or SRV) out of the HSM and imprints it onto a purple PED Key. The two recovery splits are used to recover the Master Tamper Key if it is destroyed, either by a tamper event or by invocation of STM. Moving one of those splits outside the HSM prevents automatic, hands-off recovery from a tamper event; instead, a purple-PED-Key holder must intervene before a tampered HSM (or one that was placed in Secure Transport Mode) can recover.

Those actions are described in detail elsewhere.

About the Purple SRK (secure recovery key)

Due to its nature, the purple PED Key (and its contained secret) behaves differently, in some respects, than all the other PED Keys.

You choose to use this feature to enhance security during shipments or to enforce certain responses in case of physical tampering of the SafeNet HSM (once again, it is optional - you can use all other features of the HSM without ever invoking a purple PED Key). You must put safeguards in place to ensure that the SRK does not go missing - without the purple PED Key, you cannot recover from STM or a tamper event, and must ship the HSM back to SafeNet for re-manufacture.  

One safeguard is to make copies of the SRK at the time it is generated, since the purple PED Key cannot be duplicated afterward. If one of the copies is lost or destroyed, you can still recover the HSM with another.

Another safeguard might be to extract the SRV onto multiple SRK splits (MofN greater than 1) rather than just one. If one of the N splits is lost or destroyed, you can still recover the HSM if you can locate quantity M of the remaining splits.
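The two-split recovery described above (one split held inside the HSM, the SRV on purple PED Keys) and the M-of-N resplit of the SRV can be modelled in a few lines. The following is an added illustration, not SafeNet code: the HSM's real split and key-derivation scheme is not documented on this page, so the example assumes a generic Shamir M-of-N sharing over a prime field and an XOR combination of the two splits. The function and variable names (`tamper_recovery_demo`, `split_mofn`, `recover_mtk`) are invented for the example.

```python
# Toy model of Master Tamper Key (MTK) recovery with the SRK enabled.
# Illustrative only; not SafeNet's algorithm (assumption: Shamir M-of-N
# sharing for the purple-key splits, XOR for combining the two recovery splits).
import secrets

PRIME = (1 << 127) - 1   # prime field for the Shamir arithmetic (assumption)
KEY_BITS = 120           # secrets are kept below PRIME


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with the given coefficients at x (mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_mofn(secret, m, n):
    """Split `secret` into n shares such that any m of them reconstruct it.
    Returns a list of (x, y) points on a random degree m-1 polynomial."""
    if not (0 < m <= n) or not (0 <= secret < PRIME):
        raise ValueError("bad M-of-N parameters or secret out of range")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_mofn(shares):
    """Lagrange-interpolate the shares at x = 0.  With at least m shares of a
    degree m-1 polynomial this returns the secret; with fewer it returns an
    unrelated value (which is exactly why losing too many keys is fatal)."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def make_mtk_splits(mtk):
    """Produce the two recovery splits: one stays inside the HSM, the other
    (the SRV) leaves on purple PED Keys.  Either alone reveals nothing."""
    hsm_split = secrets.randbits(KEY_BITS)
    srv = mtk ^ hsm_split
    return hsm_split, srv


def recover_mtk(hsm_split, purple_keys):
    """Rebuild the SRV from the purple keys presented, then recombine."""
    return hsm_split ^ recover_mofn(purple_keys)


def tamper_recovery_demo(m, n, keys_lost):
    """Simulate: SRK enabled with an M-of-N resplit, a tamper event or STM
    destroys the MTK, and `keys_lost` purple keys are missing.  Returns True
    when the surviving keys (used together) recover the original MTK."""
    mtk = secrets.randbits(KEY_BITS)
    hsm_split, srv = make_mtk_splits(mtk)
    purple_keys = split_mofn(srv, m, n)   # imprinted onto N purple PED Keys
    surviving = purple_keys[keys_lost:]   # constructed loss scenario
    if not surviving:
        return False                      # no purple key: ship back for re-manufacture
    return recover_mtk(hsm_split, surviving) == mtk


if __name__ == "__main__":
    for m, n, lost in [(1, 1, 0), (1, 1, 1), (2, 3, 1), (2, 3, 2), (3, 5, 2), (3, 5, 3)]:
        print(f"{m}-of-{n}, {lost} key(s) lost: "
              f"{'recovered' if tamper_recovery_demo(m, n, lost) else 'NOT recoverable'}")
```

The model reproduces the policy point of the preceding paragraphs: with a single purple key (1-of-1), losing it means the HSM cannot be recovered, whereas a 2-of-3 resplit tolerates the loss of one key and a 3-of-5 resplit the loss of two.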

As a safeguard against loss of the purple key in shipment, you need not ship the SRK to the site where the HSM is being installed. You can use Remote PED to perform the recovery from Secure Transport Mode, provided that you prepared the HSM and an orange Remote PED Key before the HSM was placed in Secure Transport Mode.

Unlike all other PED Keys, the purple PED Key cannot be duplicated via SafeNet PED's stand-alone duplication facility in the PED's Admin menu. If you attempt to do so, the PED insists that the source key you have presented is blank, and does not continue. Therefore, if you expect to need more than one copy of the SRK, you must make those duplicates when the SRK is created - either at hsm srk enable or at hsm srk keys resplit for SafeNet Network HSM, or when using the lunacm commands srk enable or srk generate for SafeNet PCI-E HSM and SafeNet USB HSM.