About Secure Identity Management

For customer applications that involve more keys than the internal flash memory of the SafeNet Network HSM K6 engine can hold, Secure Identity Management (SIM) provides secure external storage of keys: key material leaves the HSM only in masked (encrypted) form and is unmasked back into the HSM when it is needed.

For the most part, SIM functionality must be implemented in your own application code. The Software Development Kit (available separately) includes documentation and samples for the Cryptoki (PKCS#11) and Java APIs.

The following characteristics apply to the SIM capability:

SIM is a purchased capability that must be enabled when your SafeNet Network HSM is manufactured. SIM cannot be implemented with a SafeNet Network HSM that was not explicitly enabled for SIM.

Managing the database of externally stored keys (indexing, storing and retrieving the masked blobs) is outside the scope of the SafeNet Network HSM. The HSM protects the key material inside those blobs; locating the right blob and returning it to the HSM when it is needed is the responsibility of the customer's application.

All keys stored externally with this feature are strongly encrypted under symmetric masking keys that are never exposed outside the HSM server. Additional encryption and security measures within the HSM server provide further layers of protection.

All manipulations of the keys take place within protected, volatile memory inside the SafeNet Network HSM K6 engine.

Note:  Each SafeNet Network HSM leaving the factory has a unique masking key, which is used for Secure Identity Management. To give several SafeNet Network HSMs the same masking key (so that any of them can unmask blobs extracted by the others), choose one and perform hsm backup. Then, using that Backup HSM, perform hsm restore onto each SafeNet Network HSM that must share the masking key.

Note:  When the HSM is initialized, a new masking secret is created. If "hsm backup" is performed, the new masking secret is what gets backed up onto the backup token, but the old masking secret continues to be used for all masking operations until the HSM is powered off. Keys extracted in that window are therefore masked under a secret that the new backup does not contain and cannot recover. Power-cycle the HSM after initialization before extracting any keys.

A SafeNet Network HSM with SIM enabled can support only a single HSM Partition.

WARNING!  If the masking key is lost, all extracted key material (every key in your external database) is effectively lost with it. Perform an HSM backup (hsm backup) so that the SIM masking key can be restored, and protect the Backup HSM with the same care as the key material it guards.
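The following is an added, constructed model of the properties described above; it is not code from the Luna SDK, and the real Cryptoki SIM extension calls and the HSM's internal cipher are not shown on this page. A class named ModelHSM stands in for a SIM-enabled unit, sim_extract/sim_insert are assumed names for the mask-out and unmask-in operations, and an HMAC-SHA256 keystream with an HMAC tag is an assumed stand-in for the HSM's internal symmetric encryption. The model exercises three points from the notes: a masked blob is bound to the masking secret it was extracted under, a unit restored from a backup shares that secret, and a blob extracted after hsm init but before the next power-off is masked under the old secret that the post-init backup does not hold.

```python
"""Constructed model of SIM masking (not the Luna SDK). HMAC-SHA256 stands in
for the HSM's undisclosed internal cipher; names are assumptions."""
import hashlib
import hmac
import os
import secrets


class MaskingKeyError(Exception):
    """The unit's active masking secret is not the one the blob was masked under."""


class ModelHSM:
    """Stand-in for a SIM-enabled SafeNet Network HSM (constructed model)."""

    def __init__(self, serial):
        self.serial = serial
        self._active = secrets.token_bytes(32)   # unique masking secret per unit
        self._pending = None                     # created by init, active after power-off
        self._volatile = {}                      # key objects in protected volatile memory
        self._next = 1

    # Admin operations modelled on the page's hsm init / backup / restore / power-off
    def initialize(self):
        self._pending = secrets.token_bytes(32)  # old secret stays in use until power-off

    def power_cycle(self):
        if self._pending is not None:
            self._active, self._pending = self._pending, None
        self._volatile.clear()                   # volatile memory does not survive power-off

    def backup(self):
        return self._pending or self._active     # backup captures the newest secret

    @classmethod
    def restore(cls, serial, backup_token):
        unit = cls(serial)
        unit._active = backup_token              # this unit now shares the masking secret
        return unit

    # Key use: the application only ever sees a handle and the results of operations
    def generate_key(self):
        handle, self._next = self._next, self._next + 1
        self._volatile[handle] = secrets.token_bytes(32)
        return handle

    def sign(self, handle, message):
        return hmac.new(self._volatile[handle], message, hashlib.sha256).digest()

    # SIM: mask a key object out to the application, or unmask a blob back in
    def _stream(self, nonce, n):
        out = b""
        for ctr in range(0, n, 32):
            out += hmac.new(self._active, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        return out[:n]

    def sim_extract(self, handle):
        key = self._volatile.pop(handle)         # modelled: object removed after extraction
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(key, self._stream(nonce, len(key))))
        tag = hmac.new(self._active, b"tag" + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag                  # opaque blob for the customer's database

    def sim_insert(self, blob):
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expect = hmac.new(self._active, b"tag" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise MaskingKeyError("blob was masked under a different masking secret")
        handle, self._next = self._next, self._next + 1
        self._volatile[handle] = bytes(a ^ b for a, b in zip(ct, self._stream(nonce, len(ct))))
        return handle


def can_insert(hsm, blob):
    try:
        hsm.sim_insert(blob)
        return True
    except MaskingKeyError:
        return False


def demo_round_trip():
    """Extract to external storage, re-insert, and confirm the same key is back inside."""
    hsm = ModelHSM("HSM-A")
    h = hsm.generate_key()
    before = hsm.sign(h, b"payment-batch-42")
    database = {"key-42": hsm.sim_extract(h)}     # the application's own store
    h2 = hsm.sim_insert(database["key-42"])
    return hsm.sign(h2, b"payment-batch-42") == before


def demo_masking_key_binding():
    """A fresh unit cannot unmask the blob; one restored from HSM-A's backup can."""
    hsm_a = ModelHSM("HSM-A")
    blob = hsm_a.sim_extract(hsm_a.generate_key())
    fresh = ModelHSM("HSM-B")
    restored = ModelHSM.restore("HSM-C", hsm_a.backup())
    return can_insert(fresh, blob), can_insert(restored, blob)


def demo_init_window():
    """Blobs extracted between hsm init and the next power-off use the old secret,
    which the post-init backup does not contain; power-cycling first closes the gap."""
    hsm_a = ModelHSM("HSM-A")
    hsm_a.initialize()
    token = hsm_a.backup()                                   # holds the new secret
    early = hsm_a.sim_extract(hsm_a.generate_key())          # still masked with the old secret
    hsm_a.power_cycle()                                      # new secret now active
    late = hsm_a.sim_extract(hsm_a.generate_key())
    hsm_b = ModelHSM.restore("HSM-B", token)
    return can_insert(hsm_b, early), can_insert(hsm_b, late)
```

The application never handles key bytes: it stores the opaque blob that sim_extract returns and gets back only a handle from sim_insert, which is the division of responsibility the page describes. demo_init_window is the practical reason for the power-off note above: the blob labelled early is recoverable by nobody once HSM-A has been power-cycled, while the one extracted after the power cycle restores cleanly from the same backup token.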