|
Home > |
|---|
HSM capabilities describe the SafeNet Network HSM's configuration. They are set a manufacture according to the model you selected at time of purchase. Capabilities can only be modified by purchase and application of capability updates.
HSM policies correspond to a subset of capabilities that allow you to modify the HSM functions. Policies can be modified to provide greater security based on your specific needs. They can never be modified to be less secure than the corresponding capability.
To view the HSM capability and policy settings,
To modify HSM policies, login as HSM SO and use the LunaSH command hsm changepolicy-policy <policy#> -value <0/1>.
See
To zeroize the HSM and reset the policies to their default values, use hsm factoryreset.
In some cases, changing an HSM policy zeroizes all application partitions or the entire HSM as a security measure. These policies are listed as destructive.
The table below summarizes the relationships and provides a brief description of the purpose and operation of each capability and policy.
|
# |
HSM Capability | HSM Policy | Description |
|---|---|---|---|
| 0 |
Enable PIN-based authentication |
If allowed, the HSM authenticates all users with keyboard-entered passwords. |
|
| 1 |
Enable PED-based authentication |
If allowed, the HSM authenticates users with secrets stored on physical PED keys, read by a SafeNet Luna PED. The Crypto Officer and Crypto User roles may also be configured with a secondary, keyboard-entered challenge secret. |
|
| 2 |
Performance level |
|
Numerical value indicates the performance level of this HSM: •4: Standard performance ~1700 1024-bit RSA signature/second •15: Maximum performance ~7000 1024-bit RSA signatures/second |
| 4 |
Enable domestic mechanisms & key sizes |
|
Always allowed. All current SafeNet Luna HSMs are capable of full-strength cryptography with no US export restrictions. |
| 6 |
Enable masking |
Allow masking Destructive |
If enabled, the SafeNet Network HSM is capable of SIM, and this feature can be turned on or off by the HSM SO. If disabled, the SafeNet Network HSM is not
capable of SIM, and there is no way to for the HSM SO to change this. |
| 7 |
Enable cloning |
Allow cloning Destructive |
If allowed, the HSM is capable of cloning cryptographic objects from one partition to another. This policy must be enabled to backup partitions over a network or create HA groups. Partition Security Officers may then enable/disable cloning on individual partitions. |
| 8 | Enable special cloning certificate | Always disallowed on current SafeNet Network HSM. No vendor-specific cloning certificates can be loaded onto the HSM. | |
| 9 |
Enable full (non-backup) functionality |
|
If allowed, the HSM is capable of full cryptographic functions. This capability is only disallowed on SafeNet Luna Backup HSMs. |
| 12 |
Enable non-FIPS algorithms |
Allow non-FIPS algorithms Destructive |
If allowed, the HSM can use all available cryptographic algorithms. If disallowed, only algorithms sanctioned by the FIPS 140-2 standard are permitted. The following is displayed in the output from FIPS 140-2 Operation: ===================== The HSM is in FIPS 140-2 approved operation mode. |
| 15 |
Enable SO reset of partition PIN |
SO can reset partition PIN Destructive |
If allowed, a Partition SO can reset the password or PED secret of a Crypto Officer who has been locked out after too many bad login attempts. If disallowed, the lockout is permanent and the partition contents are no longer accessible. The partition must be re-initialized, and key material restored from a backup device. See Failed Logins for more information. |
| 16 |
Enable network replication |
Allow network replication |
If allowed, cryptographic object cloning is permitted over a network. This is required for HA groups, and for partition backup to a remote or client-connected SafeNet Luna Backup HSM. If disallowed, cloning over a network is not permitted. Partition backup is possible to a locally-connected SafeNet Luna Backup HSM only. Setting this policy to 0 means that only the HSM SO can backup partitions. This capability is allowed only on cloning HSM versions, and is disallowed on Key-Export HSM versions. |
| 17 |
Enable Korean Algorithms |
Allow Korean algorithms |
If allowed, the SafeNet Network HSM can use the Korean algorithm set. This capability may be purchased as an upgrade. See Software Maintenance and Updates. |
| 18 |
FIPS evaluated |
|
Always disallowed - deprecated policy. All SafeNet Network HSMs are capable of operating in FIPS Mode. |
| 19 | Manufacturing Token | N/A (SafeNet internal use only) | |
| 20 | Enable Remote Authentication |
Allow Remote Authentication Destructive |
Deprecated policy - Remote Authentication is no longer supported. The feature is replaced by Remote PED. |
| 21 |
Enable forcing user PIN change |
Force user PIN change after set/reset |
If allowed, when a Partition SO initializes the Crypto Officer role (or resets the password/PED secret), the CO must change the credential with role changepw before any other actions are permitted. The same is true when the CO initializes/resets the Crypto User role. This policy is intended to enforce the separation of roles on the partition. If disallowed, the CO/CU may continue to use the credential assigned by the Partition SO. |
| 22 |
Enable portable masking key |
Allow off-board storage Destructive |
Allows or disallows the use of the portable SIM key. |
| 23 |
Enable partition groups |
|
Always disallowed - deprecated policy. |
| 25 |
Enable Remote PED usage |
Allow Remote PED usage |
Always enabled on PED-authenticated SafeNet Network HSMs. All PED-authenticated HSMs are capable of connecting to a local PED or a remotely-located PED server. The HSM SO may turn this feature on or off. |
| 26 | Enable external storage of MTK split |
Allows one of the splits of the MTK, the Secure Recovery Vector, to be stored outside the HSM on a purple Secure Recovery PED Key. Used for Secure Transport Mode, and for controlled/supervised recovery from tamper events. The policy associated with this capability is set automatically when the lLunaSH command hsm srk enable is run. If that command is never run, both MTK splits remain inside the HSM and recovery from tamper is automatic after restart. Not applicable to password-authenticated SafeNet Network HSMs. |
|
| 27 | HSM non-volatile storage space |
Displays the non-volatile maximum storage space (in bytes) on the HSM. This is determined by the model of SafeNet Network HSM you selected at time of purchase. |
|
| 29 | Enable Acceleration |
Allow Acceleration Destructive |
If allowed, provides best performance for key generation (RSA,DSA, KCDSA) and HMAC operations. |
| 30 |
Enable Unmasking |
Allow unmasking |
If allowed, cryptographic material can be migrated from legacy SafeNet appliances that used SIM. |
| 31 | Enable FW5 compatibility mode | Not applicable to SafeNet Network HSMs. | |
| 33 | Maximum number of partitions |
Displays the maximum number of application partitions that can be created on the HSM. The number of allowable partitions can be upgraded with a separate purchase. See Software Maintenance and Updates for more information. |
|
| 34 | Enable ECIES support | Allow ECIES | Elliptic Curve Integrated Encryption Scheme is enabled by a purchased Capability Update. When the CUF is applied, a Policy setting becomes available to switch ECIES off and on.This is a non-FIPS algorithm. If Allow non-FIPS algorithms is set to ON, that setting overrides this one. |
| 35 | Enable Single Domain | Not applicable to SafeNet Network HSMs. | |
| 36 | Enable Unified PED Key | Not applicable to SafeNet Network HSMs. | |
| 37 | Enable MofN | Allow MofN |
If allowed on PED-authenticated SafeNet Network HSMs, this policy enables you to split a PED secret among multiple PED keys (see Using MofN). If disallowed, users will no longer be asked to split a PED secret (M and N automatically set to 1). Always disallowed on password-authenticated HSMs. |
| 38 | Enable small form factor backup/restore | Enabled by a purchased capability update - backup the contents of an HSM partition to a SafeNet eToken 7300, by means of a SafeNet PED. Requires that Masking be enabled and allowed. | |
| 39 | Enable Secure Trusted Channel | Allow Secure Trusted Channel |
If allowed, this policy enables the use of Secure Trusted Channel for partition-client connections (see Secure Trusted Channel (STC)). If disallowed, all partition-client connections must use NTLS. |
| 40 | Enable decommission on tamper |
Not applicable to SafeNet Network HSMs. |
|
| 41 | Enable Per-Partition SO | If allowed, the HSM SO can create PPSO partitions. Each PPSO partition has its own Security Officer with administrative control, allowing full separation of roles across the HSM. | |
| 42 | Enable partition re-initialize | Allow partition re-initialize |
Not applicable to SafeNet Network HSMs. |