) and leaves the HSM with 15 partitions having X bytes each, plus the large one|
Home > |
|---|
[This is supplementary information. You can create and use HSM partitions, using default parameters, without ever referring to this page. However, if you wish to adjust and control the sizes of your partitions, the information on this page might be helpful.]
The syntax of the partition create command is described in the Lunash Command Reference Guide.
The procedure is described as part of SafeNet Network HSM Configuration, password version ( Prepare to Create a Legacy Partition (Password Authenticated) ) or PED version ( Prepare to Create a Partition (PED Authenticated) ) in the Configuration Guide.
The output of the command hsm show includes information about
•the amount of HSM storage that is supported (whether it is the default non-volatile memory size, or maximum memory following a memory configuration upgrade), and
•how much of that memory is used, and how many application partitions currently exist, as well as
•the permitted maximum number of partitions.
The output of the command partition list shows
•all currently created application partitions,
•the total storage allotted to each,
•the total storage used and still unused within each partition.
That information can be helpful when you prepare to create multiple new partitions (if you have purchased upgrades beyond the default allotment), informing decisions about the sizes/capacities of partitions that you create, the possibility (or need) to revise/recreate existing partitions that have unused space, thereby allowing additional or larger new application partitions to be created, etc.
The SafeNet Network HSM supports a maximum of 100 partitions (subject to change in future versions). In use, the HSM supports only the number of partitions that are explicitly licensed, either from the factory, or by later upgrade. The upgrade is locked to the serial number of a specific HSM. Available values are 2, 10, 20, 35, 50, 75, or 100 partitions. Those partitions are divided among the available memory, with each being assigned an equal share when it is created, by default. We do not specify an exact size in bytes, because this can be affected by other features of the factory-installed configuration that you purchased, and by later changes
The basic allotment ensures that you can create all allowed partitions, each having enough space to hold (at least) an RSA key-pair.
If you don't specify an amount at partition creation, then each partition is assigned the default amount for your HSM.
You can see what that default amount is for your HSM by creating a single partition and then viewing partition information with partition show.
The default total storage space on the HSM is 2 MB, which, less partition overhead, is available for storage of objects.
A purchased upgrade (at the time the HSM is ordered, or as a customer-installed upgrade at a later date) is available, increasing the allotment to 15.5 MB of storage. If your application uses only a small amount of memory per partition, then increasing the total memory might not be necessary if you increase the partition count. However, if your application uses a significant portion of the default 2 MB when you have only 2 or 5 partitions, then when upgrading to 10, 15, 20, 50, or 100 partitions, you would likely need to increase the total memory.
Partition overheadInternal data structures, within each application partition, to accommodate cryptographic keys and other security infrastructure. Partition overhead uses up some of the non-volatile memory space that is nominally allotted to a partition - approximately 2k bytes per partition on pre-firmware-6.22.0 HSMs, and approximately 9k bytes per partition on HSMs with firmware 6.22.0 and newer. Calculations of available space for your cryptographic objects must allow for the overhead, with particular care when upgrading firmware., for HSMs with firmware older than version 6.22.0,is just slightly greater than 2 KB per partition. Partition overhead, for HSMs with firmware version 6.22.0 or newer, is approximately 9 KB per partition, and is subject to change in future releases.
You have the option, when creating any partition, to specify "-size" followed by a number of bytes, to directly set the amount of storage to be used by this partition. The HSM runs a boundary check, to determine whether that much storage space remains, and either proceeds with the partition creation, or refuses with an error message.
The upper boundary definition is defined as: F / (M - N) - O
where:
F is the free HSM space remaining,
M is the maximum number of partitions allowed on the HSM,
N is the number of existing partitions already created on the HSM, and
O is the partition overhead.
The purpose of the upper boundary is to reserve a usable share of space for future partitions that you might wish to create.
You have the option, when creating any partition, to specify "-allfreestorage", which forcibly allocates all remaining storage to that partition, without reserving any space. If you do this before you have created the maximum number of partitions (say, 20), then you are not able to create additional partitions - all the previously unallocated storage is used by the last one that you created (with -allfreestorage option), leaving none for additional partitions.
Note: If you intend to re-size partitions, or to perform a firmware update (example, from pre-6.22.0 to version 6.22.0 or newer) that alters the available space in partitions, be sure to backup the contents of your HSM first. It might be required to remove some objects from partitions that are at-or-near capacity. They can be restored after all re-sizing and new-partition creation has finished.
The command partition resize has the "-size" and "-allfreestorage" options that work as described for partition create, above, with these constraints:
•The "-size" option allows you to increase the size of the application partition if space is available.
•The "-size" option does not allow you to decrease the application partition size to less than the current free space available - that constraint ensures that no partition objects are lost. If you wish to further decrease the size of a partition, you must intentionally delete objects from it until the remaining objects occupy no more space than the desired partition size.
•For the partition resize command, you must specify either "-size" or "-allfreestorage"; those options are mutually exclusive.
If you need twenty partitions on your HSM, then you must create twenty partitions (assuming that you have purchased that capability), and their size is constrained by the available storage space - about 100,000 bytes per partition for an HSM with 2 MB of storage, or about 3/4 of a megabyte per partition for an HSM with 15.5 MB of storage.
However, you might prefer a smaller number of partitions, each having more space allocated.
With the maximum number of partitions that you will need, and their sizes, you can do the arithmetic and simply create each partition with the "-size" option, taking care to not exceed the total space available. The HSM creates your partitions with your specified sizes, except that the last partition is constrained by the boundary calculation to leave enough room for 20-x minimal partitions (that is, twenty minus x where x is the number of large partitions that you want). This wastes some storage that could otherwise be allocated to that last large partition.
You can get around that limitation by creating x-1 partitions (where x is the number you desire in total) using the "-size" option, and then creating your last partition with "-allfreestorage" specified instead.
So if, for example, you create four partitions in total, using the above suggestion, the assumption is that you are confident you will never need more than four, and can safely use up all storage for just those four.
If you prefer to have all your partitions sized equally, and to let the HSM do the calculations, the following procedure might be of some value.
In this example, create four equal-size partitions, using all the storage possible:
- start by creating 20 partitions (the maximum allowed) – each will have X bytes available to it
- delete 4 of them (leaving 16)
- resize one partition to use “-allfreestorage”, which makes that partition large (as large as five small partitions ) and leaves the HSM with 15 partitions having X bytes each, plus the large one
- delete another four small partitions
- resize one small partition to use “-allfreestorage”, which makes that partition large (there are now two large partitions ) and leaves the HSM with 10 partitions having X bytes each, plus the two large ones
- delete another four small partitions
- resize one small partition to use “-allfreestorage”, which makes that partition large (there are now three large partitions ) and leaves the HSM with 5 partitions having X bytes each, plus the three large ones
- delete another four small partitions
- resize the single remaining small partition to use “-allfreestorage”, which makes that partition large and leaves 0 (zero) of the original partitions with X bytes each, and the four large partitions of equal size, and no unallocated space on the HSM.
For the example, we chose conveniently round numbers. You might have a few bytes left over, or one partition slightly larger or smaller than the others, depending on the actual configuration of your HSM.