|
Home > |
|---|
This section applies to PED-authenticated HSMs only.
SafeNet PED and PED Keys, for HSMs that control access by PED and Keys over a secure or trusted path, bring some considerations that are not present for HSMs that control access by means of text passwords.
PED Keys all start out blank, both in terms of data content and exterior labeling. You will need to apply identifying labels for the mandatory roles:
•HSM SO (the security officer or HSM Administrator) - blue PED Key
•Partition Owner or User (or the Crypto Officer if you apply that scheme) - black PED Key
•HSM Cloning Domain and application Partition Cloning Domains - red PED Key
as well as for the optional roles/secrets if you choose to invoke them:
•Crypto User (the limited cryptographic user of partition crypto objects) - charcoal-gray PED Key
•Auditor (controls HSM audit logging) - white PED Key
•Remote PED Key (contains the RPV that allows remote use of the PED) - orange PED Key
•Secure Recover Key (contains the Secure Recovery Vector for tamper recovery or transport mode) - purple PED Key
SafeNet supplies sets of colored, printed self-stick identifying labels with each set of blank PED Keys, for your convenience.
The data/secret is imprinted on each key as part of the configuration process, and determines the identity or type of each key (regardless of what exterior label you apply).
In addition to taking on secrets to unlock various aspects of the HSM, PED Keys have options that must be decided when they are created. Because HSM and PED timeouts are involved, you have limited time to process the PED Keys for a given transaction, so you should plan your options and selections in advance.