Home >

LunaCM Command Reference Guide > LunaCM Commands > partition > partition create

partition create

Create an application partition on a locally installed or USB-connected HSM.

The command is run from the HSM administrative partition. The HSM SO must be logged in.

Syntax for command in HSM with firmware 6.22.0 or newer

partition create  [-password <string>] [-label <string>]   [-slot <number>] [-size <number>] [-domain <string>]  [-defaultdomain]  ][policyTemplate] <template name>] [-force]

Parameter Shortcut Description
-defaultdomain -def use default domain instead of a private, secure domain (deprecated; not recommended)  
-domain -d domain for cloning (Password-auth)
-force -f force the action (useful when scripting commands)  
-label -l label of the partition (declares a legacy partition - not used if "-slot" is specified)  
-password -p user role password (Password-auth)
-policyTemplate -tn policy template file to apply to the partition; useful for repetitive provisioning and deployment (see partition policytemplate and Partition Creation with Policy Template Using LunaCM )
-size -si storage size of partition (used only for HSMs supporting multiple application partitions, to specify a size other than the calculated default size - depends on HSM memory, existing application partitions, and their specifications)
-slot -sl

slot where the new partition is to be created

if "-slot" is specified, the new partition will have its own Security Officer (PSO); the PSO must initialize the partition (including assigning a label), adjust policies, initialize user roles,

specify a slot number that is not already in use, usually below the number of the HSM administrative slot from which you are running the command

not used if "-label" is specified  

Must delete old partition first

For HSMs with firmware 6.22.0 or newer, the partition creation does not overwrite an existing partition. If the HSM supports just a single application partition, and one already exists, the partition create command stops and throws the error "Error in execution : CKR_LICENSE_CAPACITY_EXCEEDED." To create a new application partition, delete the existing one first, with partition delete, then re-issue partition create.

Partition SO requires capability

The partition create command help shows the "-slot" option, and the "-label" option, which are mutually exclusive.

The "-label" option creates a legacy-style application partition that is "owned"/ administered by the HSM SO.

The "-slot" option attempts to create a partition with its own Security Officer (a separate entity from the HSM SO), but if your HSM does not contain the PSO Capability Update, then the attempt fails, and you can create only a legacy-style application partition.

In general, PSO partitions are advantageous for Network HSMs that support multiple application partitions, and confer no advantage for a PCIe HSM or USB HSM that support only a single application partition, locally administered.

Rules for names and passwords

A partition name or a partition label can include any of the following characters :

!#$%'()*+,-./0123456789:=@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{}~

No spaces, unless you wish to surround the name or label in double quotation marks every time it is used.
No question marks, no double quotation marks within the string.  
Minimum name or label length is 1 character. Maximum is 32 characters.

Valid characters that can be used in a password or in a cloning domain, when entered via LunaSH [1]), are:

   !#$%'*+,-./0123456789:=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{}~

(the first character in that list is the space character)
Invalid or problematic characters, not to be used in passwords or cloning domains are
"&';<>\`|()

Valid characters that can be used in a password or in a cloning domain, when entered via lunacm, are:

 !"#$%&\'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~

(the first character in that list is the space character)

Minimum password length is 7 characters; maximum is 255 characters in lunash or lunacm.  

Minimum domain string length is 1 character; maximum domain length is 128 characters via lunash.  No arbitrary maximum domain string length is enforced for domain strings entered via lunacm, and we have successfully input domain strings longer than 1000 characters in testing.  

[1] LunaSH on the SafeNet Network HSM has a few input-character restrictions that are not present in LunaCM, run from a client host. It is unlikely that you would ever be able to access, via LunaSH, a partition that received a password or domain via LunaCM, but the conservative approach would be to avoid the few "invalid or problematic characters" generally.

Syntax for command in HSM with firmware older than 6.22.0

partition create  [-password <string>]  [-domain <string>]  [-defaultdomain]  [-force]

Parameter Shortcut Description
-password -p user role password (Password-auth)
-domain -d domain for cloning (Password-auth)
-defaultdomain -def use default domain instead of a private, secure domain (deprecated; not recommended)  
-force -f force the action (useful when scripting commands)

Note:  For HSMs with firmware older than version 6.22.0, supporting just a single application partition, partition create overwrites (with a warning) any pre-existing application partition.

Example creating a legacy partition (PED-auth f/w 6.22.0 or newer)

lunacm:> slot list

        Slot Id ->              1
        Tunnel Slot Id ->       2
        Label ->                mypcie6
        Serial Number ->        150022
        Model ->                K6 Base
        Firmware Version ->     6.22.0
        Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
        Slot Description ->     Admin Token Slot
        HSM Configuration ->    Luna HSM Admin Partition (PED)
        HSM Status ->           OK

        Slot Id ->              3
        HSM Label ->            myG5pw
        HSM Serial Number ->    7001312
        HSM Model ->            G5Base
        HSM Firmware Version -> 6.10.4
        HSM Configuration ->    SafeNet USB HSM (PW) Signing With Cloning Mode
        HSM Status ->           OK

        Current Slot Id: 1

Command Result : No Error

lunacm:> partition create -label mypcielegacypar

        Please attend to the PED.

Command Result : No Error

lunacm:> slot list

        Slot Id ->              0
        Tunnel Slot Id ->       2
        Label ->                mypcielegacypar
        Serial Number ->        349297122735
        Model ->                K6 Base
        Firmware Version ->     6.22.0
        Configuration ->        Luna User Partition, No SO (PED) Signing With Cloning Mode
        Slot Description ->     User Token Slot

        Slot Id ->              1
        Tunnel Slot Id ->       2
        Label ->                mypcie6
        Serial Number ->        150022
        Model ->                K6 Base
        Firmware Version ->     6.22.0
        Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
        Slot Description ->     Admin Token Slot
        HSM Configuration ->    Luna HSM Admin Partition (PED)
        HSM Status ->           OK

        Slot Id ->              3
        HSM Label ->            myG5pw
        HSM Serial Number ->    7001312
        HSM Model ->            G5Base
        HSM Firmware Version -> 6.10.4
        HSM Configuration ->    SafeNet USB HSM (PW) Signing With Cloning Mode
        HSM Status ->           OK

        Current Slot Id: 1

Command Result : No Error

lunacm:> 

 

Example creating a PPSO partition (PED-auth f/w 6.22.0 or newer)

lunacm:> slot list

        Slot Id ->              1
        Tunnel Slot Id ->       2
        Label ->                mypcie6
        Serial Number ->        150022
        Model ->                K6 Base
        Firmware Version ->     6.22.0
        Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
        Slot Description ->     Admin Token Slot
        HSM Configuration ->    Luna HSM Admin Partition (PED)
        HSM Status ->           OK

        Slot Id ->              3
        HSM Label ->            myG5pw
        HSM Serial Number ->    7001312
        HSM Model ->            G5Base
        HSM Firmware Version -> 6.10.4
        HSM Configuration ->    SafeNet USB HSM (PW) Signing With Cloning Mode
        HSM Status ->           OK

        Current Slot Id: 1

Command Result : No Error

lunacm:> 
lunacm:> partition create -slot 0

Command Result : No Error

lunacm:> slot list

        Slot Id ->              0
        Tunnel Slot Id ->       2
        Label ->
        Serial Number ->        349297122736
        Model ->                K6 Base
        Firmware Version ->     6.22.0
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
        Slot Description ->     User Token Slot

        Slot Id ->              1
        Tunnel Slot Id ->       2
        Label ->                mypcie6
        Serial Number ->        150022
        Model ->                K6 Base
        Firmware Version ->     6.22.0
        Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
        Slot Description ->     Admin Token Slot
        HSM Configuration ->    Luna HSM Admin Partition (PED)
        HSM Status ->           OK

        Slot Id ->              3
        HSM Label ->            myG5pw
        HSM Serial Number ->    7001312
        HSM Model ->            G5Base
        HSM Firmware Version -> 6.10.4
        HSM Configuration ->    SafeNet USB HSM (PW) Signing With Cloning Mode
        HSM Status ->           OK

        Current Slot Id: 1

Command Result : No Error

lunacm:> 

 

Example creating a legacy partition (PW-auth f/w 6.10.9)

lunacm:> slot list

        Slot Id ->              1
        Tunnel Slot Id ->       2
        Label ->                mypcie6
        Serial Number ->        150022
        Model ->                K6 Base
        Firmware Version ->     6.22.0
        Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
        Slot Description ->     Admin Token Slot
        HSM Configuration ->    Luna HSM Admin Partition (PED)
        HSM Status ->           OK

        Slot Id ->              3
        HSM Label ->            myG5pw
        HSM Serial Number ->    7001312
        HSM Model ->            G5Base
        HSM Firmware Version -> 6.10.4
        HSM Configuration ->    SafeNet USB HSM (PW) Signing With Cloning Mode
        HSM Status ->           OK

        Current Slot Id: 1

Command Result : No Error

lunacm:> 

lunacm:> partition showinfo

        The User has not been created.

Command Result : No Error

lunacm:> hsm login

        Option -password was not supplied.  It is required.

        Enter the password: ********

Command Result : No Error

lunacm:> partition create

        Option -password was not supplied.  It is required.

        Enter the password: ********

        Re-enter the password: ********

        Option -domain was not specified.  It is required.

        Enter the domain name: ********

        Re-enter the domain name: ********

Command Result : No Error

lunacm:> partition showinfo

        HSM Serial Number -> 7001312
        HSM Status -> OK
        Token Flags ->
                CKF_RNG
                CKF_LOGIN_REQUIRED
                CKF_USER_PIN_INITIALIZED
                CKF_RESTORE_KEY_NOT_NEEDED
                CKF_TOKEN_INITIALIZED
        RPV Initialized -> Not Available / Not Supported
        Slot Id -> 3
        Session State -> CKS_RW_PUBLIC_SESSION

        User Status-> Not Logged In

        Crypto Officer Failed Logins-> 0
        Crypto User Failed Logins->    0
        User Flags ->
                CONTAINER_KCV_CREATED
        User OUID: 1200000745010000e0d46a00

        User Storage:
                Total Storage Space:  2094996
                Used Storage Space:   0
                Free Storage Space:   2094996
                Object Count:         0

        *** The HSM is NOT in FIPS 140-2 approved operation mode. ***


        License Count -> 4
                1. 621000001-000 G5 base configuration
                1. 620139-000 Elliptic curve cryptography
                1. 620131-000 Key backup via cloning protocol
                1. 621010083-001 Performance level 15

Command Result : No Error

lunacm:>


Note:  In the examples above, for the newer firmware, slot list, before and after, showed that the application partition had been created.

For the older firmware, the creation of an application partition did not alter the slot list, so instead we show the output of partition showinfo, before the application partition is created, and then again afterward.