Capabilities and Policies

HSM capabilities describe the SafeNet PCIe HSM's configuration, and are displayed by issuing the command hsm showpolicies on the Admin partition. They are set at manufacture according to the model you selected at time of purchase. Capabilities can only be modified by purchase and application of capability updates.

HSM policies correspond to a subset of capabilities that allow you to customize the HSM functions. Policies can be modified to provide greater security based on your specific needs. For example, you can restrict the HSM to use only FIPS-approved algorithms by setting HSM policy 12.

Partitions inherit the capabilities and policy settings of the HSM. Partitions also have policies that can be set to customize the partition functions. Partition policies can never be modified to be less secure than the corresponding HSM capability/policy. For example, if the HSM's cloning policy is disallowed (see HSM policy 7), partition policies 0 and 4, which allow cloning of private or secret keys, cannot be set.

The following sections list and describe the HSM and partition capabilities and policies:

•HSM Capabilities and Policies

•Partition Capabilities and Policies

SafeNet PCIe HSM 6.3 Product Documentation
007-011329-012 Rev. A 14 July 2017 Copyright 2001-2017 Gemalto All rights reserved.