Partitions inherit the capabilities and policy settings of the HSM. Partitions also have policies that can be set to customize the partition functions. Partition policies can never be modified to be less secure than the corresponding HSM capability/policy. For example, if the HSM's cloning policy is disallowed (see HSM policy 7), partition policies 0 and 4, which allow cloning of private or secret keys, cannot be set.
Note: If you are running more than one LunaCM session against the same partition, and change a partition policy in one LunaCM session, the policy change will be reflected in that session only. You must exit and restart the other LunaCM sessions to display the changed policy settings.
To view the partition capabilities and policy settings, use the LunaCM command partition showpolicies.
To modify partition policies, log in as Partition SO and use the LunaCM command partition changepolicy -policy <policy#> -value <0/1/value>.
See partition changepolicy in the LunaCM Command Reference Guide for command syntax.
In some cases, changing a partition policy forces deletion of all cryptographic objects on the partition as a security measure. These policies are listed as destructive. Destructive policies are typically those that change the security level of the objects stored in the partition.
Use the LunaCM command partition showpolicies -verbose to check whether the policy you want to enable/disable is destructive.
The table below summarizes the relationships and provides a brief description of the purpose and operation of each capability and policy.
| # | Partition Capability | Partition Policy | Description |
|---|---|---|---|
| 0 | Enable private key cloning | Allow private key cloning (Destructive: ON) | If enabled, the partition is capable of cloning cryptographic objects to another partition. This policy must be enabled to back up partitions or create HA groups. |
| 1 | Enable private key wrapping | Allow private key wrapping (Destructive: ON) | Always disabled for all partitions on a SafeNet PCIe HSM. Private keys on the partition may not be wrapped off. The Partition SO cannot change this policy. |
| 2 | Enable private key unwrapping | Allow private key unwrapping | If enabled, private keys may be unwrapped onto the partition. The Partition SO can turn this feature on or off. If disabled, private key unwrapping is not available, and the Partition SO cannot change this. |
| 3 | Enable private key masking | Allow private key masking (Destructive: ON) | Always disabled. SIM has been deprecated on all current SafeNet PCIe HSMs. The Partition SO cannot change this policy. |
| 4 | Enable secret key cloning | Allow secret key cloning (Destructive: ON) | If enabled, secret keys on the partition can be backed up. The Partition SO can turn this feature on or off. The Partition SO may wish to turn this feature on immediately before a scheduled backup, and then turn it off again to prevent unauthorized backup. If disabled, secret keys cannot be backed up, and the Partition SO cannot change this. Partition backup or partition network replication is allowed for the SafeNet high availability feature. |
| 5 | Enable secret key wrapping | Allow secret key wrapping (Destructive: ON) | If enabled, secret keys can be wrapped off the partition. The Partition SO can turn this feature on or off. A Partition SO who does not want to allow secret key wrapping would turn off this policy. If disabled, the partition does not support secret key wrapping, and the Partition SO cannot change this. |
| 6 | Enable secret key unwrapping | Allow secret key unwrapping | If enabled, secret keys can be unwrapped onto the partition. The Partition SO can turn this feature on or off. If disabled, the partition does not support secret key unwrapping, and the Partition SO cannot change this. |
| 7 | Enable secret key masking | Allow secret key masking (Destructive: ON) | Always disabled. SIM has been deprecated on all current SafeNet PCIe HSMs. The Partition SO cannot change this policy. |
| 10 | Enable multipurpose keys | Allow multipurpose keys (Destructive: ON) | If enabled, keys for multiple purposes, such as signing and decrypting, may be created on the partition. The Partition SO can turn this feature on or off. If disabled, keys created on (or unwrapped onto) the partition must specify only a single function in the attribute template. |
| 11 | Enable changing key attributes | Allow changing key attributes (Destructive: ON) | If enabled, non-sensitive attributes of the keys on the partition are modifiable (the user can change the functions that the key can use). If disabled, keys created on the partition cannot be modified. This policy affects the following "key function attributes": CKA_ENCRYPT |
| 15 | Allow failed challenge responses | Ignore failed challenge responses (Destructive: ON) | This policy applies to PED-authenticated SafeNet PCIe HSMs only. The Partition SO can turn the feature on or off. If enabled, failed challenge secret login attempts on an activated partition are not counted towards a partition lockout; only failed PED key authentication attempts increment the counter. If disabled, failed login attempts using either a PED key or a challenge secret count towards a partition lockout. See About Activation and Auto-Activation and Failed Logins for more information. |
| 16 | Enable operation without RSA blinding | Operate without RSA blinding (Destructive: ON) | If enabled, the partition may run in a mode that does not use RSA blinding (a technique that introduces random elements into the signature process to prevent timing attacks on the RSA private key; use of this technique may be required by certain security policies, but it reduces performance). The Partition SO can turn this feature on or off. If disabled, the partition always runs in RSA blinding mode, and performance is affected. If the policy is on (set to 1), RSA blinding is not used. |
| 17 | Enable signing with non-local keys | Allow signing with non-local keys | If a key was generated on an HSM, CKA_LOCAL is set to 1. With this policy turned off, only keys with CKA_LOCAL=1 can be used to sign data on the HSM. Keys that are imported (unwrapped) to the HSM have CKA_LOCAL explicitly set to 0, so they may not be used for signing. Cloning and SIM maintain the value of CKA_LOCAL. With this policy turned on, keys that did not originate on the HSM (CKA_LOCAL=0) may be used for signing, and their trust history is not assured. |
| 18 | Enable raw RSA operations | Allow raw RSA operations (Destructive: ON) | If enabled, the partition may allow raw RSA operations (mechanism CKM_RSA_X_509). This allows weak signatures and weak encryption. The Partition SO can turn this feature on or off. If disabled, the partition does not support raw RSA operations. |
| 20 | Max failed user logins allowed | Max failed user logins allowed | Displays the maximum number of failed partition login attempts before the partition is locked out (see Failed Logins). The Partition SO can change the number of failed logins to a value lower than the maximum if desired. |
| 21 | Enable high availability recovery | Allow high availability recovery | If enabled, partitions in the same HA group may be used to restore the login state of this partition after a power outage or other deactivation. RecoveryLogin must be configured in advance (see role recoveryinit and role recoverylogin in the LunaCM Command Reference Guide for details). The Partition SO can turn this feature on or off. |
| 22 | Enable activation | Allow activation | Applies only to PED-authenticated HSMs. If enabled, the black and/or gray PED key secrets may be cached, so that the CO or CU only needs the challenge secret to log in. The Partition SO can turn this feature on or off. If disabled (or the policy is turned off), PED keys must be presented at each login, whether the call is local or from a client application. This policy setting is overridden and activation is disabled if a tamper event occurs, or if an uncleared tamper event is detected on reboot. See SafeNet HSM Tamper Detection, and About Activation and Auto-Activation for more information. |
| 23 | Enable auto-activation | Allow auto-activation | See Capability 22 above for a description of activation. If enabled, the black or gray PED key secrets may be encrypted and semi-permanently cached to hard disk, so that the partition's activation status can be maintained after a power loss of up to two hours. The Partition SO can turn this feature on or off. If disabled, this partition does not support auto-activation. This policy setting is overridden and auto-activation is disabled if a tamper event occurs, or if an uncleared tamper event is detected on reboot. See SafeNet HSM Tamper Detection, and About Activation and Auto-Activation for more information. |
| 25 | Minimum PIN length (inverted: 255 - min) | Minimum PIN length (inverted: 255 - min) | The absolute minimum length for a partition login PIN is 8 characters. This is displayed as a value subtracted from 256. The policy value is determined as follows: subtract the desired minimum PIN length from 256 (the absolute maximum length) and set policy 25 to that value, i.e. 256 - (min PIN) = (policy value). For example, to set the minimum PIN length to 10 characters, the Partition SO should set the value of this policy to 246 (256 - 10 = 246). The reason for this inversion is that a policy can only be set to a value equal to or lower than the value set by its capability. If the absolute minimum PIN length were stored directly as 8, the Partition SO would be able to set the preferred minimum to 2, a less-secure policy. The Partition SO may only change the minimum PIN length to increase security by forcing stronger passwords. |
| 26 | Maximum PIN length | Maximum PIN length | The absolute maximum length for a partition login PIN is 255 characters. The effective maximum may be changed by the Partition SO, and must always be greater than the value of the minimum PIN length, determined by the formula in the description of policy 25 (above). |
| 28 | Enable Key Management Functions | Allow Key Management Functions (Destructive: ON) | The Partition SO can disable access to any key management functions by the user: all users become Crypto Users (the restricted-capability user) even if logged in as Crypto Officer. |
| 29 | Enable RSA signing without confirmation | Perform RSA signing without confirmation (Destructive: ON) | The HSM can perform an internal verification (confirmation) of a signing operation to validate the signature. This confirmation is disabled by default because it has a performance impact on signature operations. |
| 30 | Enable Remote Authentication | Allow Remote Authentication | Deprecated policy. Remote Authentication is no longer supported; the feature is replaced by Remote PED. |
| 31 | Enable private key unmasking | Allow private key unmasking | Remove encryption with AES 256-bit key from private key. |
| 32 | Enable secret key unmasking | Allow secret key unmasking | Remove encryption with AES 256-bit key from secret key. |
| 33 | Enable RSA PKCS mechanism | Allow RSA PKCS mechanism (Destructive: ON) | |
| 34 | Enable CBC-PAD (un)wrap keys of any size | Allow CBC-PAD (un)wrap keys of any size (Destructive: ON) | |
| 35 | Enable private key SFF backup/restore | Allow private key SFF backup/restore | Not available in this release. |
| 36 | Enable secret key SFF backup/restore | Allow secret key SFF backup/restore | Not available in this release. |
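Two rules on this page are easy to get wrong when scripting policy changes: a partition policy can never be set to a value above its capability (so it cannot become less secure), and policy 25 stores the minimum PIN length inverted, as 256 - min per the description above, which is exactly what makes the first rule enforce "only stricter PINs". The following Python model is an added example; it is not SafeNet/Thales code and does not talk to LunaCM. The sample policy table, the `Policy` class, `check_change` and `apply_change` are constructed here, and treating any value change of a policy marked Destructive as deleting partition objects is a simplification of the page's note on destructive policies.

```python
"""Model of the partition-policy rules described on this page (added example).

Encodes two rules from the text:
  * a policy may only be set to a value equal to or lower than its capability;
  * policy 25 (minimum PIN length) is stored inverted: value = 256 - min PIN.
All table contents below are constructed sample data.
"""
from dataclasses import dataclass, replace

PIN_MIN_POLICY = 25
PIN_MAX_POLICY = 26
PIN_INVERSION_BASE = 256  # page: 256 - (min PIN) = (policy value)


@dataclass(frozen=True)
class Policy:
    number: int
    name: str
    capability: int        # upper bound fixed at the HSM/capability level
    value: int             # current partition policy value
    destructive: bool = False  # page lists the policy as "Destructive"


# Constructed sample: cloning allowed, private key wrapping always disabled,
# absolute minimum PIN 8 (stored as 256 - 8 = 248), maximum PIN 255.
SAMPLE = {
    0: Policy(0, "Allow private key cloning", capability=1, value=1, destructive=True),
    1: Policy(1, "Allow private key wrapping", capability=0, value=0, destructive=True),
    25: Policy(25, "Minimum PIN length (inverted)", capability=256 - 8, value=256 - 8),
    26: Policy(26, "Maximum PIN length", capability=255, value=255),
}


def min_pin_to_policy(min_pin: int) -> int:
    """Minimum PIN length -> value to pass to 'partition changepolicy -policy 25'."""
    return PIN_INVERSION_BASE - min_pin


def policy_to_min_pin(value: int) -> int:
    """Stored policy 25 value -> effective minimum PIN length."""
    return PIN_INVERSION_BASE - value


def check_change(table: dict, number: int, new_value: int) -> tuple[bool, str]:
    """Validate a proposed policy change against the page's rules.

    Returns (ok, reason). Because policy 25 is inverted, a *lower* stored
    value means a *longer* minimum PIN, so the capability bound only allows
    the Partition SO to make PIN requirements stricter, never weaker.
    """
    pol = table[number]
    if new_value > pol.capability:
        return False, (f"policy {number} value {new_value} exceeds its capability "
                       f"value {pol.capability} (would be less secure)")
    if number == PIN_MIN_POLICY:
        effective_min = policy_to_min_pin(new_value)
        if effective_min >= table[PIN_MAX_POLICY].value:
            return False, "minimum PIN length must stay below the maximum PIN length"
    if number == PIN_MAX_POLICY:
        if new_value <= policy_to_min_pin(table[PIN_MIN_POLICY].value):
            return False, "maximum PIN length must stay above the minimum PIN length"
    note = " (destructive: all objects on the partition are deleted)" if pol.destructive else ""
    return True, f"policy {number} -> {new_value}{note}"


def apply_change(table: dict, number: int, new_value: int) -> tuple[dict, bool]:
    """Apply a validated change; returns (new_table, objects_deleted).

    Simplification (assumption): any value change to a policy the page marks
    Destructive is treated as wiping the partition's cryptographic objects.
    """
    ok, reason = check_change(table, number, new_value)
    if not ok:
        raise ValueError(reason)
    pol = table[number]
    new_table = dict(table)
    new_table[number] = replace(pol, value=new_value)
    return new_table, pol.destructive and new_value != pol.value


if __name__ == "__main__":
    # Walk through the page's own example: minimum PIN 10 -> policy value 246.
    print("min PIN 10 ->", min_pin_to_policy(10))
    for num, val in [(25, 246), (25, 254), (1, 1), (0, 0), (26, 8)]:
        print(num, val, check_change(SAMPLE, num, val))
```

Run as a script it prints the checks for the page's own example (minimum PIN 10 stored as 246) and for the rejected cases: a stored value of 254 for policy 25 would mean a 2-character minimum and is refused because it exceeds the capability value 248, and policy 1 cannot be enabled because its capability is 0.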