Home >

Administration Guide > HSM Partitions > HSM Partitions

HSM Partitions

HSM Partitions are independent logical HSMs that reside within the SafeNet HSM inside, or attached to, your host computer or appliance. Each HSM Partition has its own data, access controls, security policies, and separate administration access for at least some roles, independent from other HSM partitions (if your HSM supports more than one). Depending on the product, the HSM can contain multiple HSM partitions, and each partition can be associated with one or more Clients. Each HSM Partition has a special administrative account or role, who manages it.

HSMs with firmware older than version 6.22.0 had three types of partitions:

the HSM administrative partition, administered by the HSM SO

the Auditor partition, accessible and administered by the HSM Auditor role, only

application partition(s) administered at a high level by the HSM SO, but administered and operated at an operational level by the User or Crypto Officer role

HSMs with firmware 6.22.0 or newer can have three types of partitions:

the HSM administrative partition, administered by the HSM SO (see Note below)

legacy-style application partition(s) administered at a high level by the HSM SO, but administered and operated at an operational level by the User or Crypto Officer role (with optional Crypto User)  

or

PPSO application partitions (requires that the PPSO capability is installed) that are created by the HSM SO, but are thereafter owned by their own local SOs, and administered and operated at an operational level by the Crypto Officer role (with optional Crypto User) - installing the PPSO capability is destructive, and requires that you re-create partitions, if you already had any.

Note:  For HSMs with firmware 6.22.0 or newer, the Auditor role does not have an independent partition, but controls an area within the HSM administrative partition. The role and its objects are not seen or touched by the HSM SO.

Operationally, there is no difference from previous releases. The only caveat is that if you update an older HSM to firmware 6.22.0 or newer, the old Audit logging stops and you must initialize the Audit user again, and configure audit logging. It is perfectly acceptable to re-use the Auditor credentials (white PED Key).

HSM Partitions can be thought of as 'safe deposit boxes' that reside within the K6 Cryptographic Engine's 'vault'. The vault itself offers an extremely high level of security for all the contents inside; additionally, each safe deposit box also has it's own security and access controls; while the bank managers might have access to the vault, they still cannot open the individual safe deposit boxes, because only the owner of the safe deposit box holds the key that opens it.

A legacy application partition was/is owned by the HSM SO, who assigns a User or Crypto Officer to handle day-to-day management of partition contents, creation, use, and destruction of keys and objects, and so on. PPSO application partitions (where HSM firmware is version 6.22.0 or newer, and the PPSO capability is applied) have their own partition SO, distinct from the HSM SO. The HSM SO initializes the HSM, sets HSM-wide policies, creates an empty application partition, and hands off complete control to whomever is to become the partition SO. Thereafter, the HSM has no oversight and can do nothing with the partition except to delete it, if that is ever required. The Partition SO then initializes the partition creating a Crypto Officer

Note:  If you are both
 - upgrading from an earlier firmware version to HSM firmware 6.22.0 (or newer)
AND
 - applying the Per-Partition SO (PPSO) capability update,
be aware that the PPSO capability update is destructive. Therefore, there is no need to re-size partitions.

Instead, to avoid unnecessary duplication of effort, you should
 - safeguard (archive) any existing partition contents,
 - then zeroize the HSM for a clean update,
 - then perform both the firmware AND capability updates,
 - and finally restore to new partitions.