PED Key Management Overview

This section applies only to SafeNet HSMs with PED (Trusted Path) Authentication.

As indicated elsewhere, the capability to imprint “group-User” PED Keys and “duplicate-User” PED Keys permits considerable flexibility in the use, archiving and general management of PED Keys. For any role on the HSM, options like "group"/reuse, MofN, or the use of PED PINs (the second factor of two-factor authentication) are imposed, or not, at the time the role is created.

The following pages address the ongoing management of PED Keys (which would normally include at least one "working" or "production" set, and at least one backup set, possibly stored off-site).

"Possible" Does Not Mean "Necessary"

When you initialize an HSM or create a Partition, SafeNet PED prompts you for various PED Keys and actions. Some are mandatory, some are advisable, and some are optional, depending upon your situation and requirements. Here is a quick summary:

Imprint a Blue PED Key

When an HSM is initialized, it sets up a blue Security Officer (SO) or HSM Administrator authentication PED Key (two names for the same function, depending upon the industry you are in). This is the key that you will need in future to access that HSM. This can be done in one of two ways:

the HSM can generate new, unique, random authentication data and imprint it onto a blue PED Key -- the resulting blue PED Key will now unlock that HSM, but no other
(you do this when you answer "NO" to the "Reuse an existing keyset" question from SafeNet PED, which is roughly equivalent to the "Group PED Key" question on the old PED 1.x)

OR

the HSM can read the authentication data from a blue PED Key that was already imprinted by another HSM, and accept that data as its own -- the blue PED Key can now unlock two (or more) different SafeNet HSMs
(you do this when you answer "YES" to the "Reuse an existing keyset" question from SafeNet PED)

During initialization of an HSM, the HSM determines which blue PED Key will "unlock" the HSM in future. The HSM can create new, random authentication data and imprint that data onto a blue PED Key, or the HSM can scan an existing (previously imprinted) blue PED Key from another HSM and set the data from that older blue key as the new HSM's own "unlocking" data.

For your very first HSM, you must initialize a blue PED Key for the HSM Admin.

If this HSM is not the first, and you are creating a group of HSMs that are related in some way, then you can initialize a new blue PED Key for it, or you can reuse the authentication data on another blue PED Key (by deciding it will be a Group PED Key). The choice is yours. The HSM requires an imprinted blue PED Key when you access it, but you decide (at HSM initialization) whether that blue PED Key should be unique to this particular HSM, or shared among two or more HSMs.

Whenever you perform an initialization, the SafeNet PED also gives you the option to make duplicates of your important PED Keys. If you already have enough (at least one primary and at least one backup), then you can just answer "NO" to the "Are you duplicating this key" prompt. If you need more of the current type of PED Key (in this case, the blue HSM Admin PED Key), then say "YES" and continue supplying additional blank keys until you have enough duplicates.

Note:  If you are new to using PED keys and your security policy allows it, you should make a duplicate copy of the blue Security Officer and red cloning domain PED Keys as backups. See General Advice on PED Key Handling for more information.

Note:  The person or persons charged with ownership of the HSM are responsible for safeguarding the authentication secrets and ensuring that no unrecorded duplicates are made. Similarly, for application partitions with their own SO, the SO of each partition is responsible for securing the authentication secrets and copies.
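
The following is an added example, not part of the SafeNet documentation or tooling: a small audit of a blue PED Key custody register that checks each HSM for a recorded working key and backup key, and shows which HSMs share a keyset because "Reuse an existing keyset" was answered "YES". The HSM serials, key labels, keyset ids and field names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample register (hypothetical serials, labels and keyset ids).
# "keyset" is only a custody label for one set of imprinted authentication
# data; the secret itself stays on the PED Key and is never recorded here.
HSMS = {"HSM-A": "blue-1", "HSM-B": "blue-1", "HSM-C": "blue-2"}
BLUE_KEYS = [
    {"label": "B-01", "keyset": "blue-1", "use": "working"},
    {"label": "B-02", "keyset": "blue-1", "use": "backup"},
    {"label": "B-03", "keyset": "blue-2", "use": "working"},
]


def audit_blue_keys(hsms, keys):
    """Return per-HSM findings about blue PED Key coverage and sharing."""
    keys_by_set = defaultdict(list)
    for key in keys:
        keys_by_set[key["keyset"]].append(key)
    hsms_by_set = defaultdict(list)
    for serial, keyset in hsms.items():
        hsms_by_set[keyset].append(serial)

    report = {}
    for serial, keyset in sorted(hsms.items()):
        held = keys_by_set.get(keyset, [])
        uses = {k["use"] for k in held}
        findings = []
        if "working" not in uses:
            findings.append("no working key recorded")
        if "backup" not in uses:
            findings.append("no backup key recorded")
        report[serial] = {
            "keys": sorted(k["label"] for k in held),
            # Other HSMs that accepted the same keyset at initialization.
            "shared_with": sorted(s for s in hsms_by_set[keyset] if s != serial),
            "findings": findings,
        }
    return report


def exposure(hsms, keys, label):
    """HSMs whose blue-key authentication data a given physical key carries."""
    keyset = next(k["keyset"] for k in keys if k["label"] == label)
    return sorted(s for s, ks in hsms.items() if ks == keyset)


if __name__ == "__main__":
    for serial, row in audit_blue_keys(HSMS, BLUE_KEYS).items():
        print(serial, row)
    print("B-01 carries authentication for:", exposure(HSMS, BLUE_KEYS, "B-01"))
```

Running `exposure` for a lost or retired key label gives the list of HSMs to review, and any duplicate made at the "Are you duplicating this key" prompt belongs in the register as its own entry.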