PED Keys and Operational Roles

Below are some suggested holders of PED Keys by role.

PED keys enforce division of operational roles and prevent unilateral action by key holders.

| Lifecycle [Note 1] | Operational Role | Function | Custodian |
|---|---|---|---|
| HSM Admin | Security Officer | Manages provisioning activities and global security policies for the HSM: HSM initialization, partition provisioning, global policy for the HSM and the partitions within it. | CSO, CIO |
| HSM Admin | Domain Cloning, Token Backup | Cryptographically defines the set of HSMs or partitions that can participate in cloning for the purposes of backup and high-availability. | Domain Administrator, WAN Administrator |
| HSM Admin | Secure Recovery | Restores an HSM after a Secure Transport or tamper event. | CSO |
| HSM Admin | Remote PED | Establishes a Remote PED connection. | System Administrator |
| Application Partition Admin | Security Officer | Manages provisioning activities and global security policies for the partition: partition initialization, role setting, policy setting. | |
| Daily Operation | Crypto Officer | This is the full user role associated with a partition. This role can perform both cryptographic services and key management functions on keys within the partition. | System Administrator |
| Daily Operation | Crypto User | This is a restricted user role on a partition. This role can perform cryptographic services using keys already existing within the partition, only. (See Note 2, below.) | System Administrator |
| Ongoing Auditing | Audit User | An independent role responsible for audit log management. This role has no access to other HSM services. | Auditor |

[Note 1: This table implies a single PED Key for each HSM role or functional secret. For any role or PED Key secret, you can elect to invoke the MofN split-knowledge shared secret option, to spread the responsibility for that role or function over multiple persons. That is, you can require that a predetermined number of responsible persons, greater than one, must be present to unlock/access the particular HSM role or function. Choose MofN for a role or function when it is important that no single person has unsupervised access. See About MofN and Using MofN.]

[Note 2: Functionally, the Crypto User (gray) PED Key is just another "black PED Key". The PED does not distinguish gray from black. The gray label is provided only for your convenience, so that CO and CU PED Keys are easy to visually identify and manage.

It is useful to have two separate PED Keys (one for each of CO and CU) for separation of those administrative roles, in which case two different color labels are helpful for physical identification and handling. But if that administrative separation is not important in your setting, you can use just a single black key that authenticates to both roles, and still have two separate challenge secrets to give to applications:
- one for applications that need read-write crypto access to your partition, and
- one for applications that are allowed only read-use access. ]