Duplicating Existing PED Keys

You can perform this operation locally, remotely, or offline via the Admin menu.

The Luna PED automatically detects the active interface that it is plugged into, and defaults to the appropriate mode after the first command is sent to it. The Luna PED waits in either Remote PED-USB mode (if the PED is connected to a USB port) or in its Scanning state (if the PED is connected to an SCP port) until a command is received from the HSM.

If the PED is directly connected to the HSM via USB port, it enters Local PED-USB mode.

If the PED is remotely connected to the HSM via remote host, it enters Remote PED-USB mode.

If the PED is directly connected to the HSM via SCP port, it enters Local PED-SCP mode.

If you need to switch between these modes, press < to navigate to the main menu. Then, press 1 to enter Local PED-SCP mode or press 0 to enter Local PED-USB mode.

If you wish to perform this operation remotely, see Remote PED Setup and Configuration. If you wish to perform this operation offline, see Duplicating PED Keys without an HSM.

Duplicating PED Keys

When you have imprinted any PED key, having set its parameters, you are prompted:

Note:  The word “keyset” is used in case you chose to invoke MofN, splitting the HSM secret across several keys.

The first opportunity to make copies is at initialization time. Your answer ends the process for the current PED key secret. The Luna PED (and the associated HSM) does not know how many copies you have made, so you are given the option to duplicate every time you initialize an HSM or create a role or secret.

If you answer Yes:

This starts duplication of the PED key, so that all duplicates are interchangeable (for backups).

You can now use the original or any of the duplicates to access this HSM or Partition, and distribute the others to other personnel or to secure storage.

If you are duplicating a set of MofN keys, you must have access to all of the keys.

If you answer No:

You are indicating that no duplicates/backups are necessary.

If you eventually require duplicates/backups for your SO PED keys, you can create them when you initialize another HSM or when you perform an "hsm so-ped-key change" (saying No to the "reusing" question, and then saying Yes to the "duplicating" question at that time).

If you eventually require duplicates/backups for your Partition User/Crypto Officer PED keys, you can create them when you create another Partition (saying No to the "reusing" question, and then saying Yes to the "duplicating" question at that time).

The same possibility is presented whenever you imprint any of the other key types.

You can create duplicates of any PED key by means of Luna PED's Admin menu.

Duplicating PED Keys without an HSM

You can duplicate PED keys without being connected to an HSM.

On the Luna PED, press < to navigate to the main menu. Then, press 4 to enter Admin mode.

1. At the PED Key Mode menu you have options to Login (which you have just done, but the prompt is available in case you might wish to login to a different PED key), Logout, or Duplicate the PED key. Only the “Duplicate” option is meaningful for your iKey 1000 PED key. To duplicate the contents of the currently connected PED key to another PED key, press 7 on the PED keypad.

2. When prompted, insert a blank target PED key, or a non-blank one whose data is no longer needed. Press Enter.

3. If data already exists on the target PED key, you are warned and required to press Yes two times, to confirm that you really do wish to overwrite whatever is on the PED key that is currently connected to the PED. If the source PED key had an optional PED PIN assigned, then that PED PIN is automatically applied to the duplicate during this process.

4. Remove the newly imprinted PED key and press Enter. The PED goes back to PED key mode awaiting further commands. If you wish to duplicate another PED key, repeat the above steps. Otherwise, press < to go back to Admin mode, press < again to reach the main menu, and finally press 1 to resume Local mode, which is the normal operating mode of the PED, awaiting commands from the connected HSM.

5. Identify the new PED key with a tag or other marker, and record a PED PIN (if any) in secure fashion, according to your security policies.

The PED does not prompt you for a PED PIN. If the PED PIN flag was not set on the source key, then the new copy also has that flag unset. If the PED PIN flag was set on the original key, then that setting is automatically recorded on the duplicate. No HSM is involved in this transaction, so entering a PED PIN would have no effect. The correct PED PIN is still requested when you later use a duplicate to access the HSM.

Note:  Exception – The Remote PED functions as described earlier, when it is in Local or Admin mode. However, when it is placed in Remote mode, it is capable of setting up a secure connection, via a specially-configured computer workstation, to a remotely located HSM. The remote functionality is described separately in About Remote PED.

Compare Duplication via PED Admin menu versus Duplication when Initializing

During initialization you are prompted for a PED PIN, and you can make several "duplicate" keys that have different PED PINs but unlock the same HSM. Duplication via the PED Admin menu instead copies the raw key content, PED PIN flag included; this is called a "raw" duplication.

| | Requires HSM | Launched from command line | Prompt (option) to set PED PIN | "Copies" are identical | "Copies" unlock same HSM |
|---|---|---|---|---|---|
| "Duplicating" (creating new PED keys during initialization) | Yes | Yes | Yes | Only if no PED PIN or if same PED PIN is repeatedly entered | Yes, as long as you know the correct PED PIN for the key you have |
| Duplicating "raw" key content via PED menu | No (only a power connection needed) | No | No | Yes | Yes, PED PIN is the same for all raw duplicates |

Compare Duplication versus MofN

Duplicate PED keys are not the same as MofN-split PED keys. A duplicate of a key is a complete, self-contained copy of its secret, and either the original or the duplicate is fully sufficient to authenticate.

If you choose to split a secret when creating it, by selecting an “M value” and “N value” greater than one, then duplicating that secret means duplicating every one of the splits.