Keys In Hardware vs. Private Key Export

By default, the SafeNet Luna PCIe HSM stores all keys in hardware, allowing private keys to be copied only to another SafeNet Luna HSM (cloning). Cloning allows you to move or copy key material from the HSM to a backup HSM or to another HSM in the same HA group. You might, however, want to export private keys to an encrypted file for off-board storage or use. Individual partitions can be configured in one of three modes for handling private keys.

The Partition SO can set the mode by changing the following policies (see Partition Capabilities and Policies for more information):

>Partition policy 0: Allow private key cloning (default: 1)

>Partition policy 1: Allow private key wrapping (default: 0)

NOTE   These partition policies can never be set to 1 (ON) at the same time. An error will result (CKR_CONFIG_FAILS_DEPENDENCIES).

The policies can be set at the time of initialization, using a policy template (see Policy Templates) or by following the procedures described below:

>Cloning Mode

>Key Export Mode

>No Backup Mode

NOTE   Partition configurations are listed in LunaCM as "Key Export With Cloning Mode". This indicates that the partition is capable of being configured for either Key Export or Cloning, with the mode of operation defined by the policies listed above. You can never configure a partition to allow both export and cloning of private keys at once.

Cloning Mode

A partition in Cloning mode has the following capabilities and restrictions:

>All keys/objects can be cloned to another partition or SafeNet Luna Backup HSM in the same cloning domain.

>All keys/objects are replicated within the partition's HA group.

>Private keys cannot be wrapped off the HSM (cannot be exported to a file encrypted with a wrapping key).

In this mode, private keys are never allowed to exist outside of a trusted SafeNet Luna HSM in the designated cloning domain. Cloning mode is the default setting for new partitions.

Setting Cloning Mode on a Partition

Cloning mode is the default setting on new partitions. If another mode was set previously, the Partition SO can use the following procedure to set Cloning mode. Use partition showpolicies to see the current policy settings.

CAUTION!   Partition policy 0: Allow private key cloning is Off-to-On destructive by default. Back up any important cryptographic material on the partition before continuing. This destructiveness setting can be customized by initializing the partition with a policy template (see Editing a Policy Template).

To manually set Cloning mode on a partition:

1. Log in to the partition as Partition SO.

lunacm:>slot set slot <slotnum>

lunacm:>role login -name po

2. Set partition policy 1: Allow private key wrapping to 0 (OFF).

lunacm:>partition changepolicy -policy 1 -value 0

3. Set partition policy 0: Allow private key cloning to 1 (ON).

lunacm:>partition changepolicy -policy 0 -value 1

To initialize a partition in Cloning mode using a policy template:

Use a standard text editor to include the following lines in the policy template file (see Editing a Policy Template):

0:"Allow private key cloning":1:1:0
1:"Allow private key wrapping":0:1:0

Key Export Mode

A partition in Key Export mode has the following capabilities and restrictions:

>Private keys cannot be cloned to other partitions nor to a SafeNet Luna Backup HSM.

>The partition cannot be part of an HA group (private keys will not be replicated).

>All keys/objects, including private keys, can be wrapped off the HSM (can be exported to a file encrypted with a wrapping key).

This mode is useful when generating key pairs for identity issuance, where transient key pairs are generated, wrapped off, and embedded on a device. Such keys are never used on the HSM; they are generated and issued securely, and then deleted from the HSM.

Setting Key Export Mode on a Partition

The Partition SO can use the following procedure to set Key Export mode. Use partition showpolicies to see the current policy settings.

CAUTION!   Partition policy 1: Allow private key wrapping is always Off-to-On destructive. Back up any important cryptographic material on the partition before continuing. This destructiveness setting cannot be changed with a policy template (see Guidelines and Restrictions).

To manually set Key Export mode on a partition:

1. Launch LunaCM and log in to the partition as Partition SO.

lunacm:>slot set slot <slotnum>

lunacm:>role login -name po

2. Set partition policy 0: Allow private key cloning to 0 (OFF).

lunacm:>partition changepolicy -policy 0 -value 0

3. Set partition policy 1: Allow private key wrapping to 1 (ON).

lunacm:>partition changepolicy -policy 1 -value 1

To initialize a partition in Key Export mode using a policy template:

Use a standard text editor to include the following lines in the policy template file (see Editing a Policy Template):

0:"Allow private key cloning":0:1:0
1:"Allow private key wrapping":1:1:0

No Backup Mode

A partition in No Backup mode has the following restrictions:

>Private keys cannot be cloned to other partitions or to a SafeNet Luna Backup HSM. All other objects can still be cloned.

>Private keys cannot be wrapped off the HSM (exported to a file encrypted with a wrapping key). All other objects can still be wrapped off.

Without backup capability, private keys can never leave the HSM. This mode is useful when keys are intended to have short lifespans and are easily replaced.

Setting No Backup Mode on a Partition

The Partition SO can use the following procedure to set No Backup mode. Use partition showpolicies to see the current policy settings.

To manually set No Backup mode on a partition:

1. Launch LunaCM and log in to the partition as Partition SO.

lunacm:>slot set slot <slotnum>

lunacm:>role login -name po

2. If partition policy 0: Allow private key cloning is set to 1 (ON), set it to 0 (OFF).

lunacm:>partition changepolicy -policy 0 -value 0

3. If partition policy 1: Allow private key wrapping is set to 1 (ON), set it to 0 (OFF).

lunacm:>partition changepolicy -policy 1 -value 0

To initialize a partition in No Backup mode using a policy template:

Use a standard text editor to include the following lines in the policy template file (see Editing a Policy Template):

0:"Allow private key cloning":0:1:0
1:"Allow private key wrapping":0:1:0
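The following is an added example, not Thales/SafeNet code, that ties the three procedures above together: it reads the two policy lines from a template file in the layout shown on this page, classifies the partition mode (or flags the CKR_CONFIG_FAILS_DEPENDENCIES case where both policies are ON), and emits the partition changepolicy commands in the order the procedures use, switching a policy OFF before switching the other ON. It assumes only the policy number and value fields of each template line; the trailing fields are carried but not interpreted.

```python
# Added example (not Thales/SafeNet code). Assumes the policy template line
# layout shown on this page, <num>:"<description>":<value>:<field>:<field>;
# only the first three fields are interpreted, the trailing ones are opaque.
import re

_LINE = re.compile(r'^(\d+):"([^"]*)":(\d+)((?::\d+)*)$')
CLONING, WRAPPING = 0, 1              # partition policy numbers from this page
DEFAULTS = {CLONING: 1, WRAPPING: 0}  # page defaults: cloning ON, wrapping OFF
MODES = {(1, 0): "Cloning", (0, 1): "Key Export", (0, 0): "No Backup"}


def parse_template(text):
    """Return {policy number: value} for every line of a policy template."""
    policies = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE.match(line.strip())
        if not m:
            raise ValueError(f"malformed template line: {line!r}")
        policies[int(m.group(1))] = int(m.group(3))
    return policies


def partition_mode(policies):
    """Classify the private-key handling mode, or name the error the HSM
    returns when policies 0 and 1 are both ON (they are mutually exclusive)."""
    key = tuple(policies.get(p, DEFAULTS[p]) for p in (CLONING, WRAPPING))
    if key == (1, 1):
        return "CKR_CONFIG_FAILS_DEPENDENCIES"
    return MODES[key]


def changepolicy_sequence(current, target_mode):
    """lunacm 'partition changepolicy' commands that move a partition from
    its current policy values to target_mode. A policy is always switched
    OFF before the other is switched ON, the order the procedures on this
    page use, so the two policies are never ON at the same time."""
    values = {v: k for k, v in MODES.items()}[target_mode]  # (cloning, wrapping)
    wanted = dict(zip((CLONING, WRAPPING), values))
    cmds = []
    for value in (0, 1):                      # all OFF changes, then ON changes
        for pol in (CLONING, WRAPPING):
            if wanted[pol] == value != current.get(pol, DEFAULTS[pol]):
                cmds.append(f"partition changepolicy -policy {pol} -value {value}")
    return cmds
```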