Changing a PED Key Secret
It may be necessary to change the PED secret associated with a role. Reasons for changing credentials include:
>Regular credential rotation as part of your organization's security policy
>Compromise of a role due to loss or theft of a PED key
>Personnel changes in your organization or changes to individual security clearances
>Changes to your security scheme (implementing/revoking M of N, PED PINs, or shared secrets)
The procedure for changing a PED key credential depends on the type of key. Procedures for each type are provided below.
CAUTION! If you are changing a PED credential that is shared among multiple HSMs/partitions/roles, always keep at least one copy of the old keyset until the affected HSMs/partitions/roles are all changed to the new credential. When changing PED credentials, you must always present the old keyset first; do not overwrite your old PED keys until you have no further need for them.
Blue HSM SO Key
The HSM SO can use this procedure to change the HSM SO credential.
To change the blue HSM SO PED key credential:
1.In LunaSH, log in as HSM SO.
lunash:>hsm login
2.Use the following command to initiate the PED key change:
lunash:>hsm changepw
3.You are prompted to present the original blue key(s) and then to create a new HSM SO keyset. See Creating PED Keys.
Red HSM Domain Key
It is not possible to change an HSM's cloning domain without factory-resetting the HSM and setting the new cloning domain as part of the standard initialization procedure.
CAUTION! If you set a different cloning domain for the HSM, you cannot restore the
Orange Remote PED Key
The HSM SO can use this procedure to change the Remote PED Vector (RPV) for the HSM.
To change the RPV/orange key credential:
1.In LunaSH, log in as HSM SO.
lunash:>hsm login
2.Initialize the RPV.
lunash:>hsm ped vector init
You are prompted to create a new Remote PED key.
3.Distribute a copy of the new orange key to the administrator of each Remote PED server.
Blue Partition SO Key
The Partition SO can use this procedure to change the Partition SO credential.
To change a blue Partition SO PED key credential:
1.In LunaCM, log in as Partition SO.
lunacm:>role login -name po
2.Use the following command to initiate the PED key change:
lunacm:>role changepw -name po
3.You are prompted to present the original blue key(s) and then to create a new Partition SO keyset.
Red Partition Domain Key
It is not possible to change a partition's cloning domain. A new partition must be created and initialized with the desired domain. The new partition will not have access to any of the original partition's backups. It cannot be made a member of the same HA group as the original.
Black Crypto Officer Key
The Crypto Officer can use this procedure to change the Crypto Officer credential.
To change a black Crypto Officer PED key credential:
1.In LunaCM, log in as Crypto Officer.
lunacm:>role login -name co
2.Use the following command to initiate the PED key change:
lunacm:>role changepw -name co
3.You are prompted to present the original black key(s) and then to create a new Crypto Officer keyset.
Gray Crypto User Key
The Crypto User can use this procedure to change the Crypto User credential.
To change a gray Crypto User PED key credential:
1.In LunaCM, log in as Crypto User.
lunacm:>role login -name cu
2.Use the following command to initiate the PED key change:
lunacm:>role changepw -name cu
3.You are prompted to present the original gray key(s) and then to create a new Crypto User keyset.
White Audit User Key
The Audit User can use this procedure to change the Audit User credential.
To change the white Audit User PED key credential:
1.Log into LunaSH as audit.
2.Log in as the Audit User.
lunash:>audit login
3.Use the following command to initiate the PED key change:
lunash:>audit changepwd
4.You are prompted to present the original white key(s) and then to create a new Audit User keyset.