Set Partition Policies
At this point, you should have initialized the partition and created the Crypto Officer role. All administration of an initialized partition is carried out by the Partition SO, via LunaCM, from a registered client computer. Before deploying the partitions, review and set the policies constraining the use of the partition by clients, as described in the following sections:
>Displaying the Current Partition Policy Settings
>Changing the Partition Policy Settings
Displaying the Current Partition Policy Settings
First, display the policies (default) of the application partition. You can run the partition showpolicies command without logging in. The Partition SO must be logged in to change partition policy settings.
To display the current partition policy settings:
1.Open a LunaCM session.
2.Enter the following command to display current partition capability and policy settings. Capabilities are factory settings. Policies are the means of modifying the adjustable capabilities:
lunacm:>partition showpolicies [-slot <slotnum>]
lunacm:> partition showpolicies
Partition Capabilities
0: Enable private key cloning : 1
1: Enable private key wrapping : 1
2: Enable private key unwrapping : 1
3: Enable private key masking : 0
4: Enable secret key cloning : 1
5: Enable secret key wrapping : 1
6: Enable secret key unwrapping : 1
7: Enable secret key masking : 0
10: Enable multipurpose keys : 1
11: Enable changing key attributes : 1
15: Allow failed challenge responses : 1
16: Enable operation without RSA blinding : 1
17: Enable signing with non-local keys : 1
18: Enable raw RSA operations : 1
20: Max failed user logins allowed : 10
21: Enable high availability recovery : 1
22: Enable activation : 0
23: Enable auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Enable Key Management Functions : 1
29: Enable RSA signing without confirmation : 1
31: Enable private key unmasking : 1
32: Enable secret key unmasking : 1
33: Enable RSA PKCS mechanism : 1
34: Enable CBC-PAD (un)wrap keys of any size : 1
37: Enable Secure Trusted Channel : 1
39: Enable Start/End Date Attributes : 1
Partition Policies
0: Allow private key cloning : 1
1: Allow private key wrapping : 0
2: Allow private key unwrapping : 1
3: Allow private key masking : 0
4: Allow secret key cloning : 1
5: Allow secret key wrapping : 1
6: Allow secret key unwrapping : 1
10: Allow multipurpose keys : 1
11: Allow changing key attributes : 1
15: Ignore failed challenge responses : 1
16: Operate without RSA blinding : 1
17: Allow signing with non-local keys : 1
18: Allow raw RSA operations : 1
20: Max failed user logins allowed : 10
21: Allow high availability recovery : 1
22: Allow activation : 0
23: Allow auto-activation : 0
25: Minimum pin length (inverted: 255 - min) : 248
26: Maximum pin length : 255
28: Allow Key Management Functions : 1
29: Perform RSA signing without confirmation : 1
31: Allow private key unmasking : 1
32: Allow secret key unmasking : 1
33: Allow RSA PKCS mechanism : 1
34: Allow CBC-PAD (un)wrap keys of any size : 1
37: Force Secure Trusted Channel : 0
39: Allow Start/End Date Attributes : 0
Command Result : No Error
Changing the Partition Policy Settings
Having viewed the Policy settings, you can now modify a Partition Policy for a given partition.
To change a partition policy:
1.Open a LunaCM session, select the partition slot, and login as Partition SO.
lunacm:>slot set slot <slotnum>
lunacm:>role login -name po
2.Enter the following command to change a Partition Policy:
lunacm>partition changepolicy -policy <policy_ID> -value <policy_value>
RSA Blinding Mode
Blinding is a technique that introduces random elements into the signature process to prevent timing attacks on the RSA private key. Use of this technique may be required by certain security policies, but it does reduce performance.
The Partition Security Officer can turn this feature on or off.
If RSA blinding is enabled in Capabilities and allowed in Policies, the partition will always run in RSA blinding mode; performance will be lower than SafeNet published performance figures. This is because the deliberate introduction of random elements causes the average signature to take longer to complete.
For maximum performance, you can switch RSA blinding mode off, at the cost of additional risk of timing attacks on your keys. It is your decision whether your network and other security measures are sufficiently rigorous that blinding is not needed.
SafeNet Luna HSMs are normally shipped with the Capability set to allow switching blinding on or off, and with the Policy set to not use blinding, by default.