HSM Capabilities and Policies

The SafeNet Luna PCIe HSM's configuration is based on HSM capabilities. They are set at manufacture according to the model you selected at time of purchase. Capabilities can only be modified by purchase and application of capability updates.

A subset of HSM capabilities have corresponding HSM policies that allow you to customize the HSM configuration. Policies can be modified based on your specific needs. They can never be modified to be less secure than the corresponding capability.

To view the HSM capability and policy settings, use the LunaSH command hsm showpolicies. Include the -exporttemplate option to create a template based on the current HSM policy settings. See Policy Templates.

To modify HSM policies, log in as HSM SO and use the LunaSH command hsm changepolicy -policy <policy#> -value <0/1>. See "hsm changepolicy" in the LunaSH Command Reference Guide for command syntax.

To zeroize the HSM and reset the policies to their default values, use hsm factoryreset. See "hsm factoryreset" in the LunaSH Command Reference Guide for command syntax.

To zeroize the HSM and keep the current policy settings, use hsm zeroize. See "hsm zeroize" in the LunaSH Command Reference Guide for command syntax.

To view the HSM capability and policy settings, issue the LunaCM command hsm showpolicies on the Admin partition. Only policies that the HSM SO can change (the corresponding capability is not set to 0) are included in the output. Include the -exporttemplate option to create a template based on the current HSM policy settings. See Policy Templates.

To modify HSM policies, log in as HSM SO and use the LunaCM command hsm changehsmpolicy -policy <policy#> -value <0/1>. See hsm changehsmpolicy in the LunaCM Command Reference Guide for command syntax.

To zeroize the HSM and reset the policies to their default values, use hsm factoryreset. See hsm factoryreset in the LunaCM Command Reference Guide for command syntax.

To zeroize the HSM and keep the current policy settings, use hsm zeroize. See hsm zeroize in the LunaCM Command Reference Guide for command syntax.

Destructiveness

In some cases, changing an HSM policy zeroizes all application partitions or the entire HSM as a security measure. These policies are listed as destructive in the table below.

HSM Capability and Policy Descriptions

The table below summarizes the relationships and provides a brief description of the purpose and operation of each capability and policy.

Each entry lists the number (#), the HSM Capability, the corresponding HSM Policy (if any), and a Description.

0   Capability: Enable PIN-based authentication
    Policy: (none)
    If allowed, the HSM authenticates all users with keyboard-entered passwords.

1   Capability: Enable PED-based authentication
    Policy: (none)
    If allowed, the HSM authenticates users with secrets stored on physical PED keys, read by a SafeNet Luna PED. The Crypto Officer and Crypto User roles may also be configured with a secondary, keyboard-entered challenge secret.

2   Capability: Performance level
    Policy: (none)
    Numerical value indicates the performance level of this HSM, determined by the model you selected at time of purchase:
      4: Standard performance
      8: Enterprise performance
      15: Maximum performance

4   Capability: Enable domestic mechanisms & key sizes
    Policy: (none)
    Always allowed. All SafeNet Luna HSMs are capable of full-strength cryptography with no US export restrictions.

6   Capability: Enable masking
    Policy: (none)
    Always disallowed. SIM has been deprecated on all current SafeNet Luna PCIe HSMs.

7   Capability: Enable cloning
    Policy: Allow cloning
    If allowed, the HSM is capable of cloning cryptographic objects from one partition to another. This policy must be enabled to back up partitions over a network or create HA groups. Partition Security Officers may then enable/disable cloning on individual partitions.
    Destructive: OFF-to-ON

9   Capability: Enable full (non-backup) functionality
    Policy: (none)
    If allowed, the HSM is capable of full cryptographic functions.
    This capability is only disallowed on SafeNet Luna Backup HSMs.

12  Capability: Enable non-FIPS algorithms
    Policy: Allow non-FIPS algorithms
    If allowed, the HSM can use all available cryptographic algorithms.
    If disallowed, only algorithms sanctioned by the FIPS 140-2 standard are permitted. The following is displayed in the output from hsm showinfo in LunaCM:
      The HSM is in FIPS 140-2 approved operation mode.
    Destructive: OFF-to-ON

15  Capability: Enable SO reset of partition PIN
    Policy: SO can reset partition PIN
    If allowed, a Partition SO can reset the password or PED secret of a Crypto Officer who has been locked out after too many bad login attempts.
    If disallowed, the lockout is permanent and the partition contents are no longer accessible. The partition must be re-initialized, and key material restored from a backup device.
    See Failed Login Attempts for more information.
    Destructive: OFF-to-ON, ON-to-OFF

16  Capability: Enable network replication
    Policy: Allow network replication
    If allowed, cryptographic object cloning is permitted over a network. This is required for HA groups, and for partition backup to a remote or client-connected SafeNet Luna Backup HSM.
    If disallowed, cloning over a network is not permitted. Partition backup is possible to a locally-connected SafeNet Luna Backup HSM only. Setting this policy to 0 means that only the HSM SO can back up partitions.

17  Capability: Enable Korean Algorithms
    Policy: Allow Korean algorithms
    If allowed, the SafeNet Luna PCIe HSM can use the Korean algorithm set. This capability may be purchased as an upgrade. See Upgrading HSM Capabilities.

18  Capability: FIPS evaluated
    Policy: (none)
    Always disallowed - deprecated policy. All SafeNet Luna PCIe HSMs are capable of operating in FIPS Mode.

19  Capability: Manufacturing Token
    Policy: N/A (SafeNet internal use only)

21  Capability: Enable forcing user PIN change
    Policy: Force user PIN change after set/reset
    If allowed, when a Partition SO initializes the Crypto Officer role (or resets the password/PED secret), the CO must change the credential with role changepw before any other actions are permitted. The same is true when the CO initializes/resets the Crypto User role. This policy is intended to enforce the separation of roles on the partition.
    If disallowed, the CO/CU may continue to use the credential assigned by the Partition SO.

22  Capability: Enable offboard storage
    Policy: Allow off-board storage
    On previous HSMs, this policy allowed or disallowed the use of the portable SIM key. SIM is not supported on this version of SafeNet Luna HSM.
    Destructive: OFF-to-ON

23  Capability: Enable partition groups
    Policy: (none)
    Always disallowed - deprecated policy.

25  Capability: Enable Remote PED usage
    Policy: Allow Remote PED usage
    Always enabled on PED-authenticated SafeNet Luna PCIe HSMs. All PED-authenticated HSMs are capable of connecting to a local PED or a remotely-located PED server. The HSM SO may turn this feature on or off.

27  Capability: HSM non-volatile storage space
    Policy: (none)
    Displays the non-volatile maximum storage space (in bytes) on the HSM. This is determined by the model of SafeNet Luna PCIe HSM you selected at time of purchase.

30  Capability: Enable Unmasking
    Policy: Allow unmasking
    If allowed, cryptographic material can be migrated from legacy SafeNet appliances that used SIM.

33  Capability: Maximum number of partitions
    Policy: Current maximum number of partitions
    Displays the maximum number of application partitions that can be created on the HSM. This number is determined by the model of SafeNet Luna PCIe HSM you selected at time of purchase. On some models, the number of allowable partitions can be upgraded with a separate purchase.

35  Capability: Enable Single Domain
    Policy: (none)
    Not applicable to SafeNet Luna PCIe HSMs.

36  Capability: Enable Unified PED Key
    Policy: (none)
    Not applicable to SafeNet Luna PCIe HSMs.

37  Capability: Enable MofN
    Policy: Allow MofN
    If allowed on PED-authenticated SafeNet Luna PCIe HSMs, this policy enables you to require a quorum for role access, by splitting a PED secret among multiple PED keys (see M of N Split Secrets (Quorum)).
    If disallowed, users will no longer be asked to split a PED secret (M and N automatically set to 1).
    Always disallowed on password-authenticated HSMs.

38  Capability: Enable small form factor backup/restore
    Policy: (none)
    Not available in this release.

39  Capability: Enable Secure Trusted Channel
    Policy: Allow Secure Trusted Channel
    If allowed, this policy enables the use of Secure Trusted Channel for partition-client connections (see "Secure Trusted Channel (STC)").
    If disallowed, all partition-client connections must use NTLS.
    Secure Trusted Channel is a Network HSM feature, and has no function on SafeNet Luna PCIe HSM. Thales does not recommend turning this policy on at any time.

40  Capability: Enable decommission on tamper
    Policy: Decommission on tamper
    If allowed, the HSM will be decommissioned if a tamper event occurs. Decommissioning deletes all partitions and their contents, the audit role, and the audit configuration. The HSM policy settings are retained.
    See Tamper Events for more information.
    Destructive: ON-to-OFF

42  Capability: Enable partition re-initialize
    Policy: (none)
    Not available in this release.

43  Capability: Enable low level math acceleration
    Policy: Allow low-level math acceleration
    This is enabled by default, and must be enabled to provide maximum performance. Do not disable unless instructed to do so by Thales Technical Support.

46  Capability: Allow Disabling Decommission
    Policy: Disable Decommission
    If enabled, the decommission jumper header is disabled, preventing decommissioning of the HSM.
    CAUTION: Changing this policy will destroy partitions on the HSM, and they must be recreated. If HSM policy 40: Decommission on Tamper is enabled, you cannot enable this policy (fails with error: CKR_CONFIG_FAILS_DEPENDENCIES). However, attempting to enable it will still destroy HSM partitions.
    Destructive: OFF-to-ON, ON-to-OFF

47  Capability: Enable Tunnel Slot
    Policy: (none)
    Not available in this release.

48  Capability: Enable Controlled Tamper Recovery
    Policy: Do Controlled Tamper Recovery
    If allowed, the HSM SO must explicitly clear the tamper before the HSM can resume normal operations. This is the default behavior.
    If disallowed, the HSM must be restarted before it can resume normal operations.
    See Tamper Events for more information.

49  Capability: Enable Partition Utilization Metrics
    Policy: Allow Partition Utilization Metrics
    If allowed, the HSM SO and Administrator can view (or export to a named file) counters that record how many times specific cryptographic operations have been performed in application partitions since the last counter-reset event. This provides a picture of operational utilization that can be used to guide the [re-]allocation and balancing of partitions and applications, for better service to all users of your partitions.
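As an added illustration (not code from the Thales documentation), the following Python models the change rules stated on this page so an HSM SO can pre-check a policy change before issuing hsm changehsmpolicy: the capability gate, the destructive transitions from the table, and the policy 40/46 dependency. The function name and the capability/policy state dictionaries are constructed for the example.

```python
# Added example, not part of the Thales documentation. Policy numbers,
# destructive directions and the 40/46 dependency come from the table above;
# the sample HSM state below is constructed, not real hsm showpolicies output.

# Destructive transitions listed in the table, keyed by policy number.
DESTRUCTIVE = {
    7: {"OFF-to-ON"},
    12: {"OFF-to-ON"},
    15: {"OFF-to-ON", "ON-to-OFF"},
    22: {"OFF-to-ON"},
    40: {"ON-to-OFF"},
    46: {"OFF-to-ON", "ON-to-OFF"},
}

# Constructed sample state for a PCIe HSM: capability 17 (Korean algorithms)
# was not purchased, policy 40 (Decommission on tamper) is on.
SAMPLE_CAPABILITIES = {7: 1, 12: 1, 15: 1, 16: 1, 17: 0, 39: 1, 40: 1, 46: 1}
SAMPLE_POLICIES = {7: 1, 12: 0, 15: 1, 16: 1, 17: 0, 39: 0, 40: 1, 46: 0}


def check_policy_change(capabilities, policies, policy_id, new_value):
    """Findings for 'hsm changehsmpolicy -policy policy_id -value new_value'.

    'BLOCK' means the HSM would reject the change, 'WARN' means it succeeds
    but destroys partitions, an empty list means a clean, non-destructive change.
    """
    if new_value not in (0, 1):
        return ["BLOCK: -value must be 0 or 1"]
    cap = capabilities.get(policy_id)
    if cap is None:
        return [f"BLOCK: policy {policy_id} is not exposed by this HSM"]
    # A policy can never be less secure than its capability: with the
    # capability at 0 the policy cannot be turned on.
    if new_value > cap:
        return [f"BLOCK: capability {policy_id} is 0, policy cannot be set to 1"]
    old = policies.get(policy_id, 0)
    if old == new_value:
        return [f"INFO: policy {policy_id} is already {new_value}"]
    findings = []
    # Policy 46 cannot be enabled while policy 40 is on
    # (CKR_CONFIG_FAILS_DEPENDENCIES), yet the attempt still destroys partitions.
    if policy_id == 46 and new_value == 1 and policies.get(40) == 1:
        findings.append("BLOCK: CKR_CONFIG_FAILS_DEPENDENCIES (policy 40 is on); "
                        "the failed attempt still destroys partitions")
    direction = "OFF-to-ON" if new_value == 1 else "ON-to-OFF"
    if direction in DESTRUCTIVE.get(policy_id, set()):
        findings.append(f"WARN: {direction} on policy {policy_id} is destructive; "
                        "back up partitions before proceeding")
    return findings
```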