Partition Capabilities and Policies

Partitions inherit the capabilities and policy settings of the HSM. Partitions also have policies that can be set to customize the partition functions. Partition policies can never be modified to be less secure than the corresponding HSM capability/policy. For example, if the HSM's cloning policy is disallowed (see HSM policy 7), partition policies 0 and 4, which allow cloning of private or secret keys, cannot be set.

NOTE: If you are running more than one LunaCM session against the same partition, and change a partition policy in one LunaCM session, the policy change will be reflected in that session only. You must exit and restart the other LunaCM sessions to display the changed policy settings.

To view the partition capabilities and policy settings, use the LunaCM command partition showpolicies. Only policies that the Partition SO can change (the corresponding capability is not set to 0) are included in the output. Include the -exporttemplate option to create a template based on the current partition policy settings. See Policy Templates.

To modify partition policies, login as Partition SO and use the LunaCM command partition changepolicy -policy <policy#> -value <0/1/value>. See partition changepolicy in the LunaCM Command Reference Guide for command syntax.

Destructiveness

In some cases, changing a partition policy forces deletion of all cryptographic objects on the partition as a security measure. These policies are listed as destructive in the table below. Destructive policies are typically those that change the security level of the objects stored in the partition.

Use the LunaCM command partition showpolicies -verbose to check whether the policy you want to enable/disable is destructive.

Partition Capabilities and Policies List

The table below summarizes the relationships and provides a brief description of the purpose and operation of each capability and policy.

Each entry below gives, in order: the policy number (#), the Partition Capability, the Partition Policy, and the Description (including the default value and, where applicable, the destructive direction of change).

0

Enable private key cloning

Allow private key cloning

If enabled, the partition is capable of cloning private keys to another partition. This policy must be enabled to backup partitions or create HA groups. Public keys/objects can always be cloned.

Partition policies 0 and 1 may not be set to 1 (ON) at the same time.

Default: ON

Destructive: OFF-to-ON

1

Enable private key wrapping

Allow private key wrapping

If enabled, private keys may be wrapped and saved to an encrypted file off the partition. Public keys/objects can always be wrapped and exported.

Partition policies 0 and 1 may not be set to 1 (ON) at the same time.

Default: OFF

Destructive: OFF-to-ON

2

Enable private key unwrapping

Allow private key unwrapping

If enabled, private keys may be unwrapped onto the partition. The Partition SO can turn this feature on or off.

If disabled, private key unwrapping is not available, and the Partition SO cannot change this.

Default: ON

3

Enable private key masking

Allow private key masking

Always disabled. SIM has been deprecated on all current SafeNet Luna PCIe HSMs. The Partition SO cannot change this policy.

Default: always OFF

4

Enable secret key cloning

Allow secret key cloning

If enabled, secret keys on the partition can be backed up. The Partition SO can turn this feature on or off.

If disabled, secret keys cannot be backed up, and the Partition SO cannot change this. Partition backup or partition network replication is allowed for the SafeNet high availability feature.

Default: ON

Destructive: OFF-to-ON

5

Enable secret key wrapping

Allow secret key wrapping

If enabled, secret keys can be wrapped off the partition. The Partition SO can turn this feature on or off; turning the policy off disallows secret key wrapping.

If disabled, the partition does not support secret key wrapping, and the Partition SO cannot change this.

Default: ON

Destructive: OFF-to-ON

6

Enable secret key unwrapping

Allow secret key unwrapping

If enabled, secret keys can be unwrapped onto the partition. The Partition SO can turn this feature on or off.

If disabled, the partition does not support secret key unwrapping, and the Partition SO cannot change this.

Default: ON

7

Enable secret key masking

Allow secret key masking

Always disabled. SIM has been deprecated on all current SafeNet Luna PCIe HSMs. The Partition SO cannot change this policy.

Default: always OFF

10

Enable multipurpose keys

Allow multipurpose keys

If enabled, keys that are created or unwrapped on the partition may have more than one of the following attributes set to 1, and therefore can be used for multiple operations:

- Encrypt/Decrypt
- Sign/Verify
- Wrap/Unwrap
- Derive

If disabled, keys on the partition may have only one of these attributes set to 1. Thales recommends that you create keys with only the attributes required for their intended purpose. Disabling this policy enforces this rule on the partition. This policy does not affect Diffie-Hellman keys, which are always created with only Derive set to 1.

Default: ON

Destructive: OFF-to-ON

11

Enable changing key attributes

Allow changing key attributes

If enabled, non-sensitive attributes of the keys on the partition are modifiable (the user can change the functions that the key can use).

If disabled, keys created on the partition cannot be modified.

This policy affects the following "key function attributes":

CKA_ENCRYPT
CKA_DECRYPT
CKA_WRAP
CKA_UNWRAP
CKA_SIGN
CKA_SIGN_RECOVER
CKA_VERIFY
CKA_VERIFY_RECOVER
CKA_DERIVE
CKA_EXTRACTABLE

Default: ON

Destructive: OFF-to-ON

15

Allow failed challenge responses

Ignore failed challenge responses

This policy applies to PED-authenticated SafeNet Luna HSMs only. The Partition SO can turn the feature on or off.

If enabled, failed challenge secret login attempts on an activated partition are not counted towards a partition lockout. Only failed PED key authentication attempts will increment the counter.

If disabled, failed login attempts using either a PED key or a challenge secret will count towards a partition lockout.

See Activation and Auto-Activation on PED-Authenticated Partitions and Failed Login Attempts for more information.

Default: ON

Destructive: OFF-to-ON

16

Enable operation without RSA blinding

Operate without RSA blinding

If enabled, the partition may run in a mode that does not use RSA blinding. (RSA blinding is a technique that introduces random elements into the signature process to prevent timing attacks on the RSA private key. Its use may be required by certain security policies, but it does reduce performance.) The Partition SO can turn this feature on or off.

If disabled, the partition will always run in RSA blinding mode; performance will be affected.

If the policy is set to 1 (ON), RSA blinding is not used.

Default: ON

Destructive: OFF-to-ON

17

Enable signing with non-local keys

Allow signing with non-local keys

If a key was generated on an HSM, CKA_LOCAL is set to 1. With this policy turned off, only keys with CKA_LOCAL=1 can be used to sign data on the HSM.

Keys that are imported (unwrapped) to the HSM have CKA_LOCAL explicitly set to 0, so they may not be used for signing. Cloning and SIM maintain the value of CKA_LOCAL.

With this policy turned on, keys that did not originate on the HSM (CKA_LOCAL=0) may be used for signing, and their trust history is not assured.

Default: ON

18

Enable raw RSA operations

Allow raw RSA operations

If enabled, the partition may allow raw RSA operations (mechanism CKM_RSA_X_509). This allows weak signatures and weak encryption. The Partition SO can turn this feature on or off.

If disabled, the partition will not support raw RSA operations.

Default: ON

Destructive: OFF-to-ON

20

Max failed user logins allowed

Max failed user logins allowed

Displays the maximum number of failed partition login attempts before the partition is locked out (see Failed Login Attempts).

The Partition SO can change the number of failed logins to a value lower than the maximum if desired.

Default: 10

21

Enable high availability recovery

Allow high availability recovery

If enabled, partitions in the same HA group may be used to restore the login state of this partition after a power outage or other deactivation. RecoveryLogin must be configured in advance (see role recoveryinit and role recoverylogin in the LunaCM Command Reference Guide for details). The Partition SO can turn this feature on or off.

Default: ON

22

Enable activation

Allow activation

Applies only to PED-authenticated HSMs.

If enabled, the black and/or gray PED key secrets may be cached, so that the CO or CU only needs the challenge secret to login. The Partition SO can turn this feature on or off.

If disabled (or the policy is turned off), PED keys must be presented at each login, whether the call is local or from a client application.

This policy setting is overridden and activation is disabled if a tamper event occurs, or if an uncleared tamper event is detected on reboot. See Tamper Events, and Activation and Auto-Activation on PED-Authenticated Partitions for more information.

Default: OFF

23

Enable auto-activation

Allow auto-activation

See Capability 22 above for a description of activation.

If enabled, the black or gray PED key secrets may be encrypted and semi-permanently cached to hard disk, so that the partition's activation status can be maintained after a power loss of up to two hours. The Partition SO can turn this feature on or off.

If disabled, this partition does not support auto-activation.

This policy setting is overridden and auto-activation is disabled if a tamper event occurs, or if an uncleared tamper event is detected on reboot. See Tamper Events, and Activation and Auto-Activation on PED-Authenticated Partitions for more information.

Default: OFF

25

Minimum PIN length (inverted: 255 - min)

Minimum PIN length (inverted: 255 - min)

The absolute minimum length for a partition login PIN is 8 characters. This is displayed as a value subtracted from 256. The policy value is determined as follows:

Subtract the desired minimum PIN length from 256 (the absolute maximum length), and set policy 25 to that value.

256 - (min PIN) = (policy value)

For example, to set the minimum PIN length to 10 characters, the Partition SO should set the value of this policy to 246:

256 - 10 = 246

The reason for this inversion is that a policy can only be set to a value equal to or lower than the value set by its capability. If the absolute minimum PIN length were stored directly as 8, the Partition SO would be able to set the preferred minimum to 2, a less secure policy. With the inverted value, the Partition SO may only change the minimum PIN length in the direction that increases security, by forcing stronger passwords.

Default: 248

26

Maximum PIN length

Maximum PIN length

The absolute maximum length for a partition login PIN is 255 characters. The effective maximum may be changed by the Partition SO, and must always be greater than the value of the minimum PIN length, determined by the formula in the description of policy 25 (above).

Default: 255

28

Enable Key Management Functions

Allow Key Management Functions

The Partition SO can disable access to any key management functions by the user: all users become Crypto Users (the restricted-capability user), even if logged in as Crypto Officer.

Default: ON

Destructive: OFF-to-ON

29

Enable RSA signing without confirmation

Perform RSA signing without confirmation

The HSM can perform an internal verification (confirmation) of a signing operation to validate the signature. This confirmation is disabled by default because it has a performance impact on signature operations.

Default: ON

Destructive: OFF-to-ON

31

Enable private key unmasking

Allow private key unmasking

If enabled, the encryption with an AES 256-bit key can be removed from a private key (the key can be unmasked).

Default: ON

32

Enable secret key unmasking

Allow secret key unmasking

If enabled, the encryption with an AES 256-bit key can be removed from a secret key (the key can be unmasked).

Default: ON

33

Enable RSA PKCS mechanism

Allow RSA PKCS mechanism

Default: ON

Destructive: OFF-to-ON

34

Enable CBC-PAD (un)wrap keys of any size

Allow CBC-PAD (un)wrap keys of any size

Default: ON

Destructive: OFF-to-ON

37

Enable Secure Trusted Channel

Force Secure Trusted Channel

Secure Trusted Channel is a Network HSM feature, and has no function on SafeNet Luna PCIe HSM. Thales does not recommend turning this policy on at any time.

Default: OFF

Destructive: ON-to-OFF

39

Enable Start/End Date Attributes

Allow Start/End Date Attributes

If enabled, the Partition SO can turn this policy on to enforce CKA_START_DATE/CKA_END_DATE attributes for the partition. With the policy turned off, these attributes can be set, but their values will be ignored.

Default: OFF

Destructive: ON-to-OFF
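The rules this page states (a policy may never be set above its capability value, policies 0 and 1 may not both be ON, policy 25 stores the minimum PIN length as 256 minus the length, policy 26 must exceed that minimum, and certain transitions are destructive) can be checked before running partition changepolicy. The following is an added example, not Thales code or output of any LunaCM command; the function names, the dictionaries holding capability and policy values, and the assumption that the policy 25 capability value equals its default of 248 are this example's own.

```python
# Added example: models the partition policy constraints described on this
# page so a proposed change can be validated before it is applied on the HSM.
# Policy numbers and destructive directions are taken from the table above.

DESTRUCTIVE_OFF_TO_ON = {0, 1, 4, 5, 10, 11, 15, 16, 18, 28, 29, 33, 34}
DESTRUCTIVE_ON_TO_OFF = {37, 39}


def pin_policy_value(min_pin_length):
    """Policy 25 value for a desired minimum PIN length: 256 - min."""
    if min_pin_length < 8:
        raise ValueError("absolute minimum PIN length is 8 characters")
    return 256 - min_pin_length


def min_pin_from_policy(policy_value):
    """Inverse of pin_policy_value: recover the minimum PIN length."""
    return 256 - policy_value


def is_destructive(policy, old_value, new_value):
    """True if this change wipes all objects on the partition."""
    if policy in DESTRUCTIVE_OFF_TO_ON:
        return old_value == 0 and new_value == 1
    if policy in DESTRUCTIVE_ON_TO_OFF:
        return old_value == 1 and new_value == 0
    return False


def check_change(capabilities, policies, policy, new_value):
    """Return the rule violations for setting `policy` to `new_value`.

    `capabilities` and `policies` map policy number -> current value
    (constructed inputs; on a real HSM read them from partition showpolicies).
    An empty list means the change is permitted by the rules on this page.
    """
    problems = []
    cap = capabilities[policy]
    # A policy can never be less secure than its capability, i.e. its value
    # may only equal or fall below the capability value. This is why policy 25
    # is inverted: a lower value means a longer (stronger) minimum PIN.
    if new_value > cap:
        problems.append(f"policy {policy}: {new_value} exceeds capability {cap}")
    # Private key cloning (0) and private key wrapping (1) cannot both be ON.
    if policy in (0, 1) and new_value == 1 and policies[1 - policy] == 1:
        problems.append("policies 0 and 1 cannot both be ON")
    # Maximum PIN length (26) must always exceed the minimum derived from 25.
    if policy in (25, 26):
        min_pin = min_pin_from_policy(new_value if policy == 25 else policies[25])
        max_pin = new_value if policy == 26 else policies[26]
        if max_pin <= min_pin:
            problems.append(f"max PIN {max_pin} must exceed min PIN {min_pin}")
    return problems
```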