About HSM Partitions

HSM Partitions are independent logical HSMs that reside within the SafeNet Luna HSM inside, or attached to, your host computer or appliance. Each HSM Partition has its own data, access controls, security policies, and separate administration access, independent from other HSM partitions. HSM Partitions are analogous to 'safe deposit boxes' that reside within a bank's 'vault'. The HSM (vault) itself offers an extremely high level of security for all the contents inside. Each partition (safe deposit box) within the HSM also has its own security and access controls, so that even though the HSM security officer (bank manager) has access to the vault, they still cannot open the individual partitions (safe deposit boxes), because only the owner of the partition (safe deposit box) holds the key that opens it.

HSMs have two types of partitions:

> An administrative partition

>One or more application partitions

The Administrative Partition

Each HSM has a single administrative partition, which is created when the HSM is initialized. The administrative partition is owned by the HSM security officer (SO). This partition is used by the HSM SO and Auditor roles and is not normally used to store cryptographic objects.

Application Partitions

Application partitions are used to store the cryptographic objects used by your applications. Application partitions have their own partition SO, distinct from the HSM SO. For instructions on how to create application partitions, see Creating an Application Partition on the HSM in the Configuration Guide.

The HSM SO is responsible for initializing the HSM, setting the HSM-wide policies, and creating empty application partitions. After the HSM SO creates the partition, complete control of the application partition is handed off to the partition SO. The HSM SO has no oversight over application partitions and can do nothing with them except delete them, if required.

The partition SO is responsible for setting the partition policies and for creating the Crypto Officer and optional Crypto User roles, who use the partition for cryptographic operations. Application partitions can be assigned to a single client, or multiple clients can be assigned to, and share, a single application partition.


Customer Support Portal

SafeNet Luna PCIe HSM 7.3 Product Documentation  13 December 2019  Copyright 2001-2019 Thales. All rights reserved.