HSM Initialization
Initialization prepares a new HSM for use, or an existing HSM for reuse, as follows. You must initialize the HSM before you can generate or store objects, allow clients to connect, or perform cryptographic operations:
>On a new HSM or factory-reset HSM, initialization sets the HSM SO credentials, the HSM label, and the cloning domain of the HSM Admin partition. This is often referred to as a 'hard' initialization. See Initializing a New or Factory-reset HSM.
>On an existing, non-factory-reset HSM, reinitialization destroys all existing partitions and objects, but retains the SO credentials and cloning domain. You have the option to change or retain the existing label. This is often referred to as a 'soft' initialization. See Re-initializing an Existing, Non-factory-reset HSM.
NOTE To ensure accurate auditing, perform initialization only after you have set the system time parameters (time, date, time zone, and use of NTP (Network Time Protocol)). You can use the -authtimeconfig option when initializing the HSM to require HSM SO authorization of any time-related changes once the HSM is initialized.
Hard versus soft initialization
The following table summarizes the differences between a hard and soft initialization.
Condition/Effect | Soft init | Hard init |
---|---|---|
HSM SO authentication required | Yes | No |
Can set new HSM label | Yes | Yes |
Creates new HSM SO identity | No | Yes |
Creates new Domain | No | Yes |
Destroys partitions | Yes | No (none exist to destroy, since the HSM is new or an hsm factoryreset was performed) |
Destroys objects | Yes | No (none exist to destroy, since the HSM is new or an hsm factoryreset was performed) |
Initializing a New or Factory-reset HSM
NOTE New HSMs are shipped in Secure Transport Mode (STM). You must recover the HSM from STM before you can initialize the HSM. See To initialize a new or factory-reset HSM (hard init): for details.
On a new or factory-reset HSM (reset using hsm factoryreset), you perform a 'hard init' to set the following:
HSM Label
The label is a string of up to 32 characters that uniquely identifies this HSM unit. A labeling convention that conveys some information about the business, departmental, or network function of the individual HSM is commonly used. Labels cannot contain a leading space.
HSM SO credentials
For PED-authenticated HSMs, you create a new HSM SO (blue) PED key (or keyset) or re-use an existing key (or keyset) from an HSM you want to share credentials with. If you are using PED authentication, ensure that you have a PED key strategy before beginning. See PED Authentication.
For password-authenticated HSMs, you specify the HSM SO password. For proper security, it should be different from the appliance admin password and employ standard password-security characteristics. The password can be between 7 and 256 characters in length:
>Valid characters are !#$%'*+,-./0123456789:=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{}~ (the first character in that list is the space character)
>Invalid characters are "&';<>\`|()
Cloning domain for the HSM Admin partition
The cloning domain is a shared identifier that makes cloning possible among a group of HSM partitions. It specifies the security domain (group of HSM partitions) within which the HSM Admin partition can share cryptographic objects through cloning, backup/restore, or in high availability configurations. Note that the HSM Admin partition cloning domain is independent of the cloning domain specified when creating application partitions on the HSM.
For PED-authenticated HSMs, you create a new Domain (red) PED key (or keyset) or re-use an existing key (or keyset) from an HSM you want to be able to clone with. For password-authenticated HSMs, you create a new domain password or re-use an existing password from an HSM you want to be able to clone with. Cloning domain strings can be between 1 and 128 characters in length:
>Valid characters are !#$%'*+,-./0123456789:=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_abcdefghijklmnopqrstuvwxyz{}~ (the first character in that list is the space character)
>Invalid characters are "&';<>\`|()
NOTE Always specify a cloning domain when you initialize a Password-authenticated SafeNet Luna HSM in a production environment. The HSM allows you to specify "defaultdomain" at initialization, the factory-default domain. This is deprecated, as it is insecure: anyone could clone objects to or from such an HSM. The default domain is provided for the benefit of customers who have previously used the default domain, and for migration purposes. When you prepare a SafeNet Luna HSM to go into service in a real production environment, always specify a proper, secure domain string when you initialize the HSM.
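As an added pre-flight check (not part of the Thales documentation or of LunaCM), the following Python script validates the three values above against the rules just stated before you type them at the hsm init prompts. One assumption is built in: the page lists the apostrophe in both the valid and the invalid character sets, and the checker treats the invalid list as authoritative.

```python
"""Pre-flight validation of 'hsm init' inputs (added illustration, not Thales code).

Rules encoded from the page: label of up to 32 characters with no leading
space; SO password of 7 to 256 characters; cloning domain of 1 to 128
characters; password and domain drawn from the listed character set; and
"defaultdomain" rejected for production use.
"""
from typing import Dict, List, Optional

# Character set quoted on the page; its first character is the space.
VALID_CHARS = frozenset(
    " !#$%'*+,-./0123456789:=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_"
    "abcdefghijklmnopqrstuvwxyz{}~"
)
INVALID_CHARS = frozenset("\"&';<>\\`|()")
# The apostrophe appears in both lists on the page; this checker treats the
# invalid list as authoritative (assumption).
ALLOWED_CHARS = VALID_CHARS - INVALID_CHARS


def _bad_chars(value: str) -> str:
    """Return the distinct characters of `value` that are not allowed, sorted."""
    return "".join(sorted({c for c in value if c not in ALLOWED_CHARS}))


def check_label(label: str) -> List[str]:
    """Problems with an HSM label, or an empty list if it is acceptable."""
    problems = []
    if not label:
        problems.append("label is empty")
    if len(label) > 32:
        problems.append(f"label is {len(label)} characters; the maximum is 32")
    if label.startswith(" "):
        problems.append("label cannot contain a leading space")
    return problems


def check_so_password(password: str,
                      appliance_admin_password: Optional[str] = None) -> List[str]:
    """Problems with an HSM SO password for a password-authenticated HSM."""
    problems = []
    if not 7 <= len(password) <= 256:
        problems.append(f"SO password is {len(password)} characters; must be 7 to 256")
    bad = _bad_chars(password)
    if bad:
        problems.append(f"SO password contains invalid characters: {bad!r}")
    if appliance_admin_password is not None and password == appliance_admin_password:
        problems.append("SO password should differ from the appliance admin password")
    return problems


def check_cloning_domain(domain: str, production: bool = True) -> List[str]:
    """Problems with a cloning domain string for a password-authenticated HSM."""
    problems = []
    if not 1 <= len(domain) <= 128:
        problems.append(f"cloning domain is {len(domain)} characters; must be 1 to 128")
    bad = _bad_chars(domain)
    if bad:
        problems.append(f"cloning domain contains invalid characters: {bad!r}")
    if production and domain == "defaultdomain":
        problems.append("'defaultdomain' is deprecated and insecure: anyone could "
                        "clone objects to or from this HSM")
    return problems


def preflight(label: str, so_password: str, domain: str,
              appliance_admin_password: Optional[str] = None,
              production: bool = True) -> Dict[str, List[str]]:
    """Run all checks; an empty dict means the values are ready for hsm init."""
    report = {
        "label": check_label(label),
        "so_password": check_so_password(so_password, appliance_admin_password),
        "domain": check_cloning_domain(domain, production),
    }
    return {field: probs for field, probs in report.items() if probs}


if __name__ == "__main__":
    # Constructed sample values, deliberately including two mistakes.
    result = preflight(label=" payroll-hsm-01",
                       so_password="Correct=Horse+Battery.9",
                       domain="defaultdomain")
    for field, probs in result.items():
        for p in probs:
            print(f"{field}: {p}")
```

Run it with the values you intend to use; an empty report means the label, SO password, and domain will be accepted and do not fall into the "defaultdomain" trap the note above warns about.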
To initialize a new or factory-reset HSM (hard init):
CAUTION! Ensure that you are prepared. Once initialized, re-initializing the HSM forces the deletion of all partitions and objects on the HSM.
1. If Secure Transport Mode is set, you must unlock the HSM before proceeding. New SafeNet Luna HSMs are shipped from the factory in Secure Transport Mode (STM). STM allows you to verify whether or not an HSM has been tampered with while it is not in your possession, such as when it is shipped to another location or placed into storage. See Secure Transport Mode in the Administration Guide for more information.
To recover your HSM from Secure Transport Mode, proceed as follows:
a. As part of the delivery process for your new HSM, you should have received an email from Thales Client Services containing two 16-digit strings, as follows. You will need both of these strings to recover the HSM from STM:
Random User String: XXXX-XXXX-XXXX-XXXX
Verification String: XXXX-XXXX-XXXX-XXXX
b. Ensure that you have the Random User String and Verification String that were emailed to you for your new HSM.
c. Enter the following command to recover from STM, specifying the Random User String that was emailed to you for your new HSM:
lunacm:> stm recover -randomuserstring <XXXX-XXXX-XXXX-XXXX>
d. You are presented with a verification string. If it matches the verification string emailed to you for your new HSM, the HSM has not been tampered with and can be safely deployed. If it does not match, the HSM has been tampered with while in STM; contact Thales Technical Support immediately.
e. Enter proceed to recover from STM (regardless of whether the strings match), or enter quit to remain in STM.
2. If you are initializing a PED-authenticated HSM, have the Luna PED connected and ready (via USB, in Local PED-USB mode). If your PED is not in USB mode, see Changing Modes in the HSM Administration Guide.
3. Open a LunaCM session and set the slot to the HSM Admin partition.
4. Run the hsm init command, specifying a label for your SafeNet Luna PCIe HSM:
lunacm:> hsm init <label>
5. Respond to the prompts to complete the initialization process:
•On a password-authenticated HSM, you are prompted for the HSM SO password and for the HSM Admin partition cloning domain string (cloning domains for application partitions are set when the application partitions are initialized).
•On a PED-authenticated HSM, you are prompted to attend to the PED to create a new HSM SO (blue) PED key for this HSM, re-use an HSM SO PED key from an existing HSM so that you can also use it to log in to this HSM, or overwrite an existing key with a new PED secret for use with this HSM. You are also prompted to create, re-use, or overwrite the Domain (red) PED key. You can create MofN quorum keysets and duplicate keys as required. See PED Authentication for more information.
The prompts are self explanatory. New users (especially those initializing a PED-authenticated HSM) may want to refer to the following examples for more information:
•PED-authenticated HSM Initialization Example
•Password-authenticated HSM Initialization Example
Re-initializing an Existing, Non-factory-reset HSM
On an existing, non-factory-reset HSM, re-initialization clears all existing partitions and objects, but retains the SO credentials and cloning domain. You have the option to change or retain the existing label. Re-initialization is also referred to as a soft init. A soft init cannot change the SO credentials or the cloning domain; if you need to change those as well, use the hsm factoryreset command to factory reset the HSM, and then perform the procedure described in Initializing a New or Factory-reset HSM.
CAUTION! Ensure you have backups for any partitions and objects you want to keep, before reinitializing the HSM.
To re-initialize an existing, non-factory-reset HSM (soft init):
1. Log in as the HSM SO.
2. If Secure Transport Mode is set, you must unlock the HSM before proceeding. See Secure Transport Mode in the Administration Guide.
3. If you are initializing a PED-authenticated HSM, have the Luna PED connected and ready (via USB, in Local PED-USB mode). If your PED is not in USB mode, see Changing Modes in the HSM Administration Guide.
4. Open a LunaCM session and set the slot to the HSM Admin partition.
5. Run the hsm init command, specifying a label for your SafeNet Luna Network HSM:
lunacm:> hsm init <label>
PED-authenticated HSM Initialization Example
This section provides detailed examples that illustrate your options when initializing a PED-authenticated HSM. It provides the following information:
>To initialize a PED-authenticated HSM:
>Imprinting the Blue HSM SO PED Key
>Imprinting the Red Cloning Domain PED Key
>New, reuse, and overwrite options
NOTE Respond promptly to avoid a PED timeout error. If the PED has timed out, press the CLR key for five seconds to reset, or switch the PED off and back on, to get to the "Awaiting command...." state before re-issuing a LunaSH command that invokes the PED.
To initialize a PED-authenticated HSM:
1. Your Luna PED must be connected to the HSM, either locally/directly in USB mode (see Changing Modes), or remotely via a Remote PED connection (see About Remote PED).
NOTE To operate in Local PED-USB mode, the PED must be connected directly to the HSM card's USB port, and not one of the other USB connection ports on the
2. Set the active slot to the SafeNet Luna PCIe HSM Admin partition, and issue the hsm init command.
3. When you issue the hsm init command, the HSM passes control to the Luna PED, and the command line (lunash:>) directs you to attend to the PED prompts.
4. A "default" login is performed, just to get started (you don't need to supply any authentication for this step).
5. Luna PED asks: "Do you wish to reuse an existing keyset?". If the answer is No, the HSM creates a new secret that will reside on both the HSM and the key (or keys) about to be imprinted. If the answer is Yes, the HSM does not create a new secret and instead waits for one to be presented via the PED.
6. Luna PED requests a blue PED key. It could be blank to begin with, it could hold a valid secret from another HSM (a secret that you wish to preserve), or it could hold a secret that is no longer useful.
7. Luna PED checks the key you provide. If the PED key is not blank, and your answer to "...reuse an existing keyset" was Yes, then Luna PED proceeds to copy the secret from the PED key to the HSM.
8. If the key is not blank, and your answer to "...reuse an existing keyset" was No, then the PED asks whether you wish to overwrite its contents with a new HSM secret. If the current content of the key is of no value, answer Yes. If the current content of the key is a valid secret from another HSM (or if you did not expect the key to hold any data), you can remove it from the PED and replace it with a blank key or a key containing non-useful data before you answer Yes to the 'overwrite' question.
9. Assuming that you are using a new secret, and not reusing an existing one, Luna PED asks if you wish to split the new HSM secret. It does this by asking for values of "M" and "N". Set those values to "1" and "1" respectively, unless you require MofN split-secret, multi-person quorum access control for your HSM (see M of N Split Secrets (Quorum) for details).
10. Luna PED asks if you wish to use a PED PIN (an additional secret; see PED Key Management for more information).
11. If you just press Enter (effectively saying 'no' to the PED PIN option), the secret generated by the HSM is imprinted on the PED key, that same secret is retained as-is on the HSM, and the same secret becomes the piece needed to unlock the Security Officer/HSM Admin account on the HSM.
12. If you press some digits on the PED keypad (saying 'yes' to the PED PIN option), the PED combines the HSM-generated secret with your PED PIN and feeds the combined data blob to the HSM. The HSM discards the original secret and takes on the new, combined secret as its SO/HSM Admin secret.
13. The PED key contains the original HSM-generated secret, together with a flag that tells the PED whether to demand a PED PIN (either no digits, or the set of digits that you supplied, which must then be supplied at all future uses of that PED key).
14. Luna PED gives you the option to create duplicates of this imprinted key. You should make at least one duplicate for backup purposes. Make additional duplicates if your security policy permits and your procedures require them.
15. Next, Luna PED requests a red Domain PED key. The HSM provides a cloning Domain secret, and the PED gives you the option to imprint the secret from the HSM or to use a domain that might already be on the key. You choose appropriately. If you are imprinting a new Domain secret, you have the same opportunities to split the secret and to apply a PED PIN "modifier" to the secret. Again, you are given the option to create duplicates of the key.
16. At this point, the HSM is initialized and Luna PED passes control back to
Further actions are needed to prepare for use by your Clients, but you can now log in as SO/HSM Admin and perform HSM administrative actions.
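As an added worked example (not Thales code and not the PED's real algorithm), the Python model below reproduces the behaviour described in steps 9 to 13: the HSM-generated secret is split M of N, each PED key carries a split of the original secret plus a PIN-required flag, and the HSM itself keeps the PIN-combined value. Shamir secret sharing over GF(2^255-19) and HMAC-SHA256 are assumed stand-ins for the PED's split and combination operations, which this page does not specify.

```python
"""Model of PED steps 9 to 13: MofN splitting and the PED PIN modifier.

Added illustration, not Thales code. Shamir secret sharing over GF(P) and
HMAC-SHA256 are stand-ins for the PED's actual (undocumented) split and
PIN-combination operations; only the behaviour described on the page is
reproduced: the PED keys carry splits of the original HSM-generated secret
plus a PIN-required flag, while the HSM keeps the PIN-combined value.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

P = 2**255 - 19  # prime field for the toy sharing scheme (assumption)
Share = Tuple[int, int]
PedKey = Dict[str, object]


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of a polynomial with coefficients in GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, m: int, n: int) -> List[Share]:
    """Split `secret` into n shares such that any m of them reconstruct it."""
    if not 1 <= m <= n:
        raise ValueError("require 1 <= M <= N")
    if not 0 <= secret < P:
        raise ValueError("secret out of field range")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct(shares: List[Share]) -> int:
    """Lagrange-interpolate the shares at x = 0. Fewer than M shares give garbage."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def apply_ped_pin(hsm_secret: int, ped_pin: str) -> int:
    """Steps 11-12: with no PIN the secret is used as-is; with a PIN the HSM
    adopts a value derived from both. HMAC is the assumed combiner."""
    if ped_pin == "":
        return hsm_secret
    if not (ped_pin.isdigit() and 4 <= len(ped_pin) <= 16):
        raise ValueError("PED PIN must be 4 to 16 digits")
    digest = hmac.new(ped_pin.encode(), hsm_secret.to_bytes(32, "big"),
                      hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % P


def imprint(m: int, n: int, ped_pin: str = "",
            hsm_secret: Optional[int] = None) -> Tuple[List[PedKey], int]:
    """Imprint N PED keys and return them with the value the HSM stores."""
    if hsm_secret is None:
        hsm_secret = secrets.randbelow(P)  # the HSM-generated secret (step 5)
    ped_keys = [{"share": s, "pin_required": ped_pin != ""}
                for s in split_secret(hsm_secret, m, n)]
    return ped_keys, apply_ped_pin(hsm_secret, ped_pin)


def authenticate(presented: List[PedKey], ped_pin: str, hsm_stored: int) -> bool:
    """A quorum presents its keys (and the PIN, if the keys demand one)."""
    pin_required = any(k["pin_required"] for k in presented)
    if pin_required and ped_pin == "":
        return False  # the PED would not proceed without the PIN
    pin = ped_pin if pin_required else ""
    candidate = apply_ped_pin(reconstruct([k["share"] for k in presented]), pin)
    return hmac.compare_digest(candidate.to_bytes(32, "big"),
                               hsm_stored.to_bytes(32, "big"))


if __name__ == "__main__":
    keys, stored = imprint(m=3, n=5, ped_pin="1234")
    print("3 of 5 with PIN:", authenticate(keys[:3], "1234", stored))    # True
    print("2 of 5 with PIN:", authenticate(keys[:2], "1234", stored))    # False
    print("3 of 5, wrong PIN:", authenticate(keys[:3], "9999", stored))  # False
```

Running it shows what the quorum and PED PIN settings buy: any M of the N keys together with the correct PIN reproduce what the HSM holds, while M-1 keys, a wrong PIN, or a missing PIN all fail, and with M = N = 1 and no PIN the single key alone is sufficient, exactly as step 11 describes.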
Imprinting the Blue HSM SO PED Key
1. Decide if you want to reuse a keyset.
•If you say No (on the PED keypad), you are indicating that there is nothing of value on your PED keys to preserve, or that you are using blank keys.
•If you say Yes, you indicate that you have a PED key (or set of PED keys) from another HSM and you wish your current/new HSM to share the authentication with that other HSM. The authentication will be read from the PED key that you present and imprinted onto the current HSM.
2. Set MofN.
•Setting M and N to 1 means that the role authentication is not split, and only a single PED key will be necessary when the authentication is called for in future. Input 1 for each prompt if you do not want to use MofN.
•Setting M and N to larger than 1 sets a quorum requirement for the role: the authentication is split into N different splits, of which M (the quorum) must be presented each time you are required to authenticate. MofN allows you to enforce multi-person access control: no single person can access the HSM without the cooperation of a quorum of other holders.
3. Insert your blank key or the key you wish to overwrite.
Insert a blue HSM Admin/SO PED key and press Enter.
•Yes: If the PED should overwrite the PED key with a new SO authentication. If you overwrite a PED key that contains the authentication secret for another HSM, then this PED key will no longer be able to access the other HSM, only the new HSM that you are currently initializing with a new, unique authentication secret.
•No: If you have changed your mind or inserted the wrong PED key.
4. For any situation other than reusing a keyset, Luna PED now prompts you to set a PED PIN. For multi-factor authentication security, the physical PED key is "something you have." You can choose to associate that with "something you know," in the form of a multi-digit PIN code that must always be supplied along with the PED key for all future HSM access attempts.
Type a numeric password on the PED keypad, if you wish. Otherwise, just press Enter twice to indicate that no PED PIN is desired.
5. Decide if you want to duplicate your keyset.
•Yes: Present one or more blank keys, all of which will be imprinted with exact copies of the current PED key's authentication.
•No: Do not make any copies.
NOTE You should always have backups of your imprinted PED keys, to guard against loss or damage.
Imprinting the Red Cloning Domain PED Key
To begin imprinting a Cloning Domain (red PED key), you must first log into the HSM. Insert your blue SO PED key.
1. Decide if you want to reuse a keyset.
•No: If this is your first SafeNet Luna HSM, or if this HSM will not be cloning objects with other HSMs that are already initialized.
•Yes: If you have another HSM and wish that HSM and the current HSM to share their cloning Domain.
2. Set MofN.
•Setting M and N to 1 means that the domain authentication is not split, and only a single PED key will be necessary when the authentication is called for in future. Input 1 for each prompt if you do not want to use MofN.
•Setting M and N to larger than 1 sets a quorum requirement for the domain: the authentication is split into N different splits, of which M (the quorum) must be presented each time you are required to provide the domain. MofN allows you to enforce multi-person access control: no single person can access the HSM without the cooperation of a quorum of other holders.
3. Insert your blank key or the key you wish to overwrite.
4. Optionally set a PED PIN.
5. Decide if you want to duplicate your keyset.
Once you stop duplicating the Domain key, or you indicate that you do not wish to make any duplicates, Luna PED goes back to "Awaiting command...". LunaSH says:
Command Result : No Error
New, reuse, and overwrite options
The table below summarizes the steps involving Luna PED immediately after you invoke the hsm init command. The steps in the table are listed in the order in which they appear as PED prompts, reading down each column.
The first column is the simplest, and most like what you would encounter the very first time you initialize, using "fresh from the carton" PED keys.
The next two columns of the table show some differences if you are using previously-imprinted PED keys, choosing either to reuse what is found on the key (imprint it on your new HSM - see Shared PED Key Secrets) or, to overwrite what is found and generate a new secret to be imprinted on both the PED key and the HSM.
New PED Keys | Existing PED Keys (Reuse) | Existing PED Keys (Overwrite) |
---|---|---|
SLOT 01 Do you wish to reuse an existing keyset? No | SLOT 01 Do you wish to reuse an existing keyset? Yes | SLOT 01 Do you wish to reuse an existing keyset? No |
SLOT 01 SETTING SO PIN... Insert a SO / HSM Admin PED Key. Press ENTER. | SLOT 01 SETTING SO PIN... Insert a SO / HSM Admin PED Key. Press ENTER. | SLOT 01 SETTING SO PIN... Insert a SO / HSM Admin PED Key. Press ENTER. |
This PED Key is blank. Yes | ****Warning!**** No | ****Warning!**** Yes |
Enter a new PED PIN / Confirm new PED PIN: press Enter for no PED PIN, or input 4-16 digits on the PED keypad | Enter a new PED PIN / Confirm new PED PIN: press Enter for no PED PIN, or input 4-16 digits on the PED keypad | Enter a new PED PIN / Confirm new PED PIN: press Enter for no PED PIN, or input 4-16 digits on the PED keypad |
Are you duplicating this keyset? YES/NO. Yes: duplicate (this option can be looped for as many duplicates as you need). No: do not duplicate | Are you duplicating this keyset? YES/NO. Yes: duplicate (this option can be looped for as many duplicates as you need). No: do not duplicate | Are you duplicating this keyset? YES/NO. Yes: duplicate (this option can be looped for as many duplicates as you need). No: do not duplicate |
Login SO / HSM Admin... Insert a SO / HSM Admin PED Key. Press ENTER | Login SO / HSM Admin... Insert a SO / HSM Admin PED Key. Press ENTER | Login SO / HSM Admin... Insert a SO / HSM Admin PED Key. Press ENTER |
SETTING DOMAIN... Yes (unless you have good reason to create a new domain) | SETTING DOMAIN... Yes: make this HSM part of an existing domain. No: create a new domain for this HSM | SETTING DOMAIN... Yes: make this HSM part of an existing domain. No: create a new domain for this HSM |
Password-authenticated HSM Initialization Example
lunacm:>hsm init -label myLunaHSM
You are about to initialize the HSM.
All contents of the HSM will be destroyed.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now ->proceed
Enter password for SO: ********
Re-enter password for SO: ********
Option -domain was not specified. It is required.
Enter the domain name: *********
Re-enter the domain name: *********
Command Result : No Error
When activity is complete, the system displays a “success” message.