HSM Capabilities and Policies
The SafeNet Luna Network HSM's configuration is based on HSM capabilities. They are set at manufacture according to the model you selected at time of purchase. Capabilities can only be modified by purchase and application of capability updates.
A subset of HSM capabilities have corresponding HSM policies that allow you to customize the HSM configuration. Policies can be modified based on your specific needs. They can never be modified to be less secure than the corresponding capability.
To view the HSM capability and policy settings, use the LunaSH command hsm showpolicies. Include the -exporttemplate option to create a template based on the current HSM policy settings. See Policy Templates.
To modify HSM policies, log in as HSM SO and use the LunaSH command hsm changepolicy -policy <policy#> -value <0/1>. See hsm changepolicy in the LunaSH Command Reference Guide for command syntax.
To zeroize the HSM and reset the policies to their default values, use hsm factoryreset. See hsm factoryreset in the LunaSH Command Reference Guide for command syntax.
To zeroize the HSM and keep the current policy settings, use hsm zeroize. See hsm zeroize in the LunaSH Command Reference Guide for command syntax.
Destructiveness
In some cases, changing an HSM policy zeroizes all application partitions or the entire HSM as a security measure. These policies are listed as destructive in the table below.
HSM Capability and Policy Descriptions
The table below summarizes the relationships and provides a brief description of the purpose and operation of each capability and policy.
| # | HSM Capability | HSM Policy | Description |
|---|---|---|---|
| 0 | Enable PIN-based authentication |
|
|
| 1 | Enable PED-based authentication | If allowed, the HSM authenticates users with secrets stored on physical PED keys, read by a SafeNet Luna PED. The Crypto Officer and Crypto User roles may also be configured with a secondary, keyboard-entered challenge secret. | |
| 2 | Performance level |
Numerical value indicates the performance level of this HSM, determined by the model you selected at time of purchase: >4: Standard performance >8: Enterprise performance >15: Maximum performance |
|
| 4 | Enable domestic mechanisms & key sizes | Always allowed. All SafeNet |
|
|
6 |
Enable masking |
|
Always disallowed. SIM has been deprecated on all current SafeNet Luna Network HSMs. |
|
7 |
Enable cloning |
Allow cloning |
If allowed, the HSM is capable of cloning cryptographic objects from one partition to another. This policy must be enabled to backup partitions over a network Destructive: OFF-to-ON |
|
9 |
Enable full (non-backup) functionality |
|
If allowed, the HSM is capable of full cryptographic functions. This capability is only disallowed on SafeNet Luna Backup HSMs. |
|
12 |
Enable non-FIPS algorithms |
Allow non-FIPS algorithms |
If allowed, the HSM can use all available cryptographic algorithms. If disallowed, only algorithms sanctioned by the FIPS 140-2 standard are permitted. The following is displayed in the output from FIPS 140-2 Operation: ===================== The HSM is in FIPS 140-2 approved operation mode. NOTE FMs are not compatible with FIPS 140-2 approved operation mode. See FM Deployment Constraints for details. Destructive: OFF-to-ON |
|
15 |
Enable SO reset of partition PIN |
SO can reset partition PIN |
If allowed, a Partition SO can reset the password or PED secret of a Crypto Officer who has been locked out after too many bad login attempts. If disallowed, the lockout is permanent and the partition contents are no longer accessible. The partition must be re-initialized, and key material restored from a backup device. See Logging In to the Application Partition for more information. Destructive: OFF-to-ON, ON-to-OFF |
|
16 |
Enable network replication |
Allow network replication |
If allowed, cryptographic object cloning is permitted over a network. This is required for HA groups, and for partition backup to a remote or client-connected SafeNet Luna Backup HSM. If disallowed, cloning over a network is not permitted. Partition backup is possible to a locally-connected SafeNet Luna Backup HSM only. Setting this policy to 0 means that only the HSM SO can backup partitions. |
|
17 |
Enable Korean Algorithms |
Allow Korean algorithms |
If allowed, the SafeNet Luna Network HSM can use the Korean algorithm set. This capability may be purchased as an upgrade. See Upgrading HSM Capabilities and Partition Licenses. |
|
18 |
FIPS evaluated |
|
Always disallowed - deprecated policy. All SafeNet Luna Network HSMs are capable of operating in FIPS Mode. |
|
19 |
Manufacturing Token | N/A (Thales internal use only) | |
|
21 |
Enable forcing user PIN change |
Force user PIN change after set/reset |
If allowed, when a Partition SO initializes the Crypto Officer role (or resets the password/PED secret), the CO must change the credential with role changepw before any other actions are permitted. The same is true when the CO initializes/resets the Crypto User role. This policy is intended to enforce the separation of roles on the partition. If disallowed, the CO/CU may continue to use the credential assigned by the Partition SO. |
|
22 |
Enable offboard storage |
Allow off-board storage |
On previous HSMs, this policy allowed or disallowed the use of the portable SIM key. SIM is not supported on this version of SafeNet Luna HSM. Destructive: OFF-to-ON |
|
23 |
Enable partition groups |
|
Always disallowed - deprecated policy. |
|
25 |
Enable Remote PED usage |
Allow Remote PED usage |
|
|
27 |
HSM non-volatile storage space |
Displays the non-volatile maximum storage space (in bytes) on the HSM. This is determined by the model of SafeNet Luna Network HSM you selected at time of purchase. |
|
|
30 |
Enable Unmasking |
Allow unmasking |
If allowed, cryptographic material can be migrated from legacy SafeNet appliances that used SIM. |
|
33 |
Maximum number of partitions | Current maximum number of partitions |
Displays the maximum number of application partitions that can be created on the HSM. This number is determined by the model of SafeNet Luna Network HSM you selected at time of purchase. On some models, the number of allowable partitions can be upgraded with a separate purchase. |
|
35 |
Enable Single Domain | Not applicable to SafeNet Luna Network HSMs. | |
|
36 |
Enable Unified PED Key | Not applicable to SafeNet Luna Network HSMs. | |
|
37 |
Enable MofN | Allow MofN |
If allowed on PED-authenticated SafeNet Luna Network HSMs, this policy enables you to require a quorum for role access, by splitting a PED secret among multiple PED keys (see M of N Split Secrets (Quorum)). If disallowed, users will no longer be asked to split a PED secret (M and N automatically set to 1). Always disallowed on password-authenticated HSMs. |
|
38 |
Enable small form factor backup/restore | Not available in this release. | |
|
39 |
Enable Secure Trusted Channel | Allow Secure Trusted Channel |
If allowed, this policy enables the use of Secure Trusted Channel for partition-client connections (see Secure Trusted Channel (STC)). If disallowed, all partition-client connections must use NTLS. |
|
40 |
Enable decommission on tamper |
Decommission on tamper |
If allowed, the HSM will be decommissioned if a tamper event occurs. Decommissioning deletes all partitions and their contents, the audit role, and the audit configuration. The HSM policy settings are retained. See Tamper Events for more information. Destructive: ON-to-OFF |
|
42 |
Enable partition re-initialize | Not applicable to SafeNet Network HSMs. This capability and any associated feature and command(s) are applicable only to the Luna IS product that shares some common code. For the SafeNet Network HSM, which has no commands or implementation, no such feature was tested. | |
|
43 |
Enable low level math acceleration | Allow low-level math acceleration |
This is enabled by default, and must be enabled to provide maximum performance. Do not disable unless instructed to do so by Thales Technical Support. |
|
45 |
Enable Fast-Path | Not available in this release. | |
|
46 |
Allow Disabling Decommission |
Disable Decommission |
If enabled, the decommission CAUTION! Changing this policy will destroy partitions on the HSM, and they must be recreated. If HSM policy 40: Decommission on Tamper is enabled, you cannot enable this policy (fails with error: CKR_CONFIG_FAILS_DEPENDENCIES). However, attempting to enable it will still destroy HSM partitions. Destructive: OFF-to-ON, ON-to-OFF |
| 47 | Enable Tunnel Slot | Not available in this release. | |
| 48 | Enable Controlled Tamper Recovery | Do Controlled Tamper Recovery |
If allowed, the HSM SO must explicitly clear the tamper before the HSM can resume normal operations. This is the default behavior. If disallowed, the HSM must be restarted before it can resume normal operations. See Tamper Events for more information. |
| 49 | Enable Partition Utilization Metrics | Allow Partition Utilization Metrics |
|
| 50 | Enable Functionality Modules | Allow Functionality Modules |
If this policy is allowed, Functionality Modules can be loaded to the HSM, permitting custom cryptographic operations. Allows use of the ctfm utility and FM-related commands, and the use of Functionality Modules in general with this HSM. This Capability and Policy (as well as 51, 52, and 53) appears only when HSM firmware is 7.4 or later on an FM-ready HSM, where the FM capability license has been installed (see Preparing the SafeNet Luna Network HSM to Use FMs). Destructive: OFF-to-ON, ON-to-OFF CAUTION! Enabling FMs (HSM policy 50) introduces changes to Luna HSM functionality, some of which are permanent; they cannot be removed by disabling the policy. Refer to FM Deployment Constraints for details before enabling. If you are using Crypto Command Center, ensure that your CCC version supports FM-enabled HSMs before you enable HSM policy 50. Refer to the CCC CRN for details. |
| 51 | Enable SMFS Auto Activation | Allow SMFS Auto Activation |
If this policy is allowed, the Secure Memory File System (SMFS) is automatically activated on startup, providing a secure, tamper-enabled location in the HSM memory where Functionality Modules can load keys and parameters. If the policy is disallowed, the HSM SO must manually activate the SMFS each time the HSM reboots or loses power. Destructive: OFF-to-ON, ON-to-OFF |
| 52 | Allow Restricting FM Privilege Level | Restrict FM Privilege Level |
When this policy is set to 1, FM privilege is restricted. By default (0), FM privilege permits FMs to see the sensitive key attributes (including key values) of cryptographic objects on application partitions. This privilege is necessary for most FMs, so that the Crypto Officer (CO) and Crypto User (CU) roles can use partition objects with the FM. However, some FMs might not require this privilege and it can be restricted to satisfy some certification requirements (such as Common Criteria). Destructive: OFF-to-ON, ON-to-OFF |
| 53 | Allow Encrypting of Keys from FM to HSM | Encrypt Keys Passing from FM to HSM |
When this policy is set to 1, keys created by an FM are encrypted before crossing from the FM to the Functionality Module Crypto Engine interface (FMCE). This internal encryption may be required to satisfy some certification requirements (such as Common Criteria). Destructive: OFF-to-ON, ON-to-OFF |
