If enabled, the partition is capable of cloning private keys to another partition. This policy must be enabled to backup partitions or create HA groups. Public keys/objects can always be cloned.

Partition policies 0 and 1 may not be set to 1 (ON) at the same time.

Default: ON

Destructive: OFF-to-ON

If enabled, private keys may be wrapped and saved to an encrypted file off the partition. Public keys/objects can always be wrapped and exported.

Partition policies 0 and 1 may not be set to 1 (ON) at the same time.

Default: OFF

Destructive: OFF-to-ON

If enabled, private keys may be unwrapped onto the partition. The Partition SO can turn this feature on or off.

If disabled, private key unwrapping is not available, and the Partition SO cannot change this.

Default: ON

Always disabled. SIM has been deprecated on all current SafeNet Luna Network HSMs. The Partition SO cannot change this policy.

Default: always OFF

If enabled, secret keys on the partition can be backed up. The Partition SO can turn this feature on or off.

If disabled, secret keys cannot be backed up, and the Partition SO cannot change this. Partition backup or partition network replication is allowed for the SafeNet high availability feature.

Default: ON

Destructive: OFF-to-ON

If enabled, secret keys can be wrapped off the partition. The Partition SO can turn this feature on or off. The Partition SO can turn this policy off to disallow secret key wrapping

If disabled, the partition does not support secret key wrapping, and the Partition SO cannot change this.

Default: ON

Destructive: OFF-to-ON

If enabled, secret keys can be unwrapped onto the partition. The Partition SO can turn this feature on or off.

If disabled, the partition does not support secret key unwrapping, and the Partition SO cannot change this.

Default: ON

Always disabled. SIM has been deprecated on all current SafeNet Luna Network HSMs. The Partition SO cannot change this policy.

Default: always OFF

If enabled, keys that are created or unwrapped on the partition may have more than one of the following attributes set to 1, and therefore can be used for multiple operations:

>Encrypt/Decrypt

>Sign/Verify

>Wrap/Unwrap

>Derive

If disabled, keys on the partition may have only one of these attributes set to 1. Thales recommends that you create keys with only the attributes required for their intended purpose. Disabling this policy enforces this rule on the partition. This policy does not affect Diffie-Hellman keys, which are always created with only Derive set to 1.

Default: ON

Destructive: OFF-to-ON

If enabled, non-sensitive attributes of the keys on the partition are modifiable (the user can change the functions that the key can use).

If disabled, keys created on the partition cannot be modified.

This policy affects the following "key function attributes":

CKA_ENCRYPT
CKA_DECRYPT
CKA_WRAP
CKA_UNWRAP
CKA_SIGN
CKA_SIGN_RECOVER
CKA_VERIFY
CKA_VERIFY_RECOVER
CKA_DERIVE
CKA_EXTRACTABLE

Default: ON

Destructive: OFF-to-ON

This policy applies to PED-authenticated SafeNet Luna HSMs only. The Partition SO can turn the feature on or off.

If enabled, failed challenge secret login attempts on an activated partition are not counted towards a partition lockout. Only failed PED key authentication attempts will increment the counter.

If disabled, failed login attempts using either a PED key or a challenge secret will count towards a partition lockout.

See Activation and Auto-activation on PED-Authenticated Partitions and Logging In to the Application Partition for more information.

Default: ON

Destructive: OFF-to-ON

If enabled, the partition may run in a mode that does not use RSA blinding (a technique that introduces random elements into the signature process to prevent timing attacks on the RSA private key. Use of this technique may be required by certain security policies, but it does reduce performance). The Partition SO can turn this feature on or off.

If disabled, the partition will always run in RSA blinding mode; performance will be affected.

If the policy is set to 1 (ON), RSA blinding is not used.

Default: ON

Destructive: OFF-to-ON

If a key was generated on an HSM, CKA_LOCAL is set to 1. With this policy turned off, only keys with CKA_LOCAL=1 can be used to sign data on the HSM.

Keys that are imported (unwrapped) to the HSM have CKA_LOCAL explicitly set to 0, so they may not be used for signing. Cloning and SIM maintain the value of CKA_LOCAL.

With this policy turned on, keys that did not originate on the HSM (CKA_LOCAL=0) may be used for signing, and their trust history is not assured.

Default: ON

If enabled, the partition may allow raw RSA operations (mechanism CKM_RSA_X_509). This allows weak signatures and weak encryption. The Partition SO can turn this feature on or off.

If disabled, the partition will not support raw RSA operations.

Default: ON

Destructive: OFF-to-ON

Displays the maximum number of failed partition login attempts before the partition is locked out (see Logging In to the Application Partition).

The Partition SO can change the number of failed logins to a value lower than the maximum if desired.

Default: 10

If enabled, partitions in the same HA group may be used to restore the login state of this partition after power outage or other deactivation. RecoveryLogin must be configured in advance (see role recoveryinit and role recoverylogin in the LunaCM Command Reference Guide for details. The Partition SO can turn this feature on or off.

Default: ON

Applies only to PED-authenticated HSMs.

If enabled, the black and/or gray PED key secrets may be cached, so that the CO or CU only needs the challenge secret to login. The Partition SO can turn this feature on or off.

If disabled (or the policy is turned off), PED keys must be presented at each login, whether the call is local or from a client application.

This policy setting is overridden and activation is disabled if a tamper event occurs, or if an uncleared tamper event is detected on reboot. See Tamper Events, and Activation and Auto-activation on PED-Authenticated Partitions for more information.

Default: OFF

See Capability 22 above for a description of activation.

If enabled, the black or gray PED key secrets may be encrypted and semi-permanently cached to hard disk, so that the partition's activation status can be maintained after a power loss of up to two hours. The Partition SO can turn this feature on or off.

If disabled, this partition does not support auto-activation.

This policy setting is overidden and auto-activation is disabled if a tamper event occurs, or if an uncleared tamper event is detected on reboot. See Tamper Events, and Activation and Auto-activation on PED-Authenticated Partitions for more information.

Default: OFF

The absolute minimum length for a partition login PIN is 7 characters. This is displayed as a value subtracted from 255. The policy value is determined as follows:

Subtract the desired minimum PIN length from 255 (the absolute maximum length), and set policy 25 to that value.

255 - (min PIN) = (policy value)

For example, to set the minimum PIN length to 10 characters, the Partition SO should set the value of this policy to 246:

255 - 10 = 245

The reason for this inversion is that a policy can only be set to a value equal to or lower than the value set by its capability. If the absolute minimum PIN length was set to 7, the Partition SO would be able to set the preferred minimum to 2, a less-secure policy. The Partition SO may only change the minimum PIN length to increase security by forcing stronger passwords.

Default: 248

The absolute maximum length for a partition login PIN is 255 characters. The effective maximum may be changed by the Partition SO, and must always be greater than the value of the minimum PIN length, determined by the formula in the description of policy 25 (above).

Default: 255

The Partition SO can disable access to any key management functions by the user - all users become Crypto Users (the restricted-capability user) even if logged in as Crypto Officer.

Default: ON

Destructive: OFF-to-ON

The HSM can perform an internal verification (confirmation) of a signing operation to validate the signature. This confirmation is disabled by default because it has a performance impact on signature operations.

Default: ON

Destructive: OFF-to-ON

Remove encryption with AES 256-bit key from private key

Default: ON

Remove encryption with AES 256-bit key from secret key

Default: ON

Default: ON

Destructive: OFF-to-ON

Default: ON

Destructive: OFF-to-ON

If enabled, the Partition SO can turn this policy on to require Secure Trusted Channel (STC) for partition access.

If disabled, the Client will use NTLS to access the partition.

NOTE: It is not possible for a single Client to access some partitions on an appliance using STC and others on the same appliance using NTLS. All connections between a single client and a single SafeNet Luna Network HSM must be either STC or NTLS. See Secure Trusted Channel (STC) in the Administration Guide for more information.

Default: OFF

Destructive: ON-to-OFF