Backup HSM Secure Transport and Tamper Recovery

The SafeNet Luna Backup HSM recognizes a similar list of tamper conditions to the SafeNet Luna PCIe HSM (see Tamper Events). When a tamper event occurs, a tamper state is reported in the HSM Status field in LunaCM's list of slots.

By default, tamper events are cleared automatically when you reboot the Backup HSM and log in as HSM SO. However, you can choose to prevent any further operations on the Backup HSM. The following procedures will allow you to create a purple Secure Recovery Key (SRK) that the Backup HSM SO must present to unlock the HSM after a tamper event. This key contains part of the Master Tamper Key (MTK), which encrypts all sensitive data stored on the Backup HSM. By splitting the MTK and storing part of it on an SRK (purple PED key), you ensure that none of the stored material can be accessible until the SRK is presented.

You can create the purple SRK even for a Backup HSM that is initialized for password authentication. There is no password-based SRK equivalent; you must have a SafeNet Luna PED and a purple PED key to use Secure Tamper Recovery and Secure Transport Mode.

Initializing the SRK also allows you to place the Backup HSM in Secure Transport Mode (STM). STM on the Backup HSM functions differently from STM on the SafeNet Luna PCIe HSM (see Secure Transport Mode for comparison). When the SRK is initialized and secure recovery enabled, STM on the Backup HSM is effectively a voluntary tamper state, where no operations are possible until you present the purple PED key.

CAUTION!   Always keep a securely-stored backup copy of the purple PED key. If you lose this key, the Backup HSM is permanently locked and you will have to obtain an RMA for the Backup HSM.

This section provides directions for the following procedures:

>Creating a Secure Recovery Key

>Setting Secure Transport Mode

>Recovering From a Tamper Event or Secure Transport Mode

>Disabling Secure Recovery

Creating a Secure Recovery Key

To enable secure recovery, you must create the Secure Recovery Key (purple PED key). This procedure will zeroize the SRK split on the Backup HSM, so that you must present the purple PED key to recover from a tamper event or Secure Transport Mode.

Prerequisites

>Install the Backup HSM at the host and connect it to power (see Installing the Backup HSM).

>You require the Backup HSM SO credential (blue PED key).

>Ensure that the Backup HSM can access PED service (Local or Remote PED), and that you have enough blank or rewritable purple PED keys available for your desired authentication scheme (see Creating PED Keys).

[Local PED] Connect the PED using a 9-pin Micro-D to Micro-D cable. Set the PED to Local PED-SCP mode (see Modes of Operation).

[Remote PED] Set up a Remote PED server to authenticate the Backup HSM (see Remote PED Setup).

[Remote PED] Initialize the Backup HSM RPV (see Initializing the Backup HSM Remote PED Vector). You require the orange PED key.

To create a Secure Recovery Key

1.Launch LunaCM on the host workstation.

2.Set the active slot to the SafeNet Luna Backup HSM.

lunacm:> slot set -slot <slotnum>

3.[Remote PED] Connect the Backup HSM to the Remote PED server.

lunacm:> ped connect -ip <PEDserver_IP> -port <portnum>

4.Create a new split of the MTK on the Backup HSM.

lunacm:> srk generate

5.Log in as Backup HSM SO.

lunacm:> role login -name so

6.Enable secure recovery.

lunacm:> srk enable

Attend to the Luna PED prompts to create the purple PED key. Secure Recovery is now enabled on the Backup HSM.

Setting Secure Transport Mode

The following procedure will allow you to set Secure Transport Mode on the Backup HSM.

Prerequisites

>Ensure the Backup HSM can access PED services.

>Secure Recovery must be enabled on the Backup HSM (see Creating a Secure Recovery Key). You require the Secure Recovery Key (purple PED key) for the Backup HSM.

To set Secure Transport Mode on the Backup HSM

1.Launch LunaCM on the host workstation.

2.Set the active slot to the SafeNet Luna Backup HSM.

lunacm:> slot set -slot <slotnum>

3.[Remote PED] Connect the Backup HSM to the Remote PED server.

lunacm:> ped connect -ip <PEDserver_IP> -port <portnum>

4.Set Secure Transport Mode.

lunacm:> srk transport

a.You are prompted for the SRK (purple PED key). This is to ensure that you have the key that matches the SRK split on the HSM.

b.The Luna PED displays a 16-digit verification code. Write this code down as an additional optional check.

The SRK is zeroized on the Backup HSM and STM is now active.

Recovering From a Tamper Event or Secure Transport Mode

With Secure Recovery Mode enabled, the procedure to recover from a tamper event or to exit STM is the same.

Prerequisites

>Ensure the Backup HSM can access PED services.

>You require the Secure Recovery Key (purple PED key) for the Backup HSM.

>If you are recovering from a tamper event, reboot the Backup HSM and LunaCM before recovering.

lunacm:> hsm restart

lunacm:> clientconfig restart

To recover from a tamper event or exit STM

1.Launch LunaCM on the host workstation.

2.Set the active slot to the SafeNet Luna Backup HSM.

lunacm:> slot set -slot <slotnum>

3.[Remote PED] Connect the Backup HSM to the Remote PED server.

lunacm:> ped connect -ip <PEDserver_IP> -port <portnum>

4.Recover the Backup HSM from the tamper event or STM.

lunacm:> srk recover

Attend to the Luna PED prompts:

a.You are prompted for the SRK (purple PED key).

b.[STM] The Luna PED displays a 16-digit verification code. If this code matches the one that was presented when you set STM, you can be assured that the Backup HSM has remained in STM since then.

The Backup HSM is recovered from the tamper/STM state and you can resume backup/restore operations.

Disabling Secure Recovery

To disable secure recovery, you must present the Secure Recovery Key (purple PED key) so that it can be stored on the Backup HSM. You will no longer need to present the purple key to recover from a tamper event.

Prerequisites

>Ensure the Backup HSM can access PED services.

>You require the Secure Recovery Key (purple PED key) for the Backup HSM.

To disable secure recovery

1.Launch LunaCM on the host workstation.

2.Set the active slot to the SafeNet Luna Backup HSM.

lunacm:> slot set -slot <slotnum>

3.[Remote PED] Connect the Backup HSM to the Remote PED server.

lunacm:> ped connect -ip <PEDserver_IP> -port <portnum>

4.Log in as Backup HSM SO.

lunacm:> role login -name so

5.Disable secure recovery.

lunacm:> srk disable

You are prompted for the SRK (purple PED key).