Capabilities and Policies

The SafeNet Luna PCIe HSM's configuration is based on HSM capabilities, displayed by issuing the command hsm showpolicies on the Admin partition. They are set at manufacture according to the model you selected at time of purchase. Capabilities can only be modified by purchase and application of capability updates.

A subset of HSM capabilities have corresponding HSM policies that allow you to customize the HSM configuration. Policies can be modified based on your specific needs. For example, you can restrict the HSM to use only FIPS-approved algorithms (FIPS mode) by setting HSM policy 12 to 1 (on).

Partitions inherit the capabilities and policy settings of the HSM. Partitions also have policies that can be set to customize the partition functions. Partition policies can never be modified to be less secure than the corresponding HSM capability/policy. For example, if HSM policy 7 is set to disallow cloning, partition policies 0 and 4, which allow cloning of private or secret keys, cannot be set to 1 (on).

The following sections describe individual HSM/partition capabilities and policies:

>HSM Capabilities and Policies

>Partition Capabilities and Policies

The HSM or Partition SO can create and apply Policy Templates to initialize multiple HSMs/partitions with the same preferred policy settings. See the following section for instructions on using Policy Templates:

>Policy Templates


Customer Support Portal

SafeNet Luna PCIe HSM 7.4 Product Documentation  13 December 2019  Copyright 2001-2019 Thales. All rights reserved.