Partition Capabilities and Policies
Partitions inherit the capabilities and policy settings of the HSM. Partitions also have policies that can be set to customize the partition functions. Partition policies can never be modified to be less secure than the corresponding HSM capability/policy. For example, if the HSM's cloning policy is disallowed (see HSM policy 7), partition policies 0 and 4, which allow cloning of private or secret keys, cannot be set.
NOTE If you are running more than one LunaCM session against the same partition, and change a partition policy in one LunaCM session, the policy change will be reflected in that session only. You must exit and restart the other LunaCM sessions to display the changed policy settings.
To view the partition capabilities and policy settings, use the LunaCM command partition showpolicies. Only policies that the Partition SO can change (the corresponding capability is not set to 0) are included in the output. Include the -exporttemplate option to create a template based on the current partition policy settings. See Policy Templates.
To modify partition policies, log in as Partition SO and use the LunaCM command partition changepolicy -policy <policy#> -value <0/1/value>. See partition changepolicy in the LunaCM Command Reference Guide for command syntax.
Destructiveness
In some cases, changing a partition policy forces deletion of all cryptographic objects on the partition as a security measure. These policies are listed as destructive in the table below. Destructive policies are typically those that change the security level of the objects stored in the partition.
Use the LunaCM command partition showpolicies -verbose to check whether the policy you want to enable/disable is destructive.
Partition Capabilities and Policies List
The table below summarizes the relationships and provides a brief description of the purpose and operation of each capability and policy.
| # | Partition Capability | Partition Policy | Description |
|---|---|---|---|
| 0 | Enable private key cloning | Allow private key cloning | If enabled, the partition is capable of cloning private keys to another partition. This policy must be enabled to back up partitions or create HA groups. Public keys/objects can always be cloned. Partition policies 0 and 1 may not be set to 1 (ON) at the same time. Default: ON. Destructive: OFF-to-ON. |
| 1 | Enable private key wrapping | Allow private key wrapping | If enabled, private keys may be wrapped and saved to an encrypted file off the partition. Public keys/objects can always be wrapped and exported. Partition policies 0 and 1 may not be set to 1 (ON) at the same time. Default: OFF. Destructive: OFF-to-ON. |
| 2 | Enable private key unwrapping | Allow private key unwrapping | If enabled, private keys may be unwrapped onto the partition. The Partition SO can turn this feature on or off. If disabled, private key unwrapping is not available, and the Partition SO cannot change this. Default: ON. |
| 3 | Enable private key masking | Allow private key masking | Always disabled. SIM has been deprecated on all current SafeNet Luna PCIe HSMs. The Partition SO cannot change this policy. Default: always OFF. |
| 4 | Enable secret key cloning | Allow secret key cloning | If enabled, secret keys on the partition can be backed up. The Partition SO can turn this feature on or off. If disabled, secret keys cannot be backed up, and the Partition SO cannot change this. When enabled, partition backup and partition network replication (used by the SafeNet high availability feature) are allowed. Default: ON. Destructive: OFF-to-ON. |
| 5 | Enable secret key wrapping | Allow secret key wrapping | If enabled, secret keys can be wrapped off the partition. The Partition SO can turn this feature on or off; turning the policy off disallows secret key wrapping. If disabled, the partition does not support secret key wrapping, and the Partition SO cannot change this. Default: ON. Destructive: OFF-to-ON. |
| 6 | Enable secret key unwrapping | Allow secret key unwrapping | If enabled, secret keys can be unwrapped onto the partition. The Partition SO can turn this feature on or off. If disabled, the partition does not support secret key unwrapping, and the Partition SO cannot change this. Default: ON. |
| 7 | Enable secret key masking | Allow secret key masking | Always disabled. SIM has been deprecated on all current SafeNet Luna PCIe HSMs. The Partition SO cannot change this policy. Default: always OFF. |
| 10 | Enable multipurpose keys | Allow multipurpose keys | If enabled, keys that are created or unwrapped on the partition may have more than one of the following attributes set to 1, and therefore can be used for multiple operations: Encrypt/Decrypt, Sign/Verify, Wrap/Unwrap, Derive. If disabled, keys on the partition may have only one of these attributes set to 1. Thales recommends that you create keys with only the attributes required for their intended purpose; disabling this policy enforces this rule on the partition. This policy does not affect Diffie-Hellman keys, which are always created with only Derive set to 1. Default: ON. Destructive: OFF-to-ON. |
| 11 | Enable changing key attributes | Allow changing key attributes | If enabled, non-sensitive attributes of the keys on the partition are modifiable (the user can change the functions for which the key can be used). If disabled, keys created on the partition cannot be modified. This policy affects the following "key function attributes": CKA_ENCRYPT Default: ON. Destructive: OFF-to-ON. |
| 15 | Allow failed challenge responses | Ignore failed challenge responses | This policy applies to PED-authenticated SafeNet Luna HSMs only. The Partition SO can turn the feature on or off. If enabled, failed challenge secret login attempts on an activated partition are not counted towards a partition lockout; only failed PED key authentication attempts increment the counter. If disabled, failed login attempts using either a PED key or a challenge secret count towards a partition lockout. See Activation and Auto-activation on PED-Authenticated Partitions and Logging In to the Application Partition for more information. Default: ON. Destructive: OFF-to-ON. |
| 16 | Enable operation without RSA blinding | Operate without RSA blinding | If enabled, the partition may run in a mode that does not use RSA blinding. (RSA blinding introduces random elements into the signature process to prevent timing attacks on the RSA private key; certain security policies may require it, but it reduces performance.) The Partition SO can turn this feature on or off. If disabled, the partition always runs in RSA blinding mode, with the corresponding performance cost. If the policy is set to 1 (ON), RSA blinding is not used. Default: ON. Destructive: OFF-to-ON. |
| 17 | Enable signing with non-local keys | Allow signing with non-local keys | If a key was generated on an HSM, CKA_LOCAL is set to 1. With this policy turned off, only keys with CKA_LOCAL=1 can be used to sign data on the HSM. Keys that are imported (unwrapped) to the HSM have CKA_LOCAL explicitly set to 0, so they may not be used for signing. Cloning and SIM maintain the value of CKA_LOCAL. With this policy turned on, keys that did not originate on the HSM (CKA_LOCAL=0) may be used for signing, and their trust history is not assured. Default: ON. |
| 18 | Enable raw RSA operations | Allow raw RSA operations | If enabled, the partition may allow raw RSA operations (mechanism CKM_RSA_X_509). This allows weak signatures and weak encryption. The Partition SO can turn this feature on or off. If disabled, the partition does not support raw RSA operations. Default: ON. Destructive: OFF-to-ON. |
| 20 | Max failed user logins allowed | Max failed user logins allowed | Displays the maximum number of failed partition login attempts before the partition is locked out (see Logging In to the Application Partition). The Partition SO can change the number of failed logins to a value lower than the maximum if desired. Default: 10. |
| 21 | Enable high availability recovery | Allow high availability recovery | If enabled, partitions in the same HA group may be used to restore the login state of this partition after a power outage or other deactivation. RecoveryLogin must be configured in advance (see role recoveryinit and role recoverylogin in the LunaCM Command Reference Guide for details). The Partition SO can turn this feature on or off. Default: ON. |
| 22 | Enable activation | Allow activation | Applies only to PED-authenticated HSMs. If enabled, the black and/or gray PED key secrets may be cached, so that the CO or CU only needs the challenge secret to log in. The Partition SO can turn this feature on or off. If disabled (or the policy is turned off), PED keys must be presented at each login, whether the call is local or from a client application. This policy setting is overridden and activation is disabled if a tamper event occurs, or if an uncleared tamper event is detected on reboot. See Tamper Events, and Activation and Auto-activation on PED-Authenticated Partitions for more information. Default: OFF. |
| 23 | Enable auto-activation | Allow auto-activation | See Capability 22 above for a description of activation. If enabled, the black or gray PED key secrets may be encrypted and semi-permanently cached to hard disk, so that the partition's activation status can be maintained after a power loss of up to two hours. The Partition SO can turn this feature on or off. If disabled, this partition does not support auto-activation. This policy setting is overridden and auto-activation is disabled if a tamper event occurs, or if an uncleared tamper event is detected on reboot. See Tamper Events, and Activation and Auto-activation on PED-Authenticated Partitions for more information. Default: OFF. |
| 25 | Minimum PIN length (inverted: 255 - min) | Minimum PIN length (inverted: 255 - min) | The absolute minimum length for a partition login PIN is 7 characters. This is displayed as a value subtracted from 255. The policy value is determined as follows: subtract the desired minimum PIN length from 255 (the absolute maximum length), and set policy 25 to that value: 255 - (min PIN) = (policy value). For example, to set the minimum PIN length to 10 characters, the Partition SO should set the value of this policy to 245: 255 - 10 = 245. The reason for this inversion is that a policy can only be set to a value equal to or lower than the value set by its capability. If the capability stored the absolute minimum PIN length of 7 directly, the Partition SO would be able to set the preferred minimum to 2, a less-secure policy. With the inverted value, the Partition SO may only change the minimum PIN length to increase security by forcing stronger passwords. Default: 248. |
| 26 | Maximum PIN length | Maximum PIN length | The absolute maximum length for a partition login PIN is 255 characters. The effective maximum may be changed by the Partition SO, and must always be greater than the effective minimum PIN length, determined by the formula in the description of policy 25 (above). Default: 255. |
| 28 | Enable Key Management Functions | Allow Key Management Functions | The Partition SO can disable access to all key management functions by the user: all users then become Crypto Users (the restricted-capability user role), even if logged in as Crypto Officer. Default: ON. Destructive: OFF-to-ON. |
| 29 | Enable RSA signing without confirmation | Perform RSA signing without confirmation | The HSM can perform an internal verification (confirmation) of a signing operation to validate the signature. This confirmation is disabled by default because it has a performance impact on signature operations. Default: ON. Destructive: OFF-to-ON. |
| 31 | Enable private key unmasking | Allow private key unmasking | Removes the AES 256-bit key encryption from a private key. Default: ON. |
| 32 | Enable secret key unmasking | Allow secret key unmasking | Removes the AES 256-bit key encryption from a secret key. Default: ON. |
| 33 | Enable RSA PKCS mechanism | Allow RSA PKCS mechanism | Default: ON. Destructive: OFF-to-ON. |
| 34 | Enable CBC-PAD (un)wrap keys of any size | Allow CBC-PAD (un)wrap keys of any size | Default: ON. Destructive: OFF-to-ON. |
| 37 | Enable Secure Trusted Channel | Force Secure Trusted Channel | Secure Trusted Channel is a Network HSM feature, and has no function on SafeNet Luna PCIe HSM. Thales does not recommend turning this policy on at any time. Default: OFF. Destructive: ON-to-OFF. |
| 39 | Enable Start/End Date Attributes | Allow Start/End Date Attributes | If enabled, the Partition SO can turn this policy on to enforce CKA_START_DATE/CKA_END_DATE attributes for the partition. With the policy turned off, these attributes can be set, but their values are ignored. Default: OFF. Destructive: ON-to-OFF. |
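The rules in the table (a policy can never exceed its capability, policies 0 and 1 are mutually exclusive, policy 25 is stored as 255 minus the minimum PIN length, policy 26 must exceed that minimum, and some transitions are destructive) can be checked before a change is made. The following pre-check is an added example, not Thales code or LunaCM output; the capability and policy dictionaries it takes are constructed sample data keyed by the policy numbers above.

```python
# Added example (not Thales code): pre-check a proposed Luna partition policy
# change against the rules stated in the capabilities/policies table.
# Policy numbers and destructive directions come from the table; the
# capability/policy dictionaries passed in are constructed sample data.

# Direction in which a change deletes all partition objects, per the table.
DESTRUCTIVE = {
    0: "OFF-to-ON", 1: "OFF-to-ON", 4: "OFF-to-ON", 5: "OFF-to-ON",
    10: "OFF-to-ON", 11: "OFF-to-ON", 15: "OFF-to-ON", 16: "OFF-to-ON",
    18: "OFF-to-ON", 28: "OFF-to-ON", 29: "OFF-to-ON", 33: "OFF-to-ON",
    34: "OFF-to-ON", 37: "ON-to-OFF", 39: "ON-to-OFF",
}
MIN_PIN_POLICY, MAX_PIN_POLICY = 25, 26
ABSOLUTE_MIN_PIN = 7  # capability 25 therefore reads 255 - 7 = 248


def pin_policy_value(min_pin_length):
    """Policy 25 is stored inverted: 255 minus the desired minimum length."""
    if not ABSOLUTE_MIN_PIN <= min_pin_length <= 255:
        raise ValueError("minimum PIN length must be between 7 and 255")
    return 255 - min_pin_length


def check_change(capabilities, policies, policy, new_value):
    """Return the problems with setting `policy` to `new_value` (empty = OK).

    `capabilities` is the ceiling the HSM allows per policy number,
    `policies` the partition's current values. A 'destructive' entry is a
    warning that the change wipes every object on the partition.
    """
    problems = []
    old = policies[policy]
    # A partition policy can never be less secure than its capability.
    if new_value > capabilities[policy]:
        problems.append(f"policy {policy}={new_value} exceeds capability "
                        f"{capabilities[policy]}")
    # Private key cloning (0) and wrapping (1) may not both be ON.
    if policy in (0, 1) and new_value == 1 and policies[1 - policy] == 1:
        problems.append("policies 0 and 1 may not both be ON")
    # Effective maximum PIN length must exceed the effective minimum.
    if policy in (MIN_PIN_POLICY, MAX_PIN_POLICY):
        inv = new_value if policy == MIN_PIN_POLICY else policies[MIN_PIN_POLICY]
        max_len = new_value if policy == MAX_PIN_POLICY else policies[MAX_PIN_POLICY]
        if max_len <= 255 - inv:
            problems.append(f"max PIN length {max_len} must exceed min {255 - inv}")
    # Flag the transitions the table marks as destructive.
    direction = f"{'ON' if old else 'OFF'}-to-{'ON' if new_value else 'OFF'}"
    if DESTRUCTIVE.get(policy) == direction:
        problems.append(f"destructive: {direction} on policy {policy} "
                        "deletes all objects on the partition")
    return problems
```

Run it against the output of partition showpolicies -verbose before issuing partition changepolicy; an empty list means the change is permissible and non-destructive.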