hsm showpolicies
Display the current settings for all HSM capabilities and policies, or optionally restrict the listing to only the policies that are configurable. Include the -exporttemplate option to export the current state of all policies to a template file.
User Privileges
Users with the following privileges can perform this command:
- Admin
- Operator
- Monitor
Syntax
hsm showpolicies [-configonly] [-exporttemplate <filename>]
Argument(s) | Shortcut | Description |
---|---|---|
-configonly | -c | Restrict the list to configurable policies only. |
-exporttemplate <filename> | -e | Export the current state of all HSM policies to a template file. This feature requires minimum firmware version 7.1.0 and appliance software 7.1. See Version Dependencies by Feature for more information. |
Example
```
lunash:>hsm showpolicies

HSM Label: myLunaHSM
Serial #: 66331
Firmware: 7.4.0

The following capabilities describe this HSM, and cannot be altered
except via firmware or capability updates.

Description                                  Value
===========                                  =====
Enable PIN-based authentication              Allowed
Enable PED-based authentication              Disallowed
Performance level                            15
Enable domestic mechanisms & key sizes       Allowed
Enable masking                               Disallowed
Enable cloning                               Allowed
Enable full (non-backup) functionality       Allowed
Enable non-FIPS algorithms                   Allowed
Enable SO reset of partition PIN             Allowed
Enable network replication                   Allowed
Enable Korean Algorithms                     Allowed
FIPS evaluated                               Disallowed
Manufacturing Token                          Disallowed
Enable forcing user PIN change               Allowed
Enable portable masking key                  Allowed
Enable partition groups                      Disallowed
Enable remote PED usage                      Disallowed
HSM non-volatile storage space               33554432
Enable unmasking                             Allowed
Maximum number of partitions                 100
Enable Single Domain                         Disallowed
Enable Unified PED Key                       Disallowed
Enable MofN                                  Disallowed
Enable small form factor backup/restore      Disallowed
Enable Secure Trusted Channel                Allowed
Enable decommission on tamper                Allowed
Enable partition re-initialize               Disallowed
Enable low level math acceleration           Allowed
Enable Fast-Path                             Disallowed
Allow Disabling Decommission                 Allowed
Enable Tunnel Slot                           Disallowed
Enable Controlled Tamper Recovery            Allowed
Enable Partition Utilization Metrics         Allowed
Enable Functionality Modules                 Allowed
Enable SMFS Auto Activation                  Allowed
Allow Restricting FM Privilege Level         Allowed
Allow encrypting of keys from FM to HSM      Allowed

The following policies are set due to current configuration of
this HSM and cannot be altered directly by the user.

Description                                  Value
===========                                  =====
PIN-based authentication                     True

The following policies describe the current configuration of
this HSM and may be changed by the HSM Administrator.
Changing policies marked "destructive" will erase all HSM partitions on the HSM.

IMPORTANT NOTE: Changing policy 46 (Disable Decommission) will erase all partitions AND zeroize your HSM.

Description                                  Value  Code  Destructive
===========                                  =====  ====  ===========
Allow cloning                                On     7     Yes
Allow non-FIPS algorithms                    On     12    Yes
SO can reset partition PIN                   Off    15    Yes
Allow network replication                    On     16    No
Force user PIN change after set/reset        On     21    No
Allow offboard storage                       On     22    Yes
Allow unmasking                              On     30    No
Current maximum number of partitions         100    33    No
Allow Secure Trusted Channel                 Off    39    No
Decommission on tamper                       Off    40    Yes
Allow low level math acceleration            On     43    No
Disable Decommission                         Off    46    Yes
Do Controlled Tamper Recovery                On     48    No
Allow Partition Utilization Metrics          Off    49    No
Allow Functionality Modules                  Off    50    Yes
Allow SMFS Auto Activation                   Off    51    Yes
Restrict FM Privilege Level                  Off    52    Yes
Encrypt keys passing from FM to HSM          Off    53    Yes

Command Result : 0 (Success)
```
Example with HSM firmware >= 7.7
```
[sa7pwd78] lunash:>hsm showpolicies

HSM Label: myLunaPWD
Serial #: 66331
Firmware: 7.7.0

The following capabilities describe this HSM, and cannot be altered
except via firmware or capability updates.

Description                                  Value
===========                                  =====
Enable PIN-based authentication              Allowed
Enable PED-based authentication              Disallowed
Performance level                            15
Enable domestic mechanisms & key sizes       Allowed
Enable masking                               Allowed
Enable cloning                               Allowed
Enable full (non-backup) functionality       Allowed
Enable non-FIPS algorithms                   Allowed
Enable SO reset of partition PIN             Allowed
Enable network replication                   Allowed
Enable Korean Algorithms                     Disallowed
FIPS evaluated                               Disallowed
Manufacturing Token                          Disallowed
Enable forcing user PIN change               Allowed
Enable portable masking key                  Allowed
Enable partition groups                      Disallowed
Enable remote PED usage                      Disallowed
HSM non-volatile storage space               58720256
Enable unmasking                             Allowed
Maximum number of partitions                 10
Enable Single Domain                         Disallowed
Enable Unified PED Key                       Disallowed
Enable MofN                                  Disallowed
Enable small form factor backup/restore      Disallowed
Enable decommission on tamper                Allowed
Enable partition re-initialize               Disallowed
Enable low level math acceleration           Allowed
Enable Fast-Path                             Disallowed
Allow Disabling Decommission                 Allowed
Enable Controlled Tamper Recovery            Allowed
Enable Partition Utilization Metrics         Allowed
Enable Functionality Modules                 Allowed
Enable SMFS Auto Activation                  Allowed
Allow Restricting FM Privilege Level         Allowed
Allow encrypting of keys from FM to HSM      Allowed

The following policies are set due to current configuration of
this HSM and cannot be altered directly by the user.

Description                                  Value
===========                                  =====
PIN-based authentication                     True

The following policies describe the current configuration of
this HSM and may be changed by the HSM Administrator.
Changing policies marked "destructive" will erase all HSM partitions on the HSM.

IMPORTANT NOTE: Changing policy 46 (Disable Decommission) will erase all partitions AND zeroize your HSM.

Description                                  Value  Code  Destructive
===========                                  =====  ====  ===========
Allow masking                                On     6     Yes
Allow cloning                                On     7     Yes
Allow non-FIPS algorithms                    On     12    Yes
SO can reset partition PIN                   Off    15    Yes
Allow network replication                    On     16    No
Force user PIN change after set/reset        On     21    No
Allow offboard storage                       On     22    Yes
Allow unmasking                              On     30    No
Current maximum number of partitions         10     33    No
Decommission on tamper                       Off    40    Yes
Allow low level math acceleration            On     43    No
Disable Decommission                         Off    46    Yes
Do Controlled Tamper Recovery                On     48    No
Allow Partition Utilization Metrics          Off    49    No
Allow Functionality Module                   Off    50    Yes
Allow SMFS Auto Activation                   Off    51    Yes
Restrict FM Privilege Level                  Off    52    Yes
Encrypt keys passing from FM to HSM          Off    53    Yes

Command Result : 0 (Success)
```
NOTE: Observe that the Secure Trusted Channel capability is no longer listed.
STC is enabled by default for any HSM at firmware version 7.7 or newer.
At the partition level, STC is now optional unless partition policy 37 is set to make it mandatory.
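As an added example (not part of the Thales documentation), the following Python audit parses the configurable-policy table that `hsm showpolicies` prints in the examples above and, before anyone runs a policy change, reports each deviation from a baseline together with whether correcting it would erase partitions or zeroize the HSM. The sample output is abridged from the firmware 7.4.0 example and the hardening baseline is constructed for illustration, not a vendor recommendation.

```python
import re
from typing import NamedTuple

# Constructed sample: the configurable-policy table as `hsm showpolicies` prints it (abridged).
SAMPLE_OUTPUT = """\
Description                              Value  Code  Destructive
===========                              =====  ====  ===========
Allow cloning                            On     7     Yes
Allow non-FIPS algorithms                On     12    Yes
Current maximum number of partitions     100    33    No
Allow Secure Trusted Channel             Off    39    No
Decommission on tamper                   Off    40    Yes
Disable Decommission                     Off    46    Yes
Command Result : 0 (Success)
"""

class Policy(NamedTuple):
    description: str
    value: str          # "On", "Off" or a number such as the partition limit
    destructive: bool   # changing it erases all HSM partitions

# One policy row: description, On/Off or a number, numeric policy code, Yes/No.
ROW = re.compile(r"^(?P<desc>\S.*?)\s{2,}(?P<value>On|Off|\d+)\s+(?P<code>\d+)\s+(?P<destr>Yes|No)\s*$")

def parse_policies(text: str) -> dict[int, Policy]:
    """Return the policy table keyed by policy code; headers and capability rows do not match."""
    policies = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            policies[int(m["code"])] = Policy(m["desc"], m["value"], m["destr"] == "Yes")
    return policies

def change_impact(policies: dict[int, Policy], code: int) -> str:
    """Data-loss consequence of changing a policy, per the notes in the command output."""
    if code == 46:  # Disable Decommission: erases all partitions AND zeroizes the HSM
        return "erases all partitions and zeroizes the HSM"
    return "erases all partitions" if policies[code].destructive else "no data loss"

# Hypothetical hardening baseline (constructed): policy code -> wanted value.
BASELINE = {6: "Off", 12: "Off", 39: "On", 40: "On"}

def audit(policies: dict[int, Policy], baseline: dict[int, str]) -> list[str]:
    """List baseline deviations, each tagged with what correcting it would cost."""
    findings = []
    for code, wanted in sorted(baseline.items()):
        p = policies.get(code)
        if p is None:  # e.g. policy 6 (Allow masking) is only listed on some firmware versions
            findings.append(f"policy {code}: not present in this firmware's policy table")
        elif p.value != wanted:
            findings.append(f"policy {code} ({p.description}): {p.value}, baseline {wanted}; fixing it {change_impact(policies, code)}")
    return findings
```

Run the audit on the saved output of `hsm showpolicies` and treat any finding tagged as destructive as a change that needs a backup and a maintenance window first.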