Changing a PED Key Secret

It may be necessary to change the PED secret associated with a role. Reasons for changing credentials include:

>Regular credential rotation as part of your organization's security policy

>Compromise of a role due to loss or theft of a PED key

>Personnel changes in your organization or changes to individual security clearances

>Changes to your security scheme (implementing/revoking M of N, PED PINs, or shared secrets)

The procedure for changing a PED key credential depends on the type of key. Procedures for each type are provided below.

CAUTION!   If you are changing a PED credential that is shared among multiple HSMs/partitions/roles, always keep at least one copy of the old keyset until the affected HSMs/partitions/roles are all changed to the new credential. When changing PED credentials, you must always present the old keyset first; do not overwrite your old PED keys until you have no further need for them.
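The caution above is easy to violate when one keyset is shared by several HSMs or partitions. The following is an added illustration, not code from the Luna documentation or from LunaCM: it models a shared PED keyset during rotation and refuses to let an old physical key be re-imprinted while any HSM/partition/role still needs it for the "present the old key first" step of `role changepw`. All HSM and partition names and the key label are constructed sample data.

```python
"""Rotation planner for a PED keyset shared across several HSMs/partitions.

Added example: the rule it enforces is the CAUTION above, that at least one
copy of the OLD keyset must survive until every target that used it has been
changed, because `role changepw` asks for the old key before creating the new one.
"""
from dataclasses import dataclass, field


@dataclass
class SharedKeyset:
    label: str          # your own label; the PED only sees "black", see NOTE on stickers
    role: str           # LunaCM role name used with `role changepw -name <role>`
    users: set = field(default_factory=set)     # targets still on the OLD secret
    migrated: set = field(default_factory=set)  # targets already on the NEW secret
    old_copies: int = 1                         # intact physical copies of the old keyset

    def changepw_command(self) -> str:
        """The LunaCM command that starts the change for this keyset's role."""
        return f"role changepw -name {self.role}"

    def rotate(self, target: str) -> None:
        """Record that `role changepw` completed on `target` (old key presented first)."""
        if target not in self.users:
            raise ValueError(f"{target} does not use keyset {self.label}")
        if self.old_copies < 1:
            raise RuntimeError("no old copy left to present; rotation is impossible")
        self.users.remove(target)
        self.migrated.add(target)

    def can_overwrite_old_copy(self) -> bool:
        """An old physical key may be re-imprinted only once nothing still needs it."""
        return not self.users

    def overwrite_old_copy(self) -> None:
        if not self.can_overwrite_old_copy():
            raise RuntimeError(f"old keyset still needed by: {sorted(self.users)}")
        self.old_copies -= 1


def demo():
    # Constructed sample: one black CO keyset (2 copies) shared by three partitions.
    ks = SharedKeyset("black-CO-prod", "co",
                      users={"hsm1/part1", "hsm2/part1", "hsm3/part1"}, old_copies=2)
    ks.rotate("hsm1/part1")
    blocked = not ks.can_overwrite_old_copy()   # hsm2 and hsm3 still need the old key
    ks.rotate("hsm2/part1")
    ks.rotate("hsm3/part1")
    ks.overwrite_old_copy()                     # safe now: every target migrated
    return blocked, ks.old_copies, sorted(ks.migrated), ks.changepw_command()
```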

>Blue HSM SO Key

>Red HSM Domain Key

>Orange Remote PED Key

>Blue Partition SO Key

>Red Partition Domain Key

>Black Crypto Officer Key

>Gray Crypto User Key

>White Audit User Key

Blue HSM SO Key

The HSM SO can use this procedure to change the HSM SO credential.

To change the blue HSM SO PED key credential

1. In LunaCM, set the active slot to the Admin partition and log in as HSM SO.

lunacm:> role login -name so

2. Initiate the PED key change.

lunacm:> role changepw -name so

3. You are prompted to present the original blue key(s) and then to create a new HSM SO keyset. See Creating PED Keys.

Red HSM Domain Key

It is not possible to change an HSM's cloning domain without factory-resetting the HSM and setting the new cloning domain as part of the standard initialization procedure.

CAUTION!   If you set a different cloning domain for the HSM, you cannot restore the HSM Admin partition from backup.

Orange Remote PED Key

The HSM SO can use this procedure to change the Remote PED Vector (RPV) for the HSM.

To change the RPV/orange key credential

1. In LunaCM, set the active slot to the Admin partition and log in as HSM SO.

lunacm:> role login -name so

2. Initialize the RPV.

lunacm:> ped vector init

You are prompted to create a new Remote PED key.

3. Distribute a copy of the new orange key to the administrator of each Remote PED server.

Blue Partition SO Key

The Partition SO can use this procedure to change the Partition SO credential.

To change a blue Partition SO PED key credential

1. In LunaCM, log in as Partition SO.

lunacm:> role login -name po

2. Initiate the PED key change.

lunacm:> role changepw -name po

3. You are prompted to present the original blue key(s) and then to create a new Partition SO keyset.

Red Partition Domain Key

It is not possible to change a partition's cloning domain. A new partition must be created and initialized with the desired domain. The new partition will not have access to any of the original partition's backups. It cannot be made a member of the same HA group as the original.

Black Crypto Officer Key

The Crypto Officer can use this procedure to change the Crypto Officer credential.

To change a black Crypto Officer PED key credential

1. In LunaCM, log in as Crypto Officer.

lunacm:> role login -name co

2. Initiate the PED key change.

lunacm:> role changepw -name co

3. You are prompted to present the original black key(s) and then to create a new Crypto Officer keyset.

Gray Crypto User Key

The Crypto User can use this procedure to change the Crypto User credential.

To change a gray Crypto User PED key credential

1. In LunaCM, log in as Crypto User.

lunacm:> role login -name cu

2. Initiate the PED key change.

lunacm:> role changepw -name cu

3. You are prompted to present the original gray key(s) and then to create a new Crypto User keyset.

NOTE   The PED screen prompts for a Black PED Key for any of "User", "Crypto Officer", "Limited Crypto Officer", "Crypto User". The PED is not aware that the key you present has a black or a gray sticker on it. The colored stickers are visual identifiers for your convenience in keeping track of your PED Keys. You differentiate by how you label, and how you use, a given physical key that the PED sees as "black" (once it has been imprinted with a secret).

White Audit User Key

The Audit User can use this procedure to change the Audit User credential.

To change the white Audit User PED key credential

1. In LunaCM, set the active slot to the Admin partition and log in as Auditor.

lunacm:> role login -name au

2. Initiate the PED key change.

lunacm:> role changepw -name au

3. You are prompted to present the original white key(s) and then to create a new Audit User keyset.