Consequences of Losing PED Keys
PED keys are the only means of authenticating roles, domains, and RPVs on the PED-authenticated Luna PCIe HSM. Losing a PED keyset effectively locks the user out of that role. Always keep secure backups of your PED keys, including M of N split secrets. Forgetting the PED PIN associated with a key is equivalent to losing the key entirely. Losing a split-secret key is less serious, unless enough splits are lost so that M cannot be satisfied.
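To illustrate the M of N remark above, here is an added threshold secret-sharing example (Shamir's scheme over a prime field); it is not Luna or PED code, and the prime, secret values and thresholds are constructed for the demonstration. It shows why losing a few splits is survivable while losing enough of them that fewer than M remain makes the secret unrecoverable.

```python
"""Illustrative M-of-N secret splitting (Shamir's scheme over a prime field).

Added example, not Luna or PED code: it shows why losing some splits of a PED
secret is survivable while losing too many leaves the secret unrecoverable.
The prime, secret and thresholds are constructed for the demo; the actual PED
M of N scheme is not documented on this page and may differ in its details.
"""
import secrets

PRIME = 2**127 - 1  # constructed: a field large enough for a 16-byte secret

def split_secret(secret, m, n, rng=secrets.randbelow):
    """Split `secret` into n shares such that any m of them reconstruct it.

    A random polynomial of degree m-1 with constant term `secret` is evaluated
    at x = 1..n; each (x, y) point is one split (one 'split-secret key').
    """
    if not 1 < m <= n or not 0 <= secret < PRIME:
        raise ValueError("require 1 < m <= n and 0 <= secret < PRIME")
    coeffs = [secret] + [rng(PRIME) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation modulo PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares

def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the supplied shares.

    With m or more distinct shares this returns the original secret; with
    fewer it returns an unrelated field element, so no partial value leaks.
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

if __name__ == "__main__":
    demo = split_secret(0xC0FFEE, 3, 5)           # 3 of 5 splits are needed
    print(recover_secret(demo[:3]) == 0xC0FFEE)  # two splits lost: recoverable
    print(recover_secret(demo[:2]) == 0xC0FFEE)  # three lost: not recoverable
```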
If a PED key is lost or stolen, log in with one of your backup keys and change the existing PED secret immediately, to prevent unauthorized HSM access.
The consequences of a lost PED key with no backup vary depending on the type of secret:
Blue HSM SO Key
If the HSM SO secret is lost, you can no longer perform administrative tasks on the HSM, including partition creation and client assignment. If you use the same blue SO key for your HSM backup partitions, the contents of the
1. Contact all Crypto Officers and have them immediately make backups of their existing partitions.
2. When all important partitions are backed up, execute a factory reset of the HSM.
3. Initialize the HSM and create a new HSM SO secret. Use the original red HSM cloning domain key.
4. Restore the
5. Recreate the partitions and reassign them to their respective clients.
6. Partition SOs must initialize the new partitions using their original blue and red key(s), and initialize the Crypto Officer role (and Activation secret, if applicable). Supply the new black CO keys to the Crypto Officers.
7. Crypto Officers must change the login credentials from the new black CO key to their original black keys (and reset the Activation secret password, if applicable).
8. Crypto Officers can now restore all partition contents from backup.
9. If you are using Remote PED, you must recreate the Remote PED Vector (RPV). Reuse the original orange key.
Red HSM Domain Key
If the HSM Key Cloning Vector is lost, you can no longer perform backup/restore operations on the
Orange Remote PED Key
If the Remote PED Vector is lost, create a new one and distribute a copy to the administrator of each Remote PED server. See Initializing the Remote PED Vector and Creating an Orange Remote PED Key.
Blue Partition SO Key
If the Partition SO secret is lost, you can no longer perform administrative tasks on the partition. Take the following steps:
1. Have the Crypto Officer immediately make a backup of the partition objects.
2. Have the HSM SO delete the partition, create a new one, and assign it to the same client.
3. Initialize the new partition with a new blue Partition SO key and the original red cloning domain key(s).
4. Initialize the Crypto Officer role (and Activation secret, if applicable). Supply the new black CO key to the Crypto Officer.
5. The Crypto Officer must change the login credentials from the new black CO key to their original black key (and reset the Activation secret password, if applicable).
6. The Crypto Officer can now restore all partition contents from backup.
Red Partition Domain Key
If the Partition Key Cloning Vector is lost, you can no longer perform backup/restore operations on the partition(s), or make changes to HA groups in that cloning domain. You can still perform all other operations on the partition. Take the following steps:
1. Have the HSM SO create a new partition (or multiple partitions, to replace the entire HA group) and assign it to the same client(s).
2. Initialize the partition(s) with a new cloning domain.
3. Initialize the Crypto Officer role with the original black Crypto Officer key (and Activation password, if applicable).
4. Create objects on the new partition to replace those on the original partition.
5. As soon as possible, change all applications to use the objects on the new partition.
6. When objects on the original partition are no longer in production use, the HSM SO can delete the original partition.
Black Crypto Officer Key
If the Crypto Officer secret is lost, you can no longer create objects on the partition, or perform backup/restore operations. You might still be able to use the partition, depending on the following criteria:
>PIN reset by Partition SO:
•If HSM policy 15 (Enable SO reset of partition PIN) is set to 1, the Partition SO can reset the Crypto Officer secret and create a new black CO key:
lunacm:>role resetpw -name co
•If this policy is set to 0 (default), the CO is locked out unless other criteria in this list apply.
>Partition Activation:
•If the partition is Activated, you can still access it for production using the CO challenge secret. Change your applications to use objects on a new partition as soon as possible.
•If the partition is not Activated, read-only access of essential objects might still be available via the Crypto User role.
>Crypto User
•If the Crypto User is initialized, you can use the CU role for read-only access to essential partition objects while you change your applications to use objects on a new partition.
If none of these criteria apply, the contents of the partition are unrecoverable.
Gray Crypto User Key
If the Crypto User secret is lost, the Crypto Officer can reset the CU secret and create a new gray key:
lunacm:>role resetpw -name cu
White Audit User Key
If the Audit User secret is lost, you can no longer cryptographically verify existing audit logs or make changes to the audit configuration. The existing logs can still be viewed. Re-initialize the Audit User role on the affected HSMs, using the same white key for HSMs that will verify each other's logs.