Initializing the HSM

Initialization prepares a new HSM for use, or an existing HSM for reuse. You must initialize the HSM before you can generate or store objects, allow clients to connect, or perform cryptographic operations:

>On a new or factory-reset HSM, initialization sets the HSM SO credentials, the HSM label, and the cloning domain of the HSM Admin partition. This is often referred to as a 'hard' initialization. See Initializing a New or Factory-reset HSM.

>On an initialized HSM, re-initialization destroys all existing partitions and objects, but retains the SO credentials and cloning domain. You have the option to change or retain the existing label. This is often referred to as a 'soft' initialization. See Re-initializing the HSM.

NOTE   To ensure accurate auditing, perform initialization only after you have set the system time parameters (time, date, time zone, and use of NTP (Network Time Protocol)). You can use the -authtimeconfig option when initializing the HSM to require HSM SO authorization for any time-related changes once the HSM is initialized.

Hard versus soft initialization

The following table summarizes the differences between a hard and soft initialization.

Condition/Effect                    Soft init    Hard init
HSM SO authentication required      Yes          No
Can set new HSM label               Yes          Yes
Creates new HSM SO identity         No           Yes
Creates new Domain                  No           Yes
Destroys partitions                 Yes          No (none exist to destroy)
Destroys objects                    Yes          No (none exist to destroy)

Initializing a New or Factory-reset HSM

NOTE   New HSMs are shipped in Secure Transport Mode (STM). You must recover the HSM from STM before you can initialize the HSM. See Secure Transport Mode for details.

On a new HSM, or an HSM that has been factory-reset (using hsm factoryreset), the following attributes are set during a hard initialization:

HSM Label

The label is a string that uniquely identifies this HSM.

The HSM label created during initialization must be 1-32 characters in length. If you specify a longer label, it will automatically be truncated to 32 characters. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:'",.<>?`~

Spaces are allowed; enclose the label in double quotes if it includes spaces. Including both spaces and quotation marks in a label may cause unexpected labeling behavior.

For more information, refer to Name, Label, and Password Requirements.

HSM SO credentials

For multi-factor (PED-authenticated) HSMs, you create a new HSM SO (blue) PED key or keyset, or re-use an existing key or keyset from an HSM with which you want to share credentials. If you are using PED authentication, ensure that you have a PED key strategy before beginning. See PED Authentication.

For password-authenticated HSMs, you specify the HSM SO password. For proper security, it should be different from the appliance admin password, and employ standard password-security characteristics.

In LunaCM, passwords and activation challenge secrets must be 7-255 characters in length (NOTE: If you are using firmware version 7.0.x, 7.3.3, or 7.4.2, activation challenge secrets must be 7-16 characters in length). The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~

Double quotation marks (") are problematic and should not be used within passwords.

Spaces are allowed; to specify a password with spaces using the -password option, enclose the password in double quotation marks.

Cloning domain for the HSM Admin partition

The cloning domain is a shared identifier that makes cloning possible among a group of HSM partitions. It specifies the security domain (group of HSM partitions) within which the HSM Admin partition can share cryptographic objects through cloning, backup/restore, or in high availability configurations. Note that the HSM Admin partition cloning domain is independent of the cloning domain specified when creating application partitions on the HSM.

For multi-factor (PED-authenticated) HSMs, you create a new Domain (red) PED key or keyset, or re-use an existing key or keyset from an HSM with which you want to be able to clone.

For password-authenticated HSMs, you create a new domain string or re-use an existing string from an HSM you want to be able to clone with.

The domain string must be 1-128 characters in length. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^*-_=+[]{}/:',.~

The following characters are problematic or invalid and must not be used in a domain string: "&;<>\`|()

Spaces are allowed, as long as the leading character is not a space; to specify a domain string with spaces using the -domain option, enclose the string in double quotation marks.
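The label, password, and domain-string rules above can be checked before you run hsm init, so that a rejected or silently truncated value does not surprise you at the PED or the command line. The following Python pre-check is an added example written for this page; it is not part of LunaCM or any Thales tool. It transcribes the character sets and length limits stated above (the 7-16 character limit is applied only when the caller flags an activation challenge secret on the firmware versions named above), truncates an over-long label the way the HSM does, and treats the "problematic" cases (double quotes in passwords, a leading space in a domain string) as errors rather than warnings. The sample values in the demo are constructed, not real credentials.

```python
import string

# Character sets and limits transcribed from the label, password and domain
# requirements above. This checker is an illustration written for this page,
# not part of LunaCM.
ALNUM = string.ascii_letters + string.digits
LABEL_ALLOWED = set(ALNUM + " !@#$%^&*()-_=+[]{}\\|/;:'\",.<>?`~")
PASSWORD_ALLOWED = set(ALNUM + " !@#$%^&*()-_=+[]{}\\|/;:',.<>?`~")
DOMAIN_ALLOWED = set(ALNUM + " !@#$%^*-_=+[]{}/:',.~")
DOMAIN_INVALID = set("\"&;<>\\`|()")   # listed above as problematic or invalid

LABEL_MAX = 32
PASSWORD_MIN, PASSWORD_MAX = 7, 255
LEGACY_CHALLENGE_MAX = 16             # activation challenge on firmware 7.0.x, 7.3.3, 7.4.2
DOMAIN_MAX = 128


def check_label(label: str) -> tuple[str, list[str]]:
    """Return (label as the HSM will store it, warnings); raise ValueError on a hard error."""
    if not label:
        raise ValueError("label must be 1-32 characters")
    bad = sorted(set(label) - LABEL_ALLOWED)
    if bad:
        raise ValueError(f"label contains disallowed characters: {''.join(bad)!r}")
    warnings = []
    if len(label) > LABEL_MAX:
        # The HSM does not reject a long label; it silently truncates it.
        warnings.append(f"label exceeds {LABEL_MAX} characters; the HSM truncates it")
        label = label[:LABEL_MAX]
    if " " in label:
        if '"' in label or "'" in label:
            warnings.append("label mixes spaces and quotation marks; labeling may behave unexpectedly")
        else:
            warnings.append("label contains spaces; enclose it in double quotes on the command line")
    return label, warnings


def check_password(secret: str, legacy_activation_challenge: bool = False) -> list[str]:
    """Validate an HSM SO password (or activation challenge secret); return warnings."""
    max_len = LEGACY_CHALLENGE_MAX if legacy_activation_challenge else PASSWORD_MAX
    if not PASSWORD_MIN <= len(secret) <= max_len:
        raise ValueError(f"password must be {PASSWORD_MIN}-{max_len} characters, got {len(secret)}")
    if '"' in secret:
        raise ValueError("double quotation marks are problematic in passwords; do not use them")
    bad = sorted(set(secret) - PASSWORD_ALLOWED)
    if bad:
        raise ValueError(f"password contains disallowed characters: {''.join(bad)!r}")
    return ["password contains spaces; quote it when using -password"] if " " in secret else []


def check_domain(domain: str) -> list[str]:
    """Validate an HSM Admin partition cloning domain string; return warnings."""
    if not 1 <= len(domain) <= DOMAIN_MAX:
        raise ValueError(f"domain string must be 1-{DOMAIN_MAX} characters, got {len(domain)}")
    if domain[0] == " ":
        raise ValueError("domain string must not begin with a space")
    invalid = sorted(set(domain) & DOMAIN_INVALID)
    if invalid:
        raise ValueError(f"domain string contains invalid characters: {''.join(invalid)!r}")
    bad = sorted(set(domain) - DOMAIN_ALLOWED)
    if bad:
        raise ValueError(f"domain string contains disallowed characters: {''.join(bad)!r}")
    return ["domain string contains spaces; quote it when using -domain"] if " " in domain else []


def is_acceptable(check, *args, **kwargs) -> bool:
    """True if the check passes (warnings are not errors), False if it raises ValueError."""
    try:
        check(*args, **kwargs)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs for the demo, not real credentials.
    samples = [
        ("label", check_label, "myLunaHSM"),
        ("label", check_label, "x" * 40),
        ("password", check_password, "Sw0rdfish-42"),
        ("password", check_password, 'bad"quote1'),
        ("domain", check_domain, "prod-domain-01"),
        ("domain", check_domain, " leading-space"),
    ]
    for kind, check, value in samples:
        try:
            print(kind, repr(value), "->", check(value))
        except ValueError as err:
            print(kind, repr(value), "-> REJECTED:", err)
```

Run the pre-check on the exact strings you intend to pass to hsm init; a warning about spaces tells you to quote the value, while a ValueError means the HSM would either reject the value or, for the domain string, behave unpredictably.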

To initialize a new or factory-reset HSM

1. Open a LunaCM session and set the active slot to the HSM Admin partition.

2. If Secure Transport Mode is set, you must unlock the HSM before proceeding. New Luna HSMs are shipped from the factory in Secure Transport Mode (STM). STM allows you to verify whether or not an HSM has been tampered with while it was not in your possession, such as when it was shipped to another location or placed into storage. See Secure Transport Mode for more information.

To recover your HSM from Secure Transport Mode, proceed as follows:

a. As part of the delivery process for your new HSM, you should have received an email from Thales Client Services, containing two 16-digit strings, as follows. You will need both of these strings to recover the HSM from STM:

Random User String: XXXX-XXXX-XXXX-XXXX

Verification String: XXXX-XXXX-XXXX-XXXX

b. Ensure that you have the Random User String and Verification String that were emailed to you for your new HSM.

c. Enter the following command to recover from STM, specifying the Random User String that was emailed to you for your new HSM:

lunacm:> stm recover -randomuserstring <XXXX-XXXX-XXXX-XXXX>

d. You are presented with a verification string. If it matches the original verification string emailed to you for your new HSM, the HSM has not been tampered with and can be safely deployed. If the verification strings do not match, the HSM has been tampered with while in STM; contact Thales Technical Support immediately.

e. Enter proceed to recover from STM (regardless of whether the strings match or not), or enter quit to remain in STM.

3. If you are initializing a Multi-factor-authentication (PED-authenticated) HSM, have the Luna PED connected and ready (via USB, in Local PED-USB mode). If your PED is not in USB mode, see Changing Modes. Alternatively, have a Remote PED instance set up, see About Remote PED.

4. Run the hsm init command, specifying a label for your Luna PCIe HSM:

lunacm:> hsm init -label <label>

5. Respond to the prompts to complete the initialization process:

>On a password-authenticated HSM, you are prompted for the HSM password and for the HSM Admin partition cloning domain string (cloning domains for application partitions are set when the application partitions are initialized).

>On a Multi-factor-authenticated (PED-authenticated) HSM, you are prompted to attend to the PED to create a new HSM SO (blue) PED key for this HSM, re-use an HSM SO PED key from an existing HSM so that you can also use it to log in to this HSM, or overwrite an existing key with a new PED secret for use with this HSM. You are also prompted to create, re-use, or overwrite the Domain (red) PED key. You can create MofN quorum keysets and duplicate keys as required. See PED Authentication for more information.

The prompts are self-explanatory. New users (especially those initializing a PED-authenticated HSM) may want to refer to the following examples for more information:

PED-authenticated HSM Initialization Example

Password-authenticated HSM Initialization Example

Re-initializing the HSM

On an existing, non-factory-reset HSM, re-initialization clears all existing partitions and objects, but retains the SO credentials and cloning domain. You have the option to change or retain the existing label. Re-initialization is also referred to as a soft init. If you want to change the SO credentials and cloning domain as well, a soft init is not sufficient: use the hsm factoryreset command to factory reset the HSM, and then perform the procedure described in Initializing a New or Factory-reset HSM.

CAUTION!   Ensure you have backups for any partitions and objects you want to keep, before reinitializing the HSM.

To re-initialize the HSM (soft init)

1. Open a LunaCM session and set the slot to the HSM Admin partition.

2. Log in as the HSM SO.

3. If Secure Transport Mode is set, you must unlock the HSM before proceeding. See Secure Transport Mode.

4. If you are initializing a PED-authenticated HSM, have the Luna PED connected and ready (via USB, in Local PED-USB mode). If your PED is not in USB mode, see Changing Modes.

5. Re-initialize the HSM, specifying a label for your Luna PCIe HSM:

lunacm:> hsm init -label <label>

PED-authenticated HSM Initialization Example

This section provides detailed examples that illustrate your options when initializing a PED-authenticated HSM. It provides the following information:

>To initialize a PED-authenticated HSM

>Imprinting the Blue HSM SO PED Key

>Imprinting the Red Cloning Domain PED Key

>New, reuse, and overwrite options

NOTE   Respond promptly to avoid a PED timeout error. If the PED has timed out, press the CLR key for five seconds to reset, or switch the PED off and back on, to get to the “Awaiting command....” state before re-issuing a LunaSH command that invokes the PED.

To initialize a PED-authenticated HSM

1. Your Luna PED must be connected to the HSM, either locally/directly in USB mode (see Changing Modes), or remotely via Remote PED connection (see About Remote PED).

NOTE   To operate in Local PED-USB mode, the Luna PED must be connected directly to the HSM card's USB port, and not one of the other USB connection ports on the host system.

2. Set the active slot to the Luna PCIe HSM Admin partition, and issue the hsm init command.

3. When you issue the hsm init command, the HSM passes control to the Luna PED, and the command line (lunash:>) directs you to attend to the PED prompts.

4. A "default" login is performed, just to get started (you don't need to supply any authentication for this step).

5. Luna PED asks: "Do you wish to reuse an existing keyset?". If the answer is No, the HSM creates a new secret which will reside on both the HSM and the key (or keys) that is (or are) about to be imprinted. If the answer is Yes, then the HSM does not create a new secret and instead waits for one to be presented via the PED.

6. Luna PED requests a blue PED key. It could be blank to begin with, or it could have a valid secret from another HSM (a secret that you wish to preserve), or it could have a secret that is no longer useful.

7. Luna PED checks the key you provide. If the PED key is not blank, and your answer to "...reuse an existing keyset" was Yes, then Luna PED proceeds to copy the secret from the PED key to the HSM.

8. If the key is not blank, and your answer to "...reuse an existing keyset" was No, then the PED inquires if you wish to overwrite its contents with a new HSM secret. If the current content of the key is of no value, you say Yes. If the current content of the key is a valid secret from another HSM (or if you did not expect the key to hold any data) you can remove it from the PED and replace it with a blank key or a key containing non-useful data, before you answer Yes to the 'overwrite' question.

9. Assuming that you are using a new secret, and not reusing an existing one, Luna PED asks if you wish to split the new HSM secret. It does this by asking for values of "M" and "N". You set those values to "1" and "1" respectively, unless you require MofN split-secret, multi-person quorum access control for your HSM (See M of N Split Secrets (Quorum) for details).

10. Luna PED asks if you wish to use a PED PIN (an additional secret; see PED Key Management for more info).

11. If you just press Enter (effectively saying 'no' to the PED PIN option), then the secret generated by the HSM is imprinted on the PED key, that same secret is retained as-is on the HSM, and the same secret becomes the piece needed to unlock the Security Officer/HSM Admin account on the HSM.

12. If you press some digits on the PED keypad (saying 'yes' to the PED PIN option), then the PED combines the HSM-generated secret with your PED PIN and feeds the combined data blob to the HSM. The HSM throws away the original secret and takes on the new, combined secret as its SO/HSM Admin secret.

13. The PED key contains the original HSM-generated secret, but also contains the flag that tells the PED whether to demand a PED PIN (which is either no digits, or a set of digits that you supplied, and must supply at all future uses of that PED key).

14. Luna PED gives you the option to create some duplicates of this imprinted key. You should make at least one duplicate for backup purposes. Make additional duplicates if your security policy permits, and your procedures require them.

15. Next, Luna PED requests a red Domain PED key. The HSM provides a cloning Domain secret and the PED gives you the option to imprint the secret from the HSM, or to use a domain that might already be on the key. You choose appropriately. If you are imprinting a new Domain secret, you have the same opportunities to split the secret, and to apply a PED PIN "modifier" to the secret. Again, you are given the option to create duplicates of the key.

16. At this point, the HSM is initialized and Luna PED passes control back to LunaCM.

Further actions are needed to prepare for use by your Clients, but you can now log in as SO/HSM Admin and perform HSM administrative actions.

Imprinting the Blue HSM SO PED Key

1. Decide if you want to reuse a keyset.

If you say No (on the PED keypad), then you are indicating there is nothing of value on your PED keys to preserve, or you are using blank keys.

If you say Yes, you indicate that you have a PED key (or set of PED keys) from another HSM and you wish your current/new HSM to share the authentication with that other HSM. Authentication will be read from the PED key that you present and imprinted onto the current HSM.

2. Set MofN.

Setting M and N to 1 means that the role authentication is not to be split, and only a single PED key will be necessary when the authentication is called for in future. Input 1 for each prompt if you do not want to use MofN.

Setting M and N to larger than 1 sets a quorum requirement for the role, which means that the authentication is split into N different splits, of which quantity M of them (the quorum) must be presented each time you are required to authenticate. MofN allows you to enforce multi-person access control - no single person can access the HSM without cooperation of a quorum of other holders.

3. Insert your blank key or the key you wish to overwrite.

Insert a blue HSM Admin/SO PED key and press Enter.

Yes: If the PED should overwrite the PED key with a new SO authentication. If you overwrite a PED key that contains the authentication secret for another HSM, then this PED key will no longer be able to access the other HSM, only the new HSM that you are currently initializing with a new, unique authentication secret.

No: If you have changed your mind or inserted the wrong PED key.

4. For any situation other than reusing a keyset, Luna PED now prompts for you to set a PED PIN. For multi-factor authentication security, the physical PED key is "something you have." You can choose to associate that with "something you know," in the form of a multi-digit PIN code that must always be supplied along with the PED key for all future HSM access attempts.

Type a numeric password on the PED keypad, if you wish. Otherwise, just press Enter twice to indicate that no PED PIN is desired.

5. Decide if you want to duplicate your keyset.

Yes: Present one or more blank keys, all of which will be imprinted with exact copies of the current PED key's authentication.

No: Do not make any copies.

NOTE   You should always have backups of your imprinted PED keys, to guard against loss or damage.

Imprinting the Red Cloning Domain PED Key

To begin imprinting a Cloning Domain (red PED key), you must first log into the HSM. Insert your blue SO PED key.

1. Decide if you want to reuse a keyset.

No: If this is your first Luna HSM, or if this HSM will not be cloning objects with other HSMs that are already initialized.

Yes: If you have another HSM and wish that HSM and the current HSM to share their cloning Domain.

2. Set MofN.

Setting M and N to 1 means that the domain authentication is not to be split, and only a single PED key will be necessary when the authentication is called for in future. Input 1 for each prompt if you do not want to use MofN.

Setting M and N to larger than 1 sets a quorum requirement for the domain, which means that the authentication is split into N different splits, of which quantity M of them (the quorum) must be presented each time you are required to provide the domain. MofN allows you to enforce multi-person access control - no single person can access the HSM without cooperation of a quorum of other holders.

3. Insert your blank key or the key you wish to overwrite.

4. Optionally set a PED PIN.

5. Decide if you want to duplicate your keyset.

Once you stop duplicating the Domain key, or you indicate that you do not wish to make any duplicates, Luna PED goes back to "Awaiting command...". LunaSH says:

Command Result : No Error

New, reuse, and overwrite options

The table below summarizes the steps involving Luna PED immediately after you invoke the command hsm init. The steps in the table are in the order in which they appear as PED prompts, descending down the column.

The first column is the simplest, and most like what you would encounter the very first time you initialize, using "fresh from the carton" PED keys.

The next two columns of the table show some differences if you are using previously-imprinted PED keys, choosing either to reuse what is found on the key (imprint it on your new HSM - see Shared PED Key Secrets) or, to overwrite what is found and generate a new secret to be imprinted on both the PED key and the HSM.

Columns: New PED Keys | Existing PED Keys (Reuse) | Existing PED Keys (Overwrite)

1. PED prompt (all three columns):

SLOT 01
SETTING SO PIN...
Would you like to reuse an existing keyset? (Y/N)

Response:

>New PED Keys: No

>Existing PED Keys (Reuse): Yes

>Existing PED Keys (Overwrite): No

2. PED prompt (all three columns):

SLOT 01
SETTING SO PIN...
Insert a SO / HSM Admin PED Key
Press ENTER.

3. PED prompt and response, by column:

>New PED Keys:
This PED Key is blank.
Overwrite? (YES/NO)
Yes

>Existing PED Keys (Reuse):
****Warning!****
This PED Key is for SO / HSM Admin
Overwrite? (YES/NO)
No

>Existing PED Keys (Overwrite):
****Warning!****
This PED Key is for SO / HSM Admin
Overwrite? (YES/NO)
Yes

4. PED prompt (all three columns):

Enter a new PED PIN
Confirm new PED PIN

Response:

>Press Enter for no PED PIN
OR
>Input 4-16 digits on the PED keypad and press Enter

5. PED prompt (all three columns):

Are you duplicating this keyset? YES/NO

Response:

>Yes: duplicate. This option can be looped for as many duplicates as you need

>No: do not duplicate

6. PED prompt (all three columns):

Login SO / HSM Admin...
Insert a SO/ HSM Admin PED Key
Press ENTER

7. PED prompt (all three columns):

SETTING DOMAIN...
Would you like to reuse an existing keyset? (Y/N)

Response:

>New PED Keys: Yes (unless you have good reason to create a new domain)

>Existing PED Keys (Reuse) and Existing PED Keys (Overwrite): Yes: make this HSM part of an existing domain; No: create a new domain for this HSM

Password-authenticated HSM Initialization Example

lunash:>hsm init -label myLunaHSM

  Please enter a password for the HSM Administrator:
  > ********

  Please re-enter password to confirm:
  > ********

  Please enter a cloning domain to use for initializing this HSM:
  > *********

  Please re-enter cloning domain to confirm:
  > *********

CAUTION:  Are you sure you wish to initialize this HSM?

          Type 'proceed' to initialize the HSM, or 'quit'
          to quit now.
          > proceed

'hsm init' successful.

Command Result : 0 (Success)

lunacm:>hsm init -label myLunaHSM

        You are about to initialize the HSM.
        All contents of the HSM will be destroyed.

        Are you sure you wish to continue?

        Type 'proceed' to continue, or 'quit' to quit now ->proceed

        Enter password for SO: ********

        Re-enter password for SO: ********

        Option -domain was not specified.  It is required.

        Enter the domain name: *********

        Re-enter the domain name: *********

Command Result : No Error

When activity is complete, the system displays a “success” message.