HSM Capabilities and Policies

The HSM can be configured to suit the cryptographic needs of your organization. Configurable functions are governed by the following settings:

>HSM Capabilities are features of HSM functionality, set at manufacture based on the HSM model you selected at time of purchase. You can add new capabilities to the HSM by purchasing and applying capability licenses from Thales (see Upgrading HSM Capabilities). Some capabilities have corresponding modifiable HSM policies.

>HSM Policies are configurable settings that allow the HSM Security Officer to modify the function of their corresponding capabilities. Some policies affect HSM-wide functionality, and others allow further customization of individual partitions by the Partition Security Officer.

The table below describes all Luna PCIe HSM capabilities, their corresponding policies, and the results of changing their settings. This section contains the following procedures:

>Setting HSM Policies Manually

>Setting HSM Policies Using a Template

To zeroize the HSM and revert policies to their default values, see Resetting the Luna PCIe HSM to Factory Condition.

To zeroize the HSM and keep the existing policy settings, use lunacm:> hsm zeroize

Destructive Policies

Some policies affect the security of the HSM. As a security measure, changing these policies results in application partitions or the entire HSM being zeroized. These policies are listed below as destructive.

#	HSM Capability	HSM Policy
0	Enable PIN-based authentication > 1: The HSM authenticates all users with keyboard-entered passwords. > 0: See HSM capability 1 below.	N/A
1	Enable PED-based authentication > 1: The HSM authenticates users with secrets stored on physical PED keys, read by a Luna PED. The Crypto Officer and Crypto User roles may also be configured with a secondary, keyboard-entered challenge secret. > 0: See HSM capability 0 above.	N/A
2	Performance level Numerical value indicates the HSM's performance level, determined by the model you selected at time of purchase: >4: Standard performance >8: Enterprise performance >15: Maximum performance	N/A
4	Enable domestic mechanisms & key sizes Always 1. All Luna PCIe HSMs are capable of full-strength cryptography with no US export restrictions.	N/A
6	Enable masking Always 0 for HSMs with pre-7.7.0 firmware. SKS (which uses masking) was not available on Luna PCIe HSMs before version 7.7.0. 1 for Luna PCIe HSMs at firmware 7.7.0 and later, to support SKS.	If this policy is allowed, see partition policies 3 and 7 in Partition Capabilities and Policies.
7	Enable cloning Always 1. All current Luna PCIe HSMs can clone cryptographic objects from one partition to another.	Allow cloning (Destructive) >1 (default): The HSM may clone cryptographic objects from one partition to another. This is required to back up partitions or include them in HA groups. Partition SOs can enable/disable cloning on individual partitions. >0: No partition on the HSM may clone cryptographic objects. Partition SOs cannot change this.
9	Enable full (non-backup) functionality > 1: The HSM is capable of full cryptographic functions. > 0: The HSM is capable of backup functions only (disallowed on Luna Backup HSMs only).	N/A
12	Enable non-FIPS algorithms Always 1. The HSM can use all cryptographic algorithms described in Supported Mechanisms.	Allow non-FIPS algorithms (Destructive) * >1 (default): The HSM may use all available cryptographic algorithms, meaning all the FIPS-approved algorithms as well as all the non-FIPS algorithms. >0: Only algorithms sanctioned by the FIPS 140-2 standard are permitted. The following is displayed in the output from lunacm:> hsm showinfo: The HSM is in FIPS 140-2 approved operation mode. NOTE When C_GetMechanismInfo is called and the HSM policy “Allow NonFIPS Algorithms” is disabled: 1) If a mechanism has the WRAP flag set and MPE_NO_WRAP, the WRAP flag is not returned by the HSM as part of the mechanism info. 2) If a mechanism has the SIGN flag set and MPE_NO_SIGN, the SIGN flag is not returned by the HSM as part of the mechanism info. When the policy is enabled, the HSM returns all the flags that are applicable to the requested mechanism.
15	Enable SO reset of partition PIN Always 1. This capability enables: >the Partition SO to reset the password or PED secret of the Crypto Officer. >the Crypto Officer to reset the password or PED secret of the Crypto User.	SO can reset partition PIN (Destructive) >1: Partition SO may reset the password or PED secret of a Crypto Officer who has been locked out after too many failed login attempts. >0 (default): The CO lockout is permanent and the partition contents are no longer accessible. The partition must be re-initialized, and key material restored from a backup device. See Resetting the Crypto Officer , Limited Crypto Officer, or Crypto User Credential.
16	Enable network replication Always 1. This capability enables cloning of cryptographic objects over a network. This is required for HA groups, and for partition backup to a remote Luna Backup HSM.	Allow network replication >1 (default): Cloning of cryptographic objects is permitted over a network. Remote backup is allowed, and the partition may be used in an HA group. >0: Cloning over a network is not permitted. Partition backup is possible to a locally-connected Luna Backup HSM only.
17	Enable Korean Algorithms > 1: if you have purchased and applied a license for the Korea-specific algorithm set. See Upgrading HSM Capabilities to purchase this capability. > 0 if you have not applied this license.	N/A
18	FIPS evaluated Always 0 - deprecated capability. All Luna PCIe HSMs are capable of operating in FIPS Mode. NOTE This capability is visible (not used) in previous HSM firmware versions, but is removed from version 7.7.0 onward.	N/A
19	Manufacturing Token Always 0. For Thales internal use only.	N/A
21	Enable forcing user PIN change Always 1. This capability forces the Crypto Officer or Crypto User to change the initial role credential created by the Partition SO.	Force user PIN change after set/reset >1 (default): After the Partition SO initializes or resets the Crypto Officer credential, the CO must change the credential before any other actions are permitted. This also applies when the CO initializes/resets the Crypto User role. This policy is intended to enforce the separation of roles on the partition. >0: The CO/CU may continue to use the credential assigned by the Partition SO. See Changing a Role Credential.
22	Enable offboard storage Always 1, but SIM is not supported on this version of Luna PCIe HSM.	Allow offboard storage (Destructive) Deprecated policy. On previous HSMs, this policy allowed or disallowed the use of the portable SIM key. Default: 1
23	Enable partition groups Always 0 - deprecated capability.	N/A
25	Enable Remote PED usage Always 1 on PED-authenticated HSMs. Always 0 on password-authenticated HSMs.	Allow Remote PED usage >1 (default): The HSM may authenticate roles using a remotely-located PED server or a locally-installed PED. >0: The HSM must use a locally-installed PED to authenticate roles.
27	HSM non-volatile storage space Displays the maximum non-volatile storage space (in bytes) on the HSM, determined by the Luna PCIe HSM model you selected at time of purchase.	N/A
30	Enable Unmasking Always 1. This capability enables migration from legacy Luna HSMs that used SIM.	Allow unmasking >1 (default): Cryptographic objects may be migrated from legacy Luna HSMs that used SIM. >0: Migration from legacy HSMs using SIM is not possible.
33	Maximum number of partitions Displays the maximum number of application partitions that can be created on the HSM.	Current maximum number of partitions You can change HSM policy 33 to lower the effective maximum number of partitions below the actual licensed maximum. You cannot, however, lower the maximum below the number of partitions currently existing on the HSM.
35	Enable Single Domain Always 0. Not applicable to Luna PCIe HSM.	N/A
36	Enable Unified PED Key Always 0. Not applicable to Luna PCIe HSM.	N/A
37	Enable MofN Always 1 on PED-authenticated HSMs. Always 0 on password-authenticated HSMs.	Allow MofN >1 (default): During PED key creation, you have the option to require a quorum to authenticate the role, by splitting the PED secret among multiple PED keys (see M of N Split Secrets (Quorum)) >0: Users do not have the option to split PED secrets (M and N are automatically set to 1).
38	Enable small form factor backup/restore Always 0. Not available in this release.	N/A
39	Enable Secure Trusted Channel Always 1. Not applicable to HSMs at firmware 7.7.0 or newer, where STC is always enabled and is optional to use in any application partition, unless Partition Policy 37 is set to make STC mandatory for that partition.	Allow Secure Trusted Channel Secure Trusted Channel is a Network HSM feature, and has no function on Luna PCIe HSM. Thales does not recommend turning this policy on at any time.
40	Enable decommission on tamper Always 1. This enables the HSM to be automatically decommissioned if a tamper event occurs (see Comparing Zeroize, Decommission, and Factory Reset).	Decommission on tamper (Destructive) >1: The HSM is decommissioned if a tamper event occurs (see Tamper Events). >0 (default): The contents of the HSM are not affected by a tamper event.
42	Enable partition re-initialize Always 0. Not applicable to Luna PCIe HSM. This capability and any associated feature and command(s) are applicable only to the Luna IS product, which shares some common code. No such feature has been tested on Luna PCIe HSM.	N/A
43	Enable low level math acceleration Always 1. This capability enables acceleration of cryptographic functionality for maximum HSM performance.	Allow low-level math acceleration >1 (default): Provides maximum HSM performance. >0: Do not turn this policy off unless instructed by Thales Technical Support.
46	Allow Disabling Decommission Always 1. This capability enables the HSM SO to disable the decommission jumper header on the HSM.	Disable Decommission (Destructive) >1: The decommission jumper header is disabled, preventing decommissioning of the HSM. >0 (default): Decommission works as described in Decommissioning the HSM Card. CAUTION! Changing this policy will destroy partitions on the HSM, and they must be recreated. If HSM policy 40 is enabled, you cannot enable this policy (fails with error: CKR_CONFIG_FAILS_DEPENDENCIES). However, attempting to enable it will still destroy HSM partitions.
47	Enable Tunnel Slot Always 0. Not available in this release.	N/A
48	Enable Controlled Tamper Recovery Always 1. This capability enables the HSM SO to require tamper events to be explicitly cleared before normal operations can resume.	Do Controlled Tamper Recovery >1 (default): After a tamper event, the HSM SO must explicitly clear the tamper before the HSM can resume normal operations. >0: The HSM must be restarted before it can resume normal operations. See Tamper Events for more information.
49	Enable Partition Utilization Metrics Always 1. This capability enables the HSM SO to view (or export to a named file) counters that record how many times specific cryptographic operations have been performed in application partitions since the last counter-reset event. This provides a picture of operational utilization that can be used to guide the (re-)allocation and balancing of partitions and applications, for better service to all users of your partitions.	Allow Partition Utilization Metrics >1: The HSM SO can view Partition Utilization Metrics. >0 (default): Partition Utilization Metrics are not available. See Partition Utilization Metrics for more information.
50	Enable Functionality Modules This capability enables Functionality Modules (FMs) to be loaded to the HSM (see Functionality Modules). > 1 on FM-ready HSMs running firmware 7.4 or higher, with the FM capability license installed (see Preparing the Luna PCIe HSM to Use FMs). > 0 on FM-ready HSMs running firmware 7.4 or higher without the FM capability license. Does not appear on HSMs that are not FM-ready or are running firmware older than 7.4.	Allow Functionality Modules (Destructive) >1: With this policy enabled, Functionality Modules may be loaded to the HSM, permitting custom cryptographic operations. Allows use of the ctfm utility and FM-related commands, and the use of Functionality Modules in general with this HSM. NOTE FIPS compliance requires that objects are never cloned or restored to an HSM using less secure firmware. FIPS 140 validation is performed against the HSM hardware with a specific firmware version. Since the introduction of a Functionality Module changes the firmware, allowing FMs in the HSM removes the HSM from FIPS compliance. For purposes of cloning, an HSM where FMs have ever been allowed is considered less secure than one where FMs have never been allowed. See the Caution below. You can subsequently disable FMs, but future cloning operations will work only with other FM-HOC HSMs. >0 (default): FMs may not be loaded to the HSM. CAUTION! Enabling FMs (HSM policy 50) introduces changes to Luna HSM functionality, some of which are permanent; they cannot be removed by disabling the policy. FM-enabled status is not reversible by Factory Reset.Refer to FM Deployment Constraints for details before enabling. If you are using Crypto Command Center, ensure that your CCC version supports FM-enabled HSMs before you enable HSM policy 50. Refer to the CCC CRN for details.
51	Enable SMFS Auto Activation This capability enables the Secure Memory File System (SMFS) to be activated automatically on startup. > 1 on FM-ready HSMs running firmware 7.4 or higher, with the FM capability license installed (see Preparing the Luna PCIe HSM to Use FMs). > 0 on FM-ready HSMs running firmware 7.4 or higher without the FM capability license. Does not appear on HSMs that are not FM-ready or are running firmware older than 7.4.	Allow SMFS Auto Activation (Destructive) >1: With this policy enabled, the Secure Memory File System (SMFS) is automatically activated on startup, providing a secure, tamper-enabled location in the HSM memory where Functionality Modules can load keys and parameters. Auto-activation for SMFS, like auto-activation for PED-authenticated partitions in general, persists through a power outage of up to 2 hours duration. >0 (default): If disabled, the HSM SO must manually activate the SMFS each time the HSM reboots or loses power.
52	Allow Restricting FM Privilege Level This capability enables the HSM SO to restrict the sensitive key attributes of partition objects from FMs. > 1 on FM-ready HSMs running firmware 7.4 or higher, with the FM capability license installed (see Preparing the Luna PCIe HSM to Use FMs). > 0 on FM-ready HSMs running firmware 7.4 or higher without the FM capability license. Does not appear on HSMs that are not FM-ready or are running firmware older than 7.4.	Restrict FM Privilege Level (Destructive) >1: FM privilege is restricted. >0 (default): FM privilege permits FMs to see the sensitive key attributes (including key values) of cryptographic objects on application partitions. This privilege is necessary for most FMs, so that the Crypto Officer (CO) and Crypto User (CU) roles can use partition objects with the FM. However, some FMs might not require this privilege and it can be restricted to satisfy some certification requirements (such as Common Criteria).
53	Allow Encrypting of Keys from FM to HSM This capability enables key encryption between the FM and the Functionality Module Crypto Engine interface (FMCE). > 1 on FM-ready HSMs running firmware 7.4 or higher, with the FM capability license installed (see Preparing the Luna PCIe HSM to Use FMs). > 0 on FM-ready HSMs running firmware 7.4 or higher without the FM capability license. Does not appear on HSMs that are not FM-ready or are running firmware older than 7.4.	Encrypt Keys Passing from FM to HSM (Destructive) >1: With this policy enabled, keys created by an FM are encrypted before crossing from the FM to the Functionality Module Crypto Engine interface (FMCE). This internal encryption may be required to satisfy some certification requirements (such as Common Criteria). >0 (default): Keys are not encrypted before crossing to the FMCE.
55	Enable Restricted Restore This capability allows the HSM SO to restrict a Luna Backup HSM (G7) from being used with Luna firmware older than 7.7.0, for any purpose other than to migrate cryptographic objects to Luna HSM firmware 7.7.0 or newer. See What are "pre-firmware 7.7.0", and V0, and V1 partitions? for more information. Appears on Luna G7 Backup HSM running firmware 7.7.1 or newer.	Enable Restricted Restore (ON-to-OFF Destructive) >1: Objects backed up from pre-7.7.0 firmware partitions can only be restored to V0 or V1 partitions (Luna HSM firmware 7.7.0 or newer). Enable this policy to ensure FIPS compliance. >0 (default): Objects backed up from pre-7.7.0 firmware partitions can be restored to pre-7.7.0 firmware partitions. Do not use this setting if you require FIPS compliance. NOTE FIPS compliance requires that objects are never cloned or restored to an HSM using less secure firmware. Since Luna Backup HSM (G7) firmware 7.7.1 and newer uses the same (more secure) cloning protocol as Luna V0/V1 partitions, this restriction applies to objects being restored to older Luna firmware, even if they were backed up from that same older firmware.

HSM Capability

HSM Policy

Enable PIN-based authentication

> 1: The HSM authenticates all users with keyboard-entered passwords.

> 0: See HSM capability 1 below.

N/A

Enable PED-based authentication

> 1: The HSM authenticates users with secrets stored on physical PED keys, read by a Luna PED. The Crypto Officer and Crypto User roles may also be configured with a secondary, keyboard-entered challenge secret.

> 0: See HSM capability 0 above.

N/A

Performance level

Numerical value indicates the HSM's performance level, determined by the model you selected at time of purchase:

>4: Standard performance

>8: Enterprise performance

>15: Maximum performance

N/A

Enable domestic mechanisms & key sizes

Always 1. All Luna PCIe HSMs are capable of full-strength cryptography with no US export restrictions.

N/A

Enable masking

Always 0 for HSMs with pre-7.7.0 firmware. SKS (which uses masking) was not available on Luna PCIe HSMs before version 7.7.0.

1 for Luna PCIe HSMs at firmware 7.7.0 and later, to support SKS.

If this policy is allowed, see partition policies 3 and 7 in Partition Capabilities and Policies.

Enable cloning

Always 1. All current Luna PCIe HSMs can clone cryptographic objects from one partition to another.

Allow cloning (Destructive)

>1 (default): The HSM may clone cryptographic objects from one partition to another. This is required to back up partitions or include them in HA groups. Partition SOs can enable/disable cloning on individual partitions.

>0: No partition on the HSM may clone cryptographic objects. Partition SOs cannot change this.

Enable full (non-backup) functionality

> 1: The HSM is capable of full cryptographic functions.

> 0: The HSM is capable of backup functions only (disallowed on Luna Backup HSMs only).

N/A

Enable non-FIPS algorithms

Always 1. The HSM can use all cryptographic algorithms described in Supported Mechanisms.

Allow non-FIPS algorithms (Destructive) *

>1 (default): The HSM may use all available cryptographic algorithms, meaning all the FIPS-approved algorithms as well as all the non-FIPS algorithms.

>0: Only algorithms sanctioned by the FIPS 140-2 standard are permitted. The following is displayed in the output from lunacm:> hsm showinfo:

The HSM is in FIPS 140-2 approved operation mode.

NOTE When C_GetMechanismInfo is called and the HSM policy “Allow NonFIPS Algorithms” is disabled:

1) If a mechanism has the WRAP flag set and MPE_NO_WRAP, the WRAP flag is not returned by the HSM as part of the mechanism info.

2) If a mechanism has the SIGN flag set and MPE_NO_SIGN, the SIGN flag is not returned by the HSM as part of the mechanism info.

When the policy is enabled, the HSM returns all the flags that are applicable to the requested mechanism.

Enable SO reset of partition PIN

Always 1. This capability enables:

>the Partition SO to reset the password or PED secret of the Crypto Officer.

>the Crypto Officer to reset the password or PED secret of the Crypto User.

SO can reset partition PIN (Destructive)

>1: Partition SO may reset the password or PED secret of a Crypto Officer who has been locked out after too many failed login attempts.

>0 (default): The CO lockout is permanent and the partition contents are no longer accessible. The partition must be re-initialized, and key material restored from a backup device.

See Resetting the Crypto Officer , Limited Crypto Officer, or Crypto User Credential.

Enable network replication

Always 1. This capability enables cloning of cryptographic objects over a network. This is required for HA groups, and for partition backup to a remote Luna Backup HSM.

Allow network replication

>1 (default): Cloning of cryptographic objects is permitted over a network. Remote backup is allowed, and the partition may be used in an HA group.

>0: Cloning over a network is not permitted. Partition backup is possible to a locally-connected Luna Backup HSM only.

Enable Korean Algorithms

> 1: if you have purchased and applied a license for the Korea-specific algorithm set. See Upgrading HSM Capabilities to purchase this capability.

> 0 if you have not applied this license.

N/A

FIPS evaluated

Always 0 - deprecated capability. All Luna PCIe HSMs are capable of operating in FIPS Mode.

NOTE This capability is visible (not used) in previous HSM firmware versions, but is removed from version 7.7.0 onward.

N/A

Manufacturing Token

Always 0. For Thales internal use only.

N/A

Enable forcing user PIN change

Always 1. This capability forces the Crypto Officer or Crypto User to change the initial role credential created by the Partition SO.

Force user PIN change after set/reset

>1 (default): After the Partition SO initializes or resets the Crypto Officer credential, the CO must change the credential before any other actions are permitted. This also applies when the CO initializes/resets the Crypto User role. This policy is intended to enforce the separation of roles on the partition.

>0: The CO/CU may continue to use the credential assigned by the Partition SO.

See Changing a Role Credential.

Enable offboard storage

Always 1, but SIM is not supported on this version of Luna PCIe HSM.

Allow offboard storage (Destructive)

Deprecated policy. On previous HSMs, this policy allowed or disallowed the use of the portable SIM key.

Default: 1

Enable partition groups

Always 0 - deprecated capability.

N/A

Enable Remote PED usage

Always 1 on PED-authenticated HSMs.

Always 0 on password-authenticated HSMs.

Allow Remote PED usage

>1 (default): The HSM may authenticate roles using a remotely-located PED server or a locally-installed PED.

>0: The HSM must use a locally-installed PED to authenticate roles.

HSM non-volatile storage space

Displays the maximum non-volatile storage space (in bytes) on the HSM, determined by the Luna PCIe HSM model you selected at time of purchase.

N/A

Enable Unmasking

Always 1. This capability enables migration from legacy Luna HSMs that used SIM.

Allow unmasking

>1 (default): Cryptographic objects may be migrated from legacy Luna HSMs that used SIM.

>0: Migration from legacy HSMs using SIM is not possible.

Maximum number of partitions

Displays the maximum number of application partitions that can be created on the HSM.

Current maximum number of partitions

You can change HSM policy 33 to lower the effective maximum number of partitions below the actual licensed maximum. You cannot, however, lower the maximum below the number of partitions currently existing on the HSM.

Enable Single Domain

Always 0. Not applicable to Luna PCIe HSM.

N/A

Enable Unified PED Key

Always 0. Not applicable to Luna PCIe HSM.

N/A

Enable MofN

Always 1 on PED-authenticated HSMs. Always 0 on password-authenticated HSMs.

Allow MofN

>1 (default): During PED key creation, you have the option to require a quorum to authenticate the role, by splitting the PED secret among multiple PED keys (see M of N Split Secrets (Quorum))

>0: Users do not have the option to split PED secrets (M and N are automatically set to 1).

Enable small form factor backup/restore

Always 0. Not available in this release.

N/A

Enable Secure Trusted Channel

Always 1.

Not applicable to HSMs at firmware 7.7.0 or newer, where STC is always enabled and is optional to use in any application partition, unless Partition Policy 37 is set to make STC mandatory for that partition.

Allow Secure Trusted Channel

Secure Trusted Channel is a Network HSM feature, and has no function on Luna PCIe HSM. Thales does not recommend turning this policy on at any time.

Enable decommission on tamper

Always 1. This enables the HSM to be automatically decommissioned if a tamper event occurs (see Comparing Zeroize, Decommission, and Factory Reset).

Decommission on tamper (Destructive)

>1: The HSM is decommissioned if a tamper event occurs (see Tamper Events).

>0 (default): The contents of the HSM are not affected by a tamper event.

Enable partition re-initialize

Always 0. Not applicable to Luna PCIe HSM. This capability and any associated feature and command(s) are applicable only to the Luna IS product, which shares some common code. No such feature has been tested on Luna PCIe HSM.

N/A

Enable low level math acceleration

Always 1. This capability enables acceleration of cryptographic functionality for maximum HSM performance.

Allow low-level math acceleration

>1 (default): Provides maximum HSM performance.

>0: Do not turn this policy off unless instructed by Thales Technical Support.

Allow Disabling Decommission

Always 1. This capability enables the HSM SO to disable the decommission jumper header on the HSM.

Disable Decommission (Destructive)

>1: The decommission jumper header is disabled, preventing decommissioning of the HSM.

>0 (default): Decommission works as described in Decommissioning the HSM Card.

CAUTION! Changing this policy will destroy partitions on the HSM, and they must be recreated. If HSM policy 40 is enabled, you cannot enable this policy (fails with error: CKR_CONFIG_FAILS_DEPENDENCIES). However, attempting to enable it will still destroy HSM partitions.

Enable Tunnel Slot

Always 0. Not available in this release.

N/A

Enable Controlled Tamper Recovery

Always 1. This capability enables the HSM SO to require tamper events to be explicitly cleared before normal operations can resume.

Do Controlled Tamper Recovery

>1 (default): After a tamper event, the HSM SO must explicitly clear the tamper before the HSM can resume normal operations.

>0: The HSM must be restarted before it can resume normal operations.

See Tamper Events for more information.

Enable Partition Utilization Metrics

Always 1. This capability enables the HSM SO to view (or export to a named file) counters that record how many times specific cryptographic operations have been performed in application partitions since the last counter-reset event. This provides a picture of operational utilization that can be used to guide the (re-)allocation and balancing of partitions and applications, for better service to all users of your partitions.

Allow Partition Utilization Metrics

>1: The HSM SO can view Partition Utilization Metrics.

>0 (default): Partition Utilization Metrics are not available.

See Partition Utilization Metrics for more information.

Enable Functionality Modules

This capability enables Functionality Modules (FMs) to be loaded to the HSM (see Functionality Modules).

> 1 on FM-ready HSMs running firmware 7.4 or higher, with the FM capability license installed (see Preparing the Luna PCIe HSM to Use FMs).

> 0 on FM-ready HSMs running firmware 7.4 or higher without the FM capability license.

Does not appear on HSMs that are not FM-ready or are running firmware older than 7.4.

Allow Functionality Modules (Destructive)

>1: With this policy enabled, Functionality Modules may be loaded to the HSM, permitting custom cryptographic operations. Allows use of the ctfm utility and FM-related commands, and the use of Functionality Modules in general with this HSM.

NOTE FIPS compliance requires that objects are never cloned or restored to an HSM using less secure firmware. FIPS 140 validation is performed against the HSM hardware with a specific firmware version.

Since the introduction of a Functionality Module changes the firmware, allowing FMs in the HSM removes the HSM from FIPS compliance.

For purposes of cloning, an HSM where FMs have ever been allowed is considered less secure than one where FMs have never been allowed. See the Caution below.

You can subsequently disable FMs, but future cloning operations will work only with other FM-HOC HSMs.

>0 (default): FMs may not be loaded to the HSM.

CAUTION! Enabling FMs (HSM policy 50) introduces changes to Luna HSM functionality, some of which are permanent; they cannot be removed by disabling the policy. FM-enabled status is not reversible by Factory Reset.Refer to FM Deployment Constraints for details before enabling.

If you are using Crypto Command Center, ensure that your CCC version supports FM-enabled HSMs before you enable HSM policy 50. Refer to the CCC CRN for details.

Enable SMFS Auto Activation

This capability enables the Secure Memory File System (SMFS) to be activated automatically on startup.

> 1 on FM-ready HSMs running firmware 7.4 or higher, with the FM capability license installed (see Preparing the Luna PCIe HSM to Use FMs).

> 0 on FM-ready HSMs running firmware 7.4 or higher without the FM capability license.

Does not appear on HSMs that are not FM-ready or are running firmware older than 7.4.

Allow SMFS Auto Activation (Destructive)

>1: With this policy enabled, the Secure Memory File System (SMFS) is automatically activated on startup, providing a secure, tamper-enabled location in the HSM memory where Functionality Modules can load keys and parameters. Auto-activation for SMFS, like auto-activation for PED-authenticated partitions in general, persists through a power outage of up to 2 hours duration.

>0 (default): If disabled, the HSM SO must manually activate the SMFS each time the HSM reboots or loses power.

Allow Restricting FM Privilege Level

This capability enables the HSM SO to restrict the sensitive key attributes of partition objects from FMs.

> 1 on FM-ready HSMs running firmware 7.4 or higher, with the FM capability license installed (see Preparing the Luna PCIe HSM to Use FMs).

> 0 on FM-ready HSMs running firmware 7.4 or higher without the FM capability license.

Does not appear on HSMs that are not FM-ready or are running firmware older than 7.4.

Restrict FM Privilege Level (Destructive)

>1: FM privilege is restricted.

>0 (default): FM privilege permits FMs to see the sensitive key attributes (including key values) of cryptographic objects on application partitions. This privilege is necessary for most FMs, so that the Crypto Officer (CO) and Crypto User (CU) roles can use partition objects with the FM. However, some FMs might not require this privilege and it can be restricted to satisfy some certification requirements (such as Common Criteria).

Allow Encrypting of Keys from FM to HSM

This capability enables key encryption between the FM and the Functionality Module Crypto Engine interface (FMCE).

> 1 on FM-ready HSMs running firmware 7.4 or higher, with the FM capability license installed (see Preparing the Luna PCIe HSM to Use FMs).

> 0 on FM-ready HSMs running firmware 7.4 or higher without the FM capability license.

Does not appear on HSMs that are not FM-ready or are running firmware older than 7.4.

Encrypt Keys Passing from FM to HSM (Destructive)

>1: With this policy enabled, keys created by an FM are encrypted before crossing from the FM to the Functionality Module Crypto Engine interface (FMCE). This internal encryption may be required to satisfy some certification requirements (such as Common Criteria).

>0 (default): Keys are not encrypted before crossing to the FMCE.

Enable Restricted Restore

This capability allows the HSM SO to restrict a Luna Backup HSM (G7) from being used with Luna firmware older than 7.7.0, for any purpose other than to migrate cryptographic objects to Luna HSM firmware 7.7.0 or newer. See What are "pre-firmware 7.7.0", and V0, and V1 partitions? for more information.

Appears on Luna G7 Backup HSM running firmware 7.7.1 or newer.

Enable Restricted Restore (ON-to-OFF Destructive)

>1: Objects backed up from pre-7.7.0 firmware partitions can only be restored to V0 or V1 partitions (Luna HSM firmware 7.7.0 or newer). Enable this policy to ensure FIPS compliance.

>0 (default): Objects backed up from pre-7.7.0 firmware partitions can be restored to pre-7.7.0 firmware partitions. Do not use this setting if you require FIPS compliance.

NOTE FIPS compliance requires that objects are never cloned or restored to an HSM using less secure firmware. Since Luna Backup HSM (G7) firmware 7.7.1 and newer uses the same (more secure) cloning protocol as Luna V0/V1 partitions, this restriction applies to objects being restored to older Luna firmware, even if they were backed up from that same older firmware.

* The Backup HSM performs only backup and restore operations and is not a general-purpose HSM. It has no information about the origin of keys or objects. In the case of FIPS-mode or non-FIPS the status of a source HSM (Policy 12) is not noticed, and a target HSM decides what to do with keys from a restore operation. However, the actions of a Backup HSM can be affected by the cloning protocol that is used - see Policy 55