Creating PED keys

When you initialize an HSM, partition, or role, the Luna PED issues a series of prompts for you to follow to create your PED keys. PED key actions have a timeout setting (default: 200 seconds); ensure that you have everything you need before issuing an initialization command. The requirements for the operation depend on the PED key scheme you have chosen in advance, based on your organization's security policy. Consider these guidelines before you begin:

>If you are reusing an existing PED key or keyset, the owners of those keys must be present with their keys and PINs ready.

>If you plan to use an M of N authentication scheme (quorum, or split-secret), all the parties involved must be present and ready to create their authentication split (the initial setup of the quorum and spares). It is advisable for each key holder to create backup duplicates, so you must have a sufficient number of blank or rewritable PED keys ready before you begin.

>If you plan to make backup duplicates of PED keys, you must have a sufficient number of blank or rewritable PED keys ready.

>If you plan to use PINs, ensure that they can be privately entered on the Luna PED and memorized, or written down and securely stored.

Whenever the Luna PED prompts you to insert a PED key, use the USB port on the top of the PED.

To initiate PED key creation

1. Issue one of the following LunaSH or LunaCM commands to initialize the applicable role, domain, or vector.

Blue HSM SO and Red HSM Domain PED key:

lunash:> hsm init

Orange Remote PED Vector PED key:

lunash:> hsm ped vector init

Blue Partition SO and Red Partition Domain PED keys:

lunacm:> partition init

Black Crypto Officer PED key:

lunacm:> role init -name co

Gray Crypto User PED key:

lunacm:> role init -name cu

White Audit User PED key:

lunash:> audit init

The Luna PED responds with its first prompt.

NOTE   The Luna PED screen prompts for a black PED key for any of

>"User",

>"Crypto Officer",

>"Limited Crypto Officer",

>"Crypto User".

The Luna PED is not aware that the key you present has a black or a gray sticker on it. The colored stickers are visual identifiers for your convenience in keeping track of your PED keys. You differentiate by how you label, and how you use, a given physical key that the Luna PED sees as "black" (once it has been imprinted with a secret).

2. Follow the PED prompts in the following four stages.

Stage 1: Reusing Existing PED keys

If you want to use a PED key with an existing authentication secret, have the key ready to present to the Luna PED. Reasons for reusing keys may include:

>You want to use the same blue SO key to authenticate multiple HSMs/partitions

>You want to initialize a partition in an already-existing cloning domain (to be part of an HA group)

CAUTION!   The initialization procedure is the only opportunity to set the HSM/partition's cloning domain. It cannot be changed later without reinitializing the HSM, or deleting and recreating the partition. Ensure that you have the correct red key(s) ready.

See Shared PED key Secrets and Domain PED keys for more information.

1. The first Luna PED prompt asks if you want to reuse an existing PED key. Press Yes or No on the keypad to continue.

If you select No, skip to Stage 2: Defining M of N.

If you select Yes, the PED prompts you for a key. Insert the key you want to reuse and press Enter.

2. If the key has a PIN, the PED prompts you to enter it now. Enter the PIN on the keypad and press Enter.

3. If the key is part of an M of N scheme, the PED prompts you for the next key. You must present enough key splits (M, a.k.a. the quorum) to reconstitute the entire authentication secret.

4. The PED asks if you want to create a duplicate set of keys. If you are duplicating an M of N keyset, you need a number of blank or rewritable keys equal to N.

If you select No, the process is complete.

If you select Yes, complete Stage 3: Setting a PIN for all the duplicate keys you want.

Stage 2: Defining M of N

If you chose to create a new keyset, the Luna PED prompts you to define the M of N scheme (quorum and pool of splits) for the role, domain, or vector. See Quorum Split Secrets (M of N) for more information. If you do not want to use M of N (authentication by one PED key), enter a value of 1 for both M and N. Effectively, you have set a "quorum" of one key-holder.

1. The PED prompts you to enter a value for M (the minimum number of split-secret keys required to authenticate the role, domain, or vector - the quorum). Set a value for M by entering it on the keypad and pressing Enter. If you are not using an M of N scheme, enter "1".

2. The PED prompts you to enter a value for N -- the total number of split-secret keys you want to create (the pool of splits from which a quorum will be drawn). Set a value for N by entering it on the keypad and pressing Enter. If you are not using an M of N scheme, enter "1".

3. Continue to Stage 3: Setting a PIN. You must complete stage 3 for each key in the M of N scheme.
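The quorum property that Stage 2 relies on (any M of the N splits reconstitute the secret, while M-1 splits reveal nothing useful) is easiest to see in code. The following is an added, self-contained illustration using Shamir threshold sharing over a prime field; it is not Thales's code and makes no claim about how the Luna PED splits secrets internally. The function names `split_secret`, `reconstitute` and `demo`, and the sample secret, are constructed for this example. It also covers the degenerate case the text describes, M = N = 1, where the single "split" is simply the whole secret.

```python
"""Toy M-of-N split-secret illustration (Shamir threshold sharing over GF(p)).

Added example for the quorum concept in Stage 2. This is NOT the Luna PED's
implementation; it only demonstrates why any M of N splits suffice and why
fewer than M do not.
"""

import secrets

# 2**127 - 1 is prime; the secret and every split value live in GF(PRIME).
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, m, n):
    """Split `secret` into n shares, any m of which reconstitute it.

    m is the quorum (M), n is the pool size (N). Returns (x, y) splits.
    With m == n == 1 the polynomial is constant, so the single split is the
    secret itself: the page's "quorum of one key-holder" case.
    """
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of range")
    # Random polynomial of degree m-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstitute(shares):
    """Lagrange-interpolate the constant term (the secret) from (x, y) splits.

    Correct only when at least M distinct splits are supplied. With fewer,
    the result is an unrelated field element and no error is raised: a
    sub-quorum cannot tell that it has failed, let alone learn the secret.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("the same split was presented twice")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Modular inverse of den via Fermat's little theorem (PRIME is prime).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def demo(secret=0x5EC4E7, m=3, n=5):
    """Split a constructed secret and report quorum / sub-quorum outcomes."""
    shares = split_secret(secret, m, n)
    results = {
        "n_splits": len(shares),
        # Any M splits work: the first M and the last M are different subsets.
        "quorum_reconstitutes": reconstitute(shares[:m]) == secret,
        "other_quorum_reconstitutes": reconstitute(shares[-m:]) == secret,
        # M-1 splits do not (None when M == 1, since a sub-quorum is empty).
        "sub_quorum_reconstitutes": (
            reconstitute(shares[: m - 1]) == secret if m > 1 else None
        ),
    }
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` with the defaults (M = 3, N = 5) shows two different three-split subsets both recovering the secret while any two splits do not; `demo(secret=42, m=1, n=1)` shows the single-key case. The point for PED key planning is the same as on the page: N physical keys are imprinted, any M of them must be present to authenticate, and losing more than N-M keys (or their PINs) makes the secret unrecoverable.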

Stage 3: Setting a PIN

If you are creating a new key or M of N split, you have the option of setting a PIN that must be entered by the key owner during authentication. PINs must be 4-48 digits long. Do not use 0 for the first digit. See PINs for more information.

CAUTION!   If you forget your PIN, it is the same as losing the PED key entirely; you cannot authenticate the role. See Consequences of Losing PED keys.

1. The PED prompts you to insert a blank or reusable PED key. If you are creating an M of N split, the number of already-created splits is displayed.

2. Insert the PED key and press Enter. The PED prompts for confirmation.

If the PED key you inserted is not blank, you must confirm twice that you want to overwrite it.

3. The PED prompts you for a PIN.

If you want to set a PIN, enter it on the keypad and press Enter. Enter the PIN again to confirm it.

If you do not want to set a PIN, press Enter twice without entering anything on the keypad. You will not be asked to enter a PIN for this key in the future.

4. If there are more keys in the M of N scheme, repeat this stage. Otherwise, continue to Stage 4: Duplicating New PED keys.

Stage 4: Duplicating New PED keys

You now have the option to create duplicates of your newly-created PED key(s). There are two reasons to do this now:

>If you want more than one person to be able to authenticate a role, you can create multiple keys for that role now, with each person being able to set their own PIN. Duplicates you create later are intended as backups, and will have the same PIN (or none) as the key they are copied from.

>In case of key loss or theft.

You can make backups now or later. See also Duplicating Existing PED keys.

1. The next PED prompt asks if you want to create a duplicate keyset (or another duplicate). Press Yes or No on the keypad to continue.

If you select No, the key creation process is complete.

If you select Yes, complete Stage 3: Setting a PIN for the duplicate keyset. You can set the same PIN to create a true copy, or set a different PIN for each duplicate.

2. If you specified an M of N scheme, you are prompted to repeat Stage 3: Setting a PIN for each M of N split. Otherwise, the key creation process is complete.