Enabling and Disabling CPv4 Cipher Suites
Cipher suites for Cloning Protocol version 4 (CPv4) are used for cloning to-and-from partitions, if the individual suites are enabled for a partition, and the use of CPv4 is not prevented by CPv1 being active (see Allow CPv1).
NOTE Use of CPv4 requires that the HSM time be set before any cloning operation is attempted that invokes the protocol.
It is recommended to have the host synchronized to a secure ntp or nts server, before synchronizing the HSM time to host time.
Use hsm time commands.
By default, eight CPv4 cipher suites are available and active, and the system negotiates the best/most secure suite for the current cloning operation, based on which suites are available to both the source and target partitions. If you have reason to do so, you can disable some cipher suites, which reduces negotiation time among those that remain enabled. You can also enable desired cloning cipher suites that have been disabled.
To show the current status of enabled and disabled cipher suites
1.Run partition ciphershow command.
lunacm:>partition ciphershow
Cipher ID Cipher Suite Enabled
__________________________________________________________________________________
0 CPv3 RSA-4096-PKCS-SHA2-384 AES-256-GCM Yes
1 CPv4 ECDSA-P521-SHA2-512 ECDH-P521-SHA2-512 AES-256-GCM No
2 CPv4 ECDSA-P521-SHA2-512 ECDH-P521-SHA2-512 No
AES-256-CTR-HMAC-SHA2-512
3 CPv4 ECDSA-BP512-SHA2-512 ECDH-BP512-SHA2-512 No
AES-256-GCM
4 CPv4 ECDSA-BP512-SHA2-512 ECDH-BP512-SHA2-512 No
AES-256-CTR-HMAC-SHA2-512
5 CPv4 ECDSA-P521-SHA3-512 ECDH-P521-SHA3-512 AES-256-GCM No
6 CPv4 ECDSA-P521-SHA3-512 ECDH-P521-SHA3-512 No
AES-256-CTR-HMAC-SHA3-512
7 CPv4 ECDSA-BP512-SHA3-512 ECDH-BP512-SHA3-512 No
AES-256-GCM
8 CPv4 ECDSA-BP512-SHA3-512 ECDH-BP512-SHA3-512 No
AES-256-CTR-HMAC-SHA3-512
9 CPv4 ECDSA-P521-SHA2-512 ECDH-P521-ML-KEM1024-SHA2-512 Yes
AES-256-GCM
10 CPv4 ECDSA-P521-SHA2-512 ECDH-P521-ML-KEM1024-SHA2-512 Yes
AES-256-CTR-HMAC-SHA2-512
11 CPv4 ECDSA-BP512-SHA2-512 Yes
ECDH-BP512-ML-KEM1024-SHA2-512 AES-256-GCM
12 CPv4 ECDSA-BP512-SHA2-512 Yes
ECDH-BP512-ML-KEM1024-SHA2-512
AES-256-CTR-HMAC-SHA2-512
13 CPv4 ECDSA-P521-SHA3-512 ECDH-P521-ML-KEM1024-SHA3-512 Yes
AES-256-GCM
14 CPv4 ECDSA-P521-SHA3-512 ECDH-P521-ML-KEM1024-SHA3-512 Yes
AES-256-CTR-HMAC-SHA3-512
15 CPv4 ECDSA-BP512-SHA3-512 Yes
ECDH-BP512-ML-KEM1024-SHA3-512 AES-256-GCM
16 CPv4 ECDSA-BP512-SHA3-512 Yes
ECDH-BP512-ML-KEM1024-SHA3-512
AES-256-CTR-HMAC-SHA3-512
The output shown for your partition might vary from the example above. If the output from the command shows only 8 ciphers, you have an older firmware version - update your HSM firmware and client for support of the additional ciphers.
To enable a cipher suite
1.Run the partition cipherenable command with the ID of the cloning cipher suite you want to enable.
lunacm:>partition cipherenable -id 1 CPv4 ECDSA-P521-SHA-512 ECDH-P521-SHA512 AES-256-GCM is now enabled Command Result : No Error
2.Run partition ciphershow command to verify the result.
lunacm:>partition ciphershow
Cipher ID Cipher Suite Enabled
__________________________________________________________________________________
0 CPv3 RSA-4096-PKCS-SHA2-384 AES-256-GCM Yes
1 CPv4 ECDSA-P521-SHA2-512 ECDH-P521-SHA2-512 AES-256-GCM Yes
2 CPv4 ECDSA-P521-SHA2-512 ECDH-P521-SHA2-512 No
AES-256-CTR-HMAC-SHA2-512
3 CPv4 ECDSA-BP512-SHA2-512 ECDH-BP512-SHA2-512 No
AES-256-GCM
4 CPv4 ECDSA-BP512-SHA2-512 ECDH-BP512-SHA2-512 No
AES-256-CTR-HMAC-SHA2-512
5 CPv4 ECDSA-P521-SHA3-512 ECDH-P521-SHA3-512 AES-256-GCM No
6 CPv4 ECDSA-P521-SHA3-512 ECDH-P521-SHA3-512 No
AES-256-CTR-HMAC-SHA3-512
7 CPv4 ECDSA-BP512-SHA3-512 ECDH-BP512-SHA3-512 No
AES-256-GCM
8 CPv4 ECDSA-BP512-SHA3-512 ECDH-BP512-SHA3-512 No
AES-256-CTR-HMAC-SHA3-512
9 CPv4 ECDSA-P521-SHA2-512 ECDH-P521-ML-KEM1024-SHA2-512 Yes
AES-256-GCM
10 CPv4 ECDSA-P521-SHA2-512 ECDH-P521-ML-KEM1024-SHA2-512 Yes
AES-256-CTR-HMAC-SHA2-512
11 CPv4 ECDSA-BP512-SHA2-512 Yes
ECDH-BP512-ML-KEM1024-SHA2-512 AES-256-GCM
12 CPv4 ECDSA-BP512-SHA2-512 Yes
ECDH-BP512-ML-KEM1024-SHA2-512
AES-256-CTR-HMAC-SHA2-512
13 CPv4 ECDSA-P521-SHA3-512 ECDH-P521-ML-KEM1024-SHA3-512 Yes
AES-256-GCM
14 CPv4 ECDSA-P521-SHA3-512 ECDH-P521-ML-KEM1024-SHA3-512 Yes
AES-256-CTR-HMAC-SHA3-512
15 CPv4 ECDSA-BP512-SHA3-512 Yes
ECDH-BP512-ML-KEM1024-SHA3-512 AES-256-GCM
16 CPv4 ECDSA-BP512-SHA3-512 Yes
ECDH-BP512-ML-KEM1024-SHA3-512
AES-256-CTR-HMAC-SHA3-512
To disable a cipher suite
1.Run the partition cipherdisable command with the ID of the cloning cipher suite you want to disable.
lunacm:>partition cipherdisable -id 0 CPv3 RSA-4096-PKCS-SHA-384 AES-256-GCM is now disabled Command Result : No Error
2.Run the partition ciphershow command to verify the result.
lunacm:>partition ciphershow
Cipher ID Cipher Suite Enabled
__________________________________________________________________________________
0 CPv3 RSA-4096-PKCS-SHA2-384 AES-256-GCM No
1 CPv4 ECDSA-P521-SHA2-512 ECDH-P521-SHA2-512 AES-256-GCM Yes
2 CPv4 ECDSA-P521-SHA2-512 ECDH-P521-SHA2-512 No
AES-256-CTR-HMAC-SHA2-512
3 CPv4 ECDSA-BP512-SHA2-512 ECDH-BP512-SHA2-512 No
AES-256-GCM
4 CPv4 ECDSA-BP512-SHA2-512 ECDH-BP512-SHA2-512 No
AES-256-CTR-HMAC-SHA2-512
5 CPv4 ECDSA-P521-SHA3-512 ECDH-P521-SHA3-512 AES-256-GCM No
6 CPv4 ECDSA-P521-SHA3-512 ECDH-P521-SHA3-512 No
AES-256-CTR-HMAC-SHA3-512
7 CPv4 ECDSA-BP512-SHA3-512 ECDH-BP512-SHA3-512 No
AES-256-GCM
8 CPv4 ECDSA-BP512-SHA3-512 ECDH-BP512-SHA3-512 No
AES-256-CTR-HMAC-SHA3-512
9 CPv4 ECDSA-P521-SHA2-512 ECDH-P521-ML-KEM1024-SHA2-512 Yes
AES-256-GCM
10 CPv4 ECDSA-P521-SHA2-512 ECDH-P521-ML-KEM1024-SHA2-512 Yes
AES-256-CTR-HMAC-SHA2-512
11 CPv4 ECDSA-BP512-SHA2-512 Yes
ECDH-BP512-ML-KEM1024-SHA2-512 AES-256-GCM
12 CPv4 ECDSA-BP512-SHA2-512 Yes
ECDH-BP512-ML-KEM1024-SHA2-512
AES-256-CTR-HMAC-SHA2-512
13 CPv4 ECDSA-P521-SHA3-512 ECDH-P521-ML-KEM1024-SHA3-512 Yes
AES-256-GCM
14 CPv4 ECDSA-P521-SHA3-512 ECDH-P521-ML-KEM1024-SHA3-512 Yes
AES-256-CTR-HMAC-SHA3-512
15 CPv4 ECDSA-BP512-SHA3-512 Yes
ECDH-BP512-ML-KEM1024-SHA3-512 AES-256-GCM
16 CPv4 ECDSA-BP512-SHA3-512 Yes
ECDH-BP512-ML-KEM1024-SHA3-512
AES-256-CTR-HMAC-SHA3-512
