Scalable Key Storage

This section describes the Scalable Key Storage (SKS) feature for Luna HSMs and assumes the following:

>You understand the differences between V0 and V1 partitions and how these partitions affect the operation of Luna HSM. For more information, refer to Compare Behavior of Pre-Firmware 7.7, and V0, and V1 Partitions.

>You plan on converting a partition from V0 to V1. For more information, refer to Converting Partitions from V0 to V1 or V1 to V0.

The pages in this section apply only after you convert an existing V0 partition to V1 or create new version one (V1) partitions, which use the new cloning protocol and the SKS feature.

What is Scalable Key Storage?

SKS provides virtually unlimited secure storage and handling of your sensitive keys.

By default, keys on Luna HSMs have resided in HSM hardware. This remains true, by default, with the introduction of Luna HSM Firmware 7.7.0. However, firmware 7.7.0 (and newer) adds key export flexibility that expands the Luna HSM's assurance boundary to encompass much greater numbers of keys than the internal capacity of an HSM.

Keys secure anywhere, the SKS eIDAS model

Beginning with Luna HSM Firmware 7.7.0, you have the option to use the Scalable Key Storage (SKS) feature by converting or creating a partition as Version 1 (V1). When a partition is created, it is given a unique SKS Master Key (SMK) (see Compare Behavior of Pre-Firmware 7.7, and V0, and V1 Partitions).

SKS is based upon a model where keys generated on the HSM:

>are securely extracted as encrypted SKS objects and

>are inserted back into the HSM, to be temporarily decrypted, when cryptographic operations are to be performed with those keys.

Similarly, when a unique key encrypts data, the data and the key can be stored together as an encrypted binary large object (blob), up to 64 KB in size, that can be decrypted only within the HSM.
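A conceptual model of the extract/insert cycle described above, added here as an illustration; it is not Thales code and does not use the Luna API. The class and method names are hypothetical, and an HMAC-SHA256 keystream with an HMAC tag stands in for whatever the firmware actually uses to protect SKS objects.

```python
import hashlib
import hmac
import os

MAX_BLOB = 64 * 1024   # blob size ceiling stated on this page
NONCE, TAG = 16, 32    # sizes chosen for this model only

def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

class Partition:
    """Conceptual V1 partition; every name here is hypothetical."""

    def __init__(self, smk: bytes = b""):
        # Each partition gets its own SMK unless one is replicated into it.
        self._smk = smk or os.urandom(32)

    def replica(self) -> "Partition":
        # Stand-in for replicating the SMK to another partition (HA, backup).
        return Partition(self._smk)

    def _seal(self, nonce: bytes, data: bytes) -> bytes:
        # XOR with an SMK-derived keystream; applying it twice decrypts.
        enc = _prf(self._smk, b"enc" + nonce)
        ks = b"".join(_prf(enc, i.to_bytes(8, "big"))
                      for i in range(len(data) // 32 + 1))
        return bytes(x ^ y for x, y in zip(data, ks))

    def _tag(self, body: bytes) -> bytes:
        return _prf(_prf(self._smk, b"mac"), body)

    def generate_and_extract(self, size: int = 32) -> bytes:
        # Key material is created inside and leaves only in encrypted form.
        if NONCE + size + TAG > MAX_BLOB:
            raise ValueError("blob would exceed 64 KB")
        nonce = os.urandom(NONCE)
        body = nonce + self._seal(nonce, os.urandom(size))
        return body + self._tag(body)

    def insert_and_mac(self, blob: bytes, message: bytes) -> bytes:
        # Insert the blob, use the key for one operation, then drop it.
        if not NONCE + TAG <= len(blob) <= MAX_BLOB:
            raise ValueError("bad blob size")
        body, tag = blob[:-TAG], blob[-TAG:]
        if not hmac.compare_digest(tag, self._tag(body)):
            raise PermissionError("blob not sealed under this partition's SMK")
        key = self._seal(body[:NONCE], body[NONCE:])
        return _prf(key, message)
```

In this model the blob can sit in any external store: a partition with a different SMK rejects it, while a partition holding a replicated SMK can use it.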

If the HSM is upgraded from an earlier HSM firmware version to Luna HSM Firmware 7.7.0 or newer, then any existing partitions become version zero (V0). Similarly, if you create a new partition on a Luna HSM Firmware 7.7.0 (or newer) HSM, with the default "-version 0" option, it becomes a V0 partition. A V0 partition retains compatibility with older partitions and applications:

>that rely on cloning (secure copying/moving of objects between HSMs or HSM partitions or Backup HSMs, also known as Keys Always in Hardware)

>while benefiting from fixes and security updates that come with the new firmware, but with no access to the newer eIDAS-mandated features.

If you create a new partition in an HSM with Luna HSM Firmware 7.7.0 or newer and select the V1 option (-version 1), the new partition is version one (V1). It gets a unique SMK and uses SKS (rather than cloning) to replicate keys for HA or for Backup and Restore. The partition also engages Per Key Authorization and other eIDAS-related features, but is incompatible with V0. You can also update a V0 partition to V1 while retaining existing objects (but de-converting, or converting back, is not an option).

Here is what you will find in the pages of this section:

>What is Scalable Key Storage?

>When to use SKS

>SKS model
    How does SKS work?
    Limitation and scalability

>Characteristics of the SKS Implementation
    Characteristics and Implementation Notes
    Functional Notes
    SMK Locations in a Partition

>High Availability and SKS

>Preparing and Administering SKS Partitions
    Provisioning SKS
    Replicating the SMK to another SKS Partition
    Backing up the SMK
    Restoring the SMK from Backup
    Preparing to use SKS

>Using SKS
    Using SKS - options
    API
    ckdemo example
    Java Sample
    High Availability
    Constraints on SKS HA
    Replicating the SMK to all group members
    When NOT to address the virtual slot

>SKS Backup and Restore
    Constraints on SKS Backup and Restore
    Backup the SKS Master Key (SMK)
    Restore an SKS Master Key (SMK)
    Troubleshooting SKS Backup and Restore

>SMK Rollover

>Migrating Scalable Key Storage (SKS)
    Cloning the SKS Master Key (SMK)
    SKS Blob Migration