Changing the PED key Secret
Use the instructions on this page to change/rotate the secrets on any of the indicated PED iKeys.
From time to time, it might be necessary to change the secret associated with a role on an HSM or a partition of an HSM, or a cloning domain secret. Reasons for changing credentials include:
>Regular credential rotation as part of your organization's security policy
>Compromise of a role or secret due to loss or theft of a PED key
>Personnel changes in your organization or changes to individual security clearances
>Changes to your security scheme (implementing/revoking M of N, PINs, or shared secrets)
The procedure for changing a PED key credential depends on the type of key. Procedures for each type are provided below.
CAUTION! If you are changing a multifactor quorum credential that is shared among multiple HSMs/partitions/roles, always keep at least one copy of the old keyset until the affected HSMs/partitions/roles are all changed to the new credential. When changing multifactor quorum credentials, you must always present the old keyset first; do not overwrite your old PED keys until you have no further need for them.
Blue HSM SO PED key
The HSM SO can use this procedure to change the HSM SO credential.
To change the blue HSM SO PED key credential
1. In LunaCM, set the active slot to the Admin partition and log in as HSM SO.
lunacm:> role login -name so
2. Initiate the PED key change.
lunacm:> role changepw -name so
3. You are prompted to present the original blue PED key(s) and then to create a new HSM SO keyset. See Creating PED keys.
Red HSM Domain PED key
It is not possible to change an HSM's cloning domain without factory-resetting the HSM and setting the new cloning domain as part of the standard initialization procedure.
CAUTION! If you set a different cloning domain for the HSM, you cannot restore the
Orange Remote PED Vector PED key
The HSM SO can use this procedure to change the Remote PED Vector (RPV) for the HSM.
To change the RPV/orange key credential
1. In LunaCM, set the active slot to the Admin partition and log in as HSM SO.
lunacm:> role login -name so
2. Initialize the RPV.
lunacm:> ped vector init
You are prompted to create a new Remote PED key. See Creating PED keys.
3. Distribute a copy of the new orange key to the administrator of each Remote PED server.
Blue Partition SO PED key
The Partition SO can use this procedure to change the Partition SO credential.
To change a blue Partition SO PED key credential
1. In LunaCM, log in as Partition SO.
lunacm:> role login -name po
2. Initiate the PED key change.
lunacm:> role changepw -name po
3. You are prompted to present the original blue key(s) and then to create a new Partition SO keyset. See Creating PED keys.
Red Partition Domain PED key
If you are using Luna HSM Firmware 7.7.2 and older, it is not possible to change a partition's cloning domain. A new partition must be created and initialized with the desired domain. The new partition will not have access to any of the original partition's backups. It cannot be made a member of the same HA group as the original.
Using Luna HSM Firmware 7.8.0 and newer, each partition can support up to three different cloning domains, allowing your sensitive keys and objects to remain within the cryptographic perimeter of the HSM while:
>migrating objects from one domain to another
>splitting domains
>rotating, rolling over, or refreshing your partition domain secrets as part of mandated periodic changes of credential/authentication, just as you would with passwords for
•appliance administration (including network, logging, NTP, tamper response, etc.)
•HSM or partition roles
–container/partition administrative access
–client access for crypto operations on keys and objects
•etc.
To change the domain secret
See Updating or rotating cloning domain secrets.
Black Crypto Officer PED key
The Crypto Officer can use this procedure to change the Crypto Officer credential.
To change a black Crypto Officer PED key credential
1. In LunaCM, log in as Crypto Officer.
lunacm:> role login -name co
2. Initiate the PED key change.
lunacm:> role changepw -name co
3. You are prompted to present the original black key(s) and then to create a new Crypto Officer keyset. See Creating PED keys.
Gray Crypto User PED key
The Crypto User can use this procedure to change the Crypto User credential.
To change a gray Crypto User PED key credential
1. In LunaCM, log in as Crypto User.
lunacm:> role login -name cu
2. Initiate the PED key change.
lunacm:> role changepw -name cu
3. You are prompted to present the original gray key(s) and then to create a new Crypto User keyset. See Creating PED keys.
NOTE The Luna PED screen prompts for a black PED key for any of
>"User",
>"Crypto Officer",
>"Limited Crypto Officer",
>"Crypto User".
The Luna PED is not aware that the key you present has a black or a gray sticker on it. The colored stickers are visual identifiers for your convenience in keeping track of your PED keys. You differentiate by how you label, and how you use, a given physical key that the Luna PED sees as "black" (once it has been imprinted with a secret).
White Audit User PED key
The Audit User can use this procedure to change the Audit User credential.
To change the white Audit User PED key credential
1. In LunaCM, set the active slot to the Admin partition and log in as Auditor.
lunacm:> role login -name au
2. Initiate the PED key change.
lunacm:> role changepw -name au
3. You are prompted to present the original white key(s) and then to create a new Audit User keyset. See Creating PED keys.