Consequences of Losing PED keys

PED keys are the only means of authenticating roles, domains, and RPVs on the multifactor quorum-authenticated Luna PCIe HSM 7. Losing a keyset effectively locks the user out of that role. Always keep secure backups of your PED keys, including quorum (M of N) split secrets. Forgetting the PIN associated with a key is equivalent to losing the key entirely. Losing a split-secret key is less serious, unless enough splits are lost so that M cannot be satisfied.
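The quorum (M of N) rule above can be made concrete with a small model. The following Python block is an added example, not Thales code or any representation of how the Luna PED actually splits secrets: it implements Shamir secret sharing over a prime field (the field prime, the sample secret and the M=3, N=5 counts are constructed values) so a reader can check that losing up to N-M split keys is survivable while losing more leaves the secret unrecoverable.

```python
"""Illustrative M-of-N (quorum) split secret.

Added example: models a quorum-split PED key secret with Shamir secret
sharing over a prime field. This is NOT Thales' implementation; the
prime, the sample secret and the share counts are constructed values.
"""
import secrets
from itertools import combinations

# Constructed parameter: a 127-bit Mersenne prime defines the field.
PRIME = 2**127 - 1


def split_secret(secret: int, m: int, n: int, rng=secrets.randbelow):
    """Split `secret` into n shares; any m of them recover it."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= M <= N")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must lie in the field")
    # Random polynomial of degree m-1 whose constant term is the secret.
    coeffs = [secret] + [rng(PRIME) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def recover_secret(shares):
    """Lagrange-interpolate f(0) from the supplied (x, y) shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        # Modular inverse via Fermat, since PRIME is prime.
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def quorum_survives(m: int, n: int, lost: int) -> bool:
    """The rule stated in the text: the quorum is lost only when fewer
    than M split keys remain."""
    return n - lost >= m


def demo(secret=0x5EC2E7, m=3, n=5):
    """Walk through the scenario: losing 2 of 5 splits is fine, losing
    3 leaves only 2 and M=3 can no longer be satisfied."""
    shares = split_secret(secret, m, n)
    # Any M-sized subset of the remaining shares reconstructs the secret.
    remaining_after_two_lost = shares[2:]          # 3 splits remain
    ok = all(recover_secret(list(c)) == secret
             for c in combinations(remaining_after_two_lost, m))
    # With only M-1 shares, interpolation yields a value that matches
    # the secret with probability 1/PRIME: effectively unrecoverable.
    remaining_after_three_lost = shares[3:]        # 2 splits remain
    failed = recover_secret(remaining_after_three_lost) != secret
    return ok, failed


if __name__ == "__main__":
    survivable, unrecoverable = demo()
    print("2 of 5 lost, recoverable:", survivable)
    print("3 of 5 lost, unrecoverable:", unrecoverable)
```

Note that `recover_secret` cannot tell the caller that too few shares were supplied; it simply returns the wrong value. In practice that is exactly why the text insists on backups of every split: once fewer than M splits remain, there is no error to detect, only a secret that no longer exists.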

If a PED key is lost or stolen, log in with one of your backup keys and change the existing PED key secret immediately, to prevent unauthorized HSM access.

The consequences of a lost PED key with no backup vary depending on the type of secret:

>Blue HSM SO PED key

>Red HSM Domain PED key

>Orange Remote PED key

>Blue Partition SO PED key

>Red Partition Domain PED key

>Black Crypto Officer PED key

>Gray Crypto User PED key

>White Audit User PED key

Blue HSM SO PED key

If the HSM SO secret is lost, you can no longer perform administrative tasks on the HSM, including partition creation and client assignment. If you use the same blue SO key for your HSM backup partitions, the contents of the HSM Admin partition are unrecoverable. Take the following steps:

1. Contact all Crypto Officers and have them immediately make backups of their existing partitions at the client.

2. When all important partitions are backed up, execute a factory reset of the HSM.

3. Initialize the HSM and create a new HSM SO secret. Use the original red HSM cloning domain key.

4. Restore the HSM Admin partition contents from a recent backup, if you have one.

5. If you are using Remote PED, you must recreate the Remote PED Vector (RPV). Reuse the original orange key.

6. Recreate the partitions and reassign them to their respective clients.

7. Partition SOs must initialize the new partitions using their original blue and red key(s), and initialize the Crypto Officer role (and Activation secret, if applicable). Supply the new black CO keys to the Crypto Officers.

8. Crypto Officers must change the login credentials from the new black CO key to their original black keys (and reset the Activation secret password, if applicable).

9. Crypto Officers can now restore all partition contents from backup.

Red HSM Domain PED key

If the HSM Key Cloning Vector is lost, you can no longer perform backup/restore operations on the HSM Admin partition(s). If the HSM is factory-reset, the contents of the HSM Admin partition are unrecoverable. Follow the same procedure as you would if you lost the blue HSM SO key, but you cannot restore the HSM Admin partition from backup.

Orange Remote PED key

If the Remote PED Vector is lost, create a new one and distribute a copy to the administrator of each Remote PED server. See Rotating or Re-Initializing the Orange Remote PED key.

Blue Partition SO PED key

If the Partition SO secret is lost, you can no longer perform administrative tasks on the partition. Take the following steps:

1. Have the Crypto Officer immediately make a backup of the partition objects.

2. Have the HSM SO delete the partition, create a new one, and assign it to the same client.

3. Initialize the new partition with a new blue Partition SO key and the original red cloning domain key(s).

4. Initialize the Crypto Officer role (and Activation secret, if applicable). Supply the new black CO key to the Crypto Officer.

5. The Crypto Officer must change the login credentials from the new black CO key to their original black key (and reset the Activation secret password, if applicable).

6. The Crypto Officer can now restore all partition contents from backup.

Red Partition Domain PED key

If the Partition Key Cloning Vector is lost, you can no longer perform backup/restore operations on the partition(s), or make changes to HA groups in that cloning domain. You can still perform all other operations on the partition. Take the following steps:

1. Have the HSM SO create a new partition (or multiple partitions, to replace the entire HA group) and assign it to the same client(s).

2. Initialize the partition(s) with a new cloning domain.

3. Initialize the Crypto Officer role with the original black Crypto Officer key (and Activation password, if applicable).

4. Create objects on the new partition to replace those on the original partition.

5. As soon as possible, change all applications to use the objects on the new partition.

6. When objects on the original partition are no longer in production use, the HSM SO can delete the original partition.

Black Crypto Officer PED key

If the Crypto Officer secret is lost, you can no longer create objects on the partition, or perform backup/restore operations. You might still be able to use the partition, depending on the following criteria:

>PIN reset by Partition SO:

If HSM policy 15 (Enable SO reset of partition PIN) is set to 1, the Partition SO can reset the Crypto Officer secret and create a new black CO key:

lunacm:>role resetpw -name co

If this policy is set to 0 (default), the CO is locked out unless other criteria in this list apply.

>Partition Activation:

If the partition is Activated, you can still access it for production using the CO challenge secret. Change your applications to use objects on a new partition as soon as possible.

If the partition is not Activated, read-only access of essential objects might still be available via the Crypto User role.

>Crypto User:

If the Crypto User is initialized, you can use the CU role for read-only access to essential partition objects while you change your applications to use objects on a new partition.

If none of these criteria apply, the contents of the partition are unrecoverable.

Gray Crypto User PED key

If the Crypto User secret is lost, the Crypto Officer can reset the CU secret and create a new gray key:

lunacm:>role resetpw -name cu

White Audit User PED key

If the Audit User secret is lost, you can no longer cryptographically verify existing audit logs or make changes to the audit configuration. The existing logs can still be viewed. Re-initialize the Audit User role on the affected HSMs, using the same white key for HSMs that will verify each other's logs.