Configuring the Partition for Cloning or Export of Private/Secret Keys
By default, the Luna PCIe HSM 7 stores all keys in hardware, allowing private asymmetric and secret keys to be copied only to another Luna HSM (cloning). Cloning allows you to move or copy key material from a partition to a backup HSM or to another partition in the same HA group. You might, however, want to export private or secret keys to an encrypted file for off-board storage or use. Individual partitions can be configured in one of three modes for handling private keys.
NOTE This feature requires Luna HSM Firmware 7.1.0 or newer.
The Partition SO can set the mode by changing the following policies (see Partition Capabilities and Policies for more information):
>Partition policy 0: Allow private key cloning (default: 1)
>Partition policy 1: Allow private key wrapping (default: 0)
NOTE These partition policies can never be set both to 1 (ON) at the same time. An error will result (CKR_CONFIG_FAILS_DEPENDENCIES) if it is attempted.
The policies can be set at the time of initialization, using a policy template (see Setting Partition Policies Using a Template) or by following the procedures described below:
NOTE Partition configurations are listed in LunaCM as "Key Export With Cloning Mode". This indicates that the partition is capable of being configured for either Key Export or Cloning, with the mode of operation defined by the policies listed above. You can never configure a partition to allow both export and cloning of private keys at once.
TIP Security Note -Cloning policies (0 and 4) permit or deny the ability to securely copy keys and objects into and out of a partition.
The Key Management Functions policy (28) controls the ability to create, delete, generate, derive, or modify cryptographic objects in the current partition.
These controls are independent of each other. With Key Management functions denied, you can still clone objects in and out of partitions where Cloning policy is allowed. Thus HA (high availability) operation can clone keys into a partition that disallows Key Management functions (creation, deletion, etc.). Cloning a key or object into a partition is not considered creation - the key or object already existed within the security / cloning domain that encompasses the partition.
Ultimately the security administrators define where keys can exist by controlling distribution of the security / cloning domain, and by defining policies around those keys.
Additionally, key owners can choose to make their keys non-modifiable and non-extractable, if those options are indicated by your use-case.
Cloning Mode
A partition in Cloning mode has the following capabilities and restrictions:
>All keys/objects can be cloned to another partition or Luna Backup HSM in the same cloning domain.
>All keys/objects are replicated within the partition's HA group.
>Private asymmetric keys cannot be wrapped off the HSM (cannot be exported to a file encrypted with a wrapping key).
In this mode, private keys are never allowed to exist outside of a trusted Luna HSM in the designated cloning domain. Cloning mode is the default setting for new partitions.
Setting Cloning Mode on a Partition
Cloning mode is the default setting on new partitions. If another mode was set previously, the Partition SO can use the following procedure to set Cloning mode. Use lunacm:> partition showpolicies to see the current policy settings.
CAUTION! Partition policy 0: Allow private key cloning is Off-to-On destructive by default. Back up any important cryptographic material on the partition before continuing. This destructiveness setting can be customized by initializing the partition with a policy template (see Editing a Partition Policy Template).
To manually set Cloning mode on a partition
1.Log in to the partition as Partition SO.
lunacm:> slot set -slot <slotnum>
lunacm:> role login -name po
2.Set partition policy 1: Allow private key wrapping to 0 (OFF).
lunacm:> partition changepolicy -policy 1 -value 0
3.Set partition policy 0: Allow private key cloning to 1 (ON).
lunacm:> partition changepolicy -policy 0 -value 1
To initialize a partition in Cloning mode using a policy template
Use a standard text editor to include the following lines in the policy template file (see Editing a Partition Policy Template):
0:"Allow private key cloning":1:1:0 1:"Allow private key wrapping":0:1:0
Key Export Mode
A partition in Key Export mode has the following capabilities and restrictions:
>Private asymmetric keys cannot be cloned to other partitions nor to a Luna Backup HSM.
>The partition cannot be part of an HA group (private keys will not be replicated).
>All keys/objects, including private keys, can be wrapped off the HSM (can be exported to a file encrypted with a wrapping key).
This mode is useful when generating key pairs for identity issuance, where transient key-pairs are generated, wrapped off, and embedded on a device. They are not used on the HSM, but generated and issued securely, and then deleted from the HSM. This applies to V0 partitions only; V1 partitions cannot enable this mode.
Setting Key Export Mode on a Partition
The Partition SO can use the following procedure to set Key Export mode. Use lunacm:> partition showpolicies to see the current policy settings.
CAUTION! Partition policy 1: Allow private key wrapping is always Off-to-On destructive. Back up any important cryptographic material on the partition before continuing. This destructiveness setting cannot be changed with a policy template (see Editing Guidelines and Restrictions).
To manually set Key Export mode on a partition
1.Launch LunaCM and log in to the partition as Partition SO.
lunacm:> slot set -slot <slotnum>
lunacm:> role login-name po
2.Set partition policy 0: Allow private key cloning to 0 (OFF).
lunacm:> partition changepolicy -policy 0 -value 0
3.Set partition policy 1: Allow private key wrapping to 1 (ON).
lunacm:> partition changepolicy -policy 1 -value 1
To initialize a partition in Key Export mode using a policy template
Use a standard text editor to include the following lines in the policy template file (see Editing a Partition Policy Template):
0:"Allow private key cloning":0:1:0 1:"Allow private key wrapping":1:1:0
No Backup Mode
A partition in No Backup mode has the following restrictions:
>Private asymmetric keys cannot be cloned to other partitions or to a Luna Backup HSM. All other objects can still be cloned.
>Private asymmetric keys cannot be wrapped off the HSM (exported to a file encrypted with a wrapping key). All other objects can still be wrapped off.
Without backup capability, private keys can never leave the HSM. This mode is useful when keys are intended to have short lifespans, and are easily replaced.
Setting No Backup Mode on a Partition
The Partition SO can use the following procedure to set No Backup mode. Use lunacm:> partition showpolicies to see the current policy settings.
To manually set No Backup mode on a partition
1.Launch LunaCM and log in to the partition as Partition SO.
lunacm:> slot set -slot <slotnum>
lunacm:> role login -name po
2.If partition policy 0: Allow private key cloning is set to 1 (ON), set it to 0 (OFF).
lunacm:> partition changepolicy -policy 0 -value 0
3.If partition policy 1: Allow private key wrapping is set to 1 (ON), set it to 0 (OFF).
lunacm:> partition changepolicy -policy 1 -value 0
To initialize a partition in No Backup mode using a policy template
Use a standard text editor to include the following lines in the policy template file (see Editing a Partition Policy Template):
0:"Allow private key cloning":0:1:0 1:"Allow private key wrapping":0:1:0