hsm smkrollover
This is a two-part command that creates a new secret (SKS master key or SMK) to encrypt objects for extraction in encrypted blobs. It is issued twice to perform the full rollover task:
•once with the -start option, and then
•a second time, with the -end option, to finish the sequence.
This command, with the -start option, moves the current primary SMK to the Rollover location, and generates a new Primary SMK.
•If you just want to generate a fresh SMK, and no external SKS blobs are encrypted with the previous SMK, then you can issue the command again with the -end option, and the task is finished.
•If you are performing a rollover of an active SMK that was used to encrypt extracted keys and objects (as you might do, in compliance with your organization's key-rotation policy), then immediately after hsm smkrollover -start, you must
•insert, one at a time, every SKS blob that is encrypted by the old SMK, and
•re-extract each such key or object so that it is encrypted by the new SMK, forming new encrypted blobs (binary large objects).
The HSM recognizes which SMK was used to encrypt a blob, and if it is the rollover SMK (or if it is an SMK from a previous HSM generation, currently in the appropriate 'legacy' SMK location), it uses that prior SMK for the insertion. [Re-]extraction always uses the Primary SMK, which would be the new one.
When all desired keys and objects have been re-extracted into newly encrypted blobs, the hsm smkrollover -end command finishes the process.
CAUTION! The hsm smkrollover -end command deletes the SMK from the Rollover space of the current partition, leaving only the new SMK in the Primary space. If you have exported any SKS blobs using the old SMK, that you have not re-extracted with the new Primary SMK, then those blobs can never be inserted again, unless you have retained a backup of the old SMK.
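The procedure described above (start the rollover, insert each blob wrapped by the old SMK, re-extract it under the new Primary SMK, then end the rollover), as an added Python model. This is not Thales code and does not talk to an HSM: the Primary/Rollover/Legacy slots, the SMK identifier carried in the blob header, and the toy SHA-256 keystream plus HMAC wrapping are all assumptions standing in for the HSM's internals. What the model reproduces is the behaviour the page states: extraction always uses the Primary SMK, insertion recognizes which SMK wrapped a blob, and once -end has deleted the Rollover SMK, a blob that was never re-extracted can no longer be inserted. The blobs_still_on_rollover_smk inventory check is a suggested pre-"-end" safeguard, not a LunaCM feature.

```python
"""Model of hsm smkrollover (constructed example, not Thales code).
The wrapping scheme and slot layout are assumptions; the behaviour modelled
(Primary for extraction, recognised SMK for insertion, Rollover SMK deleted
at -end) is what the documentation page describes."""
import hashlib
import hmac
import os

KID_LEN, NONCE_LEN, TAG_LEN = 8, 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


class SMK:
    """One SKS master key; kid lets the partition recognise which SMK wrapped a blob."""

    def __init__(self) -> None:
        self.key = os.urandom(32)
        self.kid = hashlib.sha256(b"smk-id" + self.key).digest()[:KID_LEN]

    def wrap(self, obj: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)  # fresh per blob, so keystreams never repeat
        ct = bytes(a ^ b for a, b in zip(obj, _keystream(self.key, nonce, len(obj))))
        tag = hmac.new(self.key, self.kid + nonce + ct, "sha256").digest()
        return self.kid + nonce + tag + ct

    def unwrap(self, blob: bytes) -> bytes:
        kid, rest = blob[:KID_LEN], blob[KID_LEN:]
        nonce, tag, ct = rest[:NONCE_LEN], rest[NONCE_LEN:NONCE_LEN + TAG_LEN], rest[NONCE_LEN + TAG_LEN:]
        expected = hmac.new(self.key, kid + nonce + ct, "sha256").digest()
        if kid != self.kid or not hmac.compare_digest(tag, expected):
            raise ValueError("blob was not wrapped by this SMK, or is corrupt")
        return bytes(a ^ b for a, b in zip(ct, _keystream(self.key, nonce, len(ct))))


class Partition:
    """SMK slots of an administrative partition: Primary, Rollover and Legacy."""

    def __init__(self) -> None:
        self.primary = SMK()
        self.rollover = None
        self.legacy = []  # SMKs from previous HSM generations, if any

    def extract(self, obj: bytes) -> bytes:
        """[Re-]extraction always uses the Primary SMK."""
        return self.primary.wrap(obj)

    def insert(self, blob: bytes) -> bytes:
        """Insertion uses whichever SMK wrapped the blob: Primary, Rollover or Legacy."""
        for smk in (self.primary, self.rollover, *self.legacy):
            if smk is not None and smk.kid == blob[:KID_LEN]:
                return smk.unwrap(blob)
        raise ValueError("no SMK on this partition can unwrap the blob")

    def smkrollover_start(self) -> None:
        """-start: current Primary moves to the Rollover slot, a new Primary is created."""
        if self.rollover is not None:
            raise RuntimeError("a rollover is already in progress")
        self.rollover, self.primary = self.primary, SMK()

    def smkrollover_end(self) -> None:
        """-end: the Rollover SMK is deleted; only the new Primary remains."""
        self.rollover = None


def blobs_still_on_rollover_smk(part: Partition, blobs: list) -> list:
    """Suggested pre-'-end' check: blobs that -end would make permanently uninsertable."""
    if part.rollover is None:
        return []
    return [b for b in blobs if b[:KID_LEN] == part.rollover.kid]


def rollover(part: Partition, blobs: list) -> list:
    """Full procedure: -start, insert and re-extract each external blob, then -end."""
    part.smkrollover_start()
    new_blobs = [part.extract(part.insert(b)) for b in blobs]
    if blobs_still_on_rollover_smk(part, new_blobs):
        raise RuntimeError("refusing -end: some blobs are still wrapped by the old SMK")
    part.smkrollover_end()
    return new_blobs


def demo() -> dict:
    part = Partition()
    secret = b"constructed sample key material"
    old_blob = part.extract(secret)           # wrapped by the original SMK
    new_blob = rollover(part, [old_blob])[0]  # now wrapped by the new Primary SMK
    try:
        part.insert(old_blob)
        old_insertable = True
    except ValueError:
        old_insertable = False  # the Rollover SMK is gone, as the CAUTION warns
    return {"reinserted_ok": part.insert(new_blob) == secret,
            "old_blob_insertable_after_end": old_insertable}
```

Running demo() shows the two outcomes the page describes: the re-extracted blob inserts cleanly under the new Primary SMK, while the original blob, never re-extracted, is refused once -end has removed the Rollover SMK. The inventory check in rollover() is the place to hook a real-world list of externally stored blobs before you issue -end.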
NOTE The hsm commands appear only when LunaCM's active slot is set to the administrative partition.
Syntax
hsm smkrollover {[-start] | [-end]} [-force]
| Argument | Shortcut | Description |
|---|---|---|
| -end | -e | End SMK rollover and delete the Rollover SMK. |
| -force | -f | Force the action without prompting for confirmation (useful when scripting commands). |
| -start | -s | Start SMK rollover, moving the pre-existing SMK to the Rollover space, and creating a new SMK in the Primary SMK space. |
Example
```
lunacm:> hsm smkrollover -start

You are about to rollover the SMK.
Are you sure you wish to continue?

Type 'proceed' to continue, or 'quit' to quit now -> proceed

Command Result : No Error
```
Between issuing the -start and -end commands, insert and re-extract any SKS blobs that were encrypted/extracted with the old SMK, so that they are now encrypted with the new (Primary) SMK and stored externally to the cryptographic module.
```
lunacm:> hsm smkrollover -end

You are about to rollover the SMK.
Are you sure you wish to continue?

Type 'proceed' to continue, or 'quit' to quit now -> proceed

Command Result : No Error
```