The HSM can be configured to suit the cryptographic needs of your organization. Configurable functions are governed by the following settings:
>HSM Capabilities are features of HSM functionality, set at manufacture based on the HSM model you selected at time of purchase. Some capabilities have corresponding modifiable HSM policies.
>HSM Policies are configurable settings that allow the HSM Security Officer to modify the function of their corresponding capabilities. Some policies affect HSM-wide functionality, and others allow further customization of individual partitions by the Partition Security Officer.
The table below describes all Luna USB HSM 7 capabilities, their corresponding policies, and the results of changing their settings. This section contains the following procedures:
>Setting HSM Policies Manually
>Setting HSM Policies Using a Template
To zeroize the HSM and revert policies to their default values, see Resetting to Factory Condition.
To zeroize the HSM and keep the existing policy settings, use
NOTE Regarding Capabilities and Policies - as a general rule, when firmware is updated, a given policy retains whatever value it had (default or your setting), before the update. Some firmware versions introduce new capabilities with their accompanying policies. The listed default setting of a policy is the expected setting
•if the Capability and Policy was not in existence,
or
•if the Policy was not changed,
before a firmware update.
Rolling back the HSM firmware or resetting the HSM to factory conditions restores that version's default settings for all policies.
Applying a non-default policy setting should be [re-]done after updating firmware from factory settings.
Destructive Policies
Some policies affect the security of the HSM. As a security measure, changing those security-affecting policies results in application partitions, or the entire HSM, being zeroized. Among those listed below, such policies are marked as Destructive.
| # | HSM Capability | HSM Policy |
|---|---|---|
| 0 |
Enable PIN-based authentication Always 1. The HSM can authenticate users with keyboard-entered passwords. |
PIN-based authentication Displays 1 if you chose password authentication at the time of HSM initialization. |
| 1 |
Enable PED-based authentication Always 1. The HSM can authenticate users with secrets stored on physical iKeys (multifactor quorum authentication) inserted into the Luna USB HSM 7. The Crypto Officer and Crypto User roles may also be configured with a secondary, keyboard-entered challenge secret. |
PED-based authentication Displays 1 if you chose multifactor quorum authentication at the time of HSM initialization. |
| 2 |
Performance level This value is standard on all Luna USB HSM 7s. |
N/A |
| 4 |
Enable domestic mechanisms & key sizes Always |
N/A |
|
6 |
Enable masking Always 1. |
Destructive If this policy is allowed, see partition policy 3: Allow private key masking and partition policy 7: Allow secret key masking. |
|
7 |
Enable cloning Always |
Destructive >1 (default): The HSM may clone cryptographic objects from one partition to another. This is required to back up partitions. The Partition SO can enable/disable cloning on individual partitions. >0: |
|
9 |
Enable full (non-backup) functionality Always 1. The Luna USB HSM 7 is capable of full cryptographic functions. |
N/A |
|
12 |
Always . The HSM can use all cryptographic algorithms described in Supported Mechanisms. |
Destructive * >1 (default): The HSM may use all available cryptographic algorithms, meaning all the FIPS-approved algorithms as well as all the non-FIPS algorithms. >0: Only algorithms sanctioned by the FIPS 140 standard are permitted. Some of these algorithms will have certain operations restricted; refer to your firmware version in Supported Mechanisms for more information. NOTE When C_GetMechanismInfo is called and the HSM policy “Allow NonFIPS Algorithms” is disabled: >If a mechanism has the WRAP flag set and MPE_NO_WRAP, the WRAP flag is not returned by the HSM as part of the mechanism info. >If a mechanism has the SIGN flag set and MPE_NO_SIGN, the SIGN flag is not returned by the HSM as part of the mechanism info. When the policy is enabled, the HSM returns all the flags that are applicable to the requested mechanism. This policy must be set to 1 if FIPS compliance is to be set on a per-partition basis using partition policy 43: Allow non-FIPS algorithms (requires Luna USB HSM 7 Firmware 7.9.2 or newer). |
|
15 |
Enable SO reset of partition PIN Always >the Partition SO to reset the password or iKey secret of the Crypto Officer. >the Crypto Officer to reset the password or iKey secret of the Crypto User. |
Destructive >1: Partition SO may reset the password or iKey secret of a Crypto Officer who has been locked out after too many failed login attempts. >0 (default): The CO lockout is permanent and the partition contents are no longer accessible. The partition must be re-initialized, and key material restored from a backup device. See Resetting the Crypto Officer or Crypto User Credential. |
|
16 |
Enable network replication Always NOTE Using Luna USB HSM 7 Firmware 7.9.2 and newer, this setting is ignored when partition policy 44: Allow Extended Domain Management is enabled for Universal Cloning. |
>1 (default): Cloning of cryptographic objects is permitted over a network. Remote backup is allowed >0: Cloning over a network is not permitted. Partition backup is possible to a locally-connected Luna Backup HSM only. |
|
17 |
Enable Korean Algorithms Always 0. The Korea-specific algorithm set is not currently available for Luna USB HSM 7. |
N/A |
|
19 |
Manufacturing Token Always |
N/A |
|
21 |
Enable forcing user PIN change Always |
Force user PIN change after set/reset > (default): After the Partition SO initializes or resets the Crypto Officer credential, the CO must change the credential before any other actions are permitted. This also applies when the CO initializes/resets the Crypto User role. This policy is intended to enforce the separation of roles on the partition. >: The CO/CU may continue to use the credential assigned by the Partition SO. See Changing a Partition Role Credential. |
|
22 |
Enable offboard storage Always |
Destructive Deprecated policy with no application to Luna 7. Default: 1 |
|
23 |
Enable partition groups Always |
N/A |
|
25 |
Enable Remote PED usage Always on multifactor quorum-authenticated HSMs. Always on password-authenticated HSMs. Always 1 on Luna USB HSM 7. |
>1 (default): >0: |
|
27 |
HSM non-volatile storage space Displays the maximum non-volatile storage space (in bytes) on the HSM. |
N/A |
|
30 |
Enable Unmasking Always |
>1 (default): Cryptographic objects may be migrated from legacy Luna HSMs that used SIM. >0: Migration from legacy HSMs using SIM is not possible. |
|
33 |
Maximum number of partitions
|
Current maximum number of partitions N/A |
|
35 |
Enable Single Domain Always |
N/A |
|
36 |
Enable Unified PED Key Always |
N/A |
|
37 |
Enable MofN Always 1. |
>1 (default): During iKey creation, you have the option to require a quorum to authenticate the role, by splitting the authentication secret among multiple iKeys. See M of N Split Secrets (Quorum). >0: Users do not have the option to split iKey secrets (M and N are automatically set to 1). |
|
38 |
Enable small form factor backup/restore Always |
N/A |
|
40 |
Enable decommission on tamper Always 0. Not applicable to Luna USB HSM 7. |
N/A |
|
42 |
Enable partition re-initialize Always |
N/A |
|
43 |
Enable low level math acceleration Always . This capability enables acceleration of cryptographic functionality for maximum HSM performance. |
Allow low-level math acceleration > (default): Provides maximum HSM performance. >: Do not turn this policy off unless instructed by Thales Technical Support. |
|
46 |
Allow Disabling Decommission Always 0. Not applicable to Luna USB HSM 7. |
N/A |
| 48 |
Enable Controlled Tamper Recovery Always 0. Not applicable to Luna USB HSM 7. |
N/A |
| 49 |
Enable Partition Utilization Metrics Always |
Allow Partition Utilization Metrics >1: The HSM SO can view Partition Utilization Metrics. >0 (default): Partition Utilization Metrics are not available. See Partition Utilization Metrics for more information. |
| 50 |
Enable Functionality Modules Always 0. Not applicable to Luna USB HSM 7. |
N/A |
| 51 |
Enable SMFS Auto Activation Always 0. Not applicable to Luna USB HSM 7. |
N/A |
| 52 |
Allow Restricting FM Privilege Level Always 0. Not applicable to Luna USB HSM 7. |
N/A |
| 53 |
Allow Encrypting of Keys from FM to HSM Always 0. Not applicable to Luna USB HSM 7. |
N/A |
| 55 |
Enable Restricted Restore This capability allows the HSM SO to restrict a Luna Backup HSM 7 from being used with firmware older than Luna HSM Firmware 7.7.0, for any purpose other than to migrate cryptographic objects to Luna HSM Firmware 7.7.0 or newer. See Behavior of Pre-Firmware 7.7, V0, and V1 Partitions for more information. Appears on Luna Backup HSM 7 running Luna Backup HSM 7 Firmware 7.7.1 or newer. NOTE This capability/policy does not appear on Luna USB HSM 7. This setting is visible in LunaCM when the active slot is set to a Luna Backup HSM 7. |
ON-to-OFF Destructive >1: Objects backed up from pre-7.7.0 firmware partitions can only be restored to V0 or V1 partitions (Luna HSM Firmware 7.7.0 or newer). Enable this policy to ensure FIPS compliance. >0 (default): Objects backed up from pre-7.7.0 firmware partitions can be restored to pre-7.7.0 firmware partitions. Do not use this setting if you require FIPS compliance. CAUTION! FIPS compliance requires that objects are never cloned or restored to an HSM using less secure firmware, and this includes restoring from Luna Backup HSM 7 firmware. If you have backups already stored on the Luna Backup HSM 7 that were taken from pre-7.7.0 partitions, turning this policy ON will prevent you from restoring them to the same source partition. You must update the HSM containing the source partition to Luna HSM Firmware 7.7.0 or newer before restoring from backup. |
| 56 |
Enable User Defined ECC Curves Always 1 using Luna USB HSM 7 Firmware 7.7.3 or newer. This capability allows the HSM SO to restrict or allow the use of user-defined ECC curves. The state of the associated policy is preserved through firmware update. |
Destructive >1: User-defined ECC curves can be used, without restriction. >0 (default): Named curves (that we have verified) can still be used, as can user-defined ECC curves where the named-curve parameters are provided. User-defined ECC curves that cannot map to built-in named curves during key-pair generation, public key creation, private key unwrapping, cloning or SKS, and key derivation, return the error ECC_CURVE_NOT_ALLOWED. Named-curve samples are provided when you include the SDK option while installing Luna HSM Client. The files must be unmodified. /usr/safenet/lunaclient/samples/ecc_examples >bpP160r1.txt >bpP512t1.txt >x962_char2_163v1.txt >bpP192r1.txt >secp384r1.txt >x962_char2_359V1.txt >bpP224r1.txt >bpP384R1.txt >sm2p256v1.txt NOTE For FIPS compliance, NIST requires us to make security claims with respect to the curves that we support. It is impossible to test and report on all possible user-defined ECC curves. Therefore, commonly-used, named curves are explicitly tested, documented to comply with FIPS requirements, and allowed in FIPS 140 approved configuration (formerly FIPS mode). |
| 57 |
Enable Sync with Host Time Always 1 using Luna USB HSM 7 Firmware 7.9.2 or newer. This capability enables the HSM SO to automatically synchronize the HSM's time to the host system time every 24 hours. |
>1: The HSM's time is synchronized to the host system time once every 24 hours. The maximum drift that is allowed to be synchronized by this policy is 3 seconds. If the HSM time and the host time have drifted by more than 3 seconds in the last 24 hours, a log entry is created instead:
This applies to the first synchronization as well -- set the time manually using As a best practice for on-premises HSMs, this policy should be on. As well, time should be synchronized after every HSM or host reboot, due to cloning protocol version 4 (CPv4) requiring close synchronization, and newer algorithms having tight timing tolerances as well. >0 (default): HSM time is not automatically synchronized to host time. The HSM SO can still synchronize the clocks manually. |
| 58 |
Enable Unrestricted Metrics Access Using Luna USB HSM 7 Firmware 7.9.2 or newer, this capability enables collection of partition utilization metrics without the SO logged into the HSM. |
Allow Unrestricted Metrics Access >1: Partition utilization metrics can be viewed, collected and reset without need for SO login. >0(default): The HSM SO must log into the HSM before partition utilization metrics can be captured or reset. See Partition Utilization Metrics for more information. |
* The Backup HSM performs only backup and restore operations and is not a general-purpose HSM. It has no information about the origin of keys or objects. In the case of FIPS 140 approved configuration (formerly FIPS-mode) or non-FIPS the status of a source HSM (Policy 12) is not noticed, and a target HSM decides what to do with keys from a restore operation. However, the actions of a Backup HSM can be affected by the cloning protocol that is used - see Policy 55.
