iKey Management Using Luna USB HSM 7
Once you have connected your Luna USB HSM 7 to a workstation and installed Luna HSM Client, you can proceed with initializing roles on the HSM using multifactor quorum authentication. The procedures in this section will guide you through the touchscreen prompts at each stage of iKey creation, authentication, and other iKey operations with the Luna USB HSM 7.
>Creating iKey Using Luna USB HSM 7
>Authenticating a Role Using Luna USB HSM 7
>Identifying an iKey Secret Using Luna USB HSM 7
>Duplicating an Existing iKey Using Luna USB HSM 7
Creating iKey Using Luna USB HSM 7
When you initialize an HSM, partition, or role, the Luna USB HSM 7 issues a series of prompts for you to follow to create your iKeys. iKey actions have a timeout setting (default: 120 seconds); ensure that you have everything you need before issuing an initialization command. The requirements for the operation depend on the iKey scheme you have chosen in advance, based on your organization's security policy. Consider these guidelines before you begin:
>If you are reusing an existing iKey or keyset, the owners of those keys must be present with their iKey and PINs ready.
>If you plan to use an M of N authentication scheme (quorum, or split-secret), all the parties involved must be present and ready to create their authentication split. It is advisable for each iKey holder to create backup duplicates, so you must have a sufficient number of blank or rewritable iKeys ready before you begin.
>If you plan to make backup duplicates of iKeys, you must have a sufficient number of blank or rewritable iKeys ready.
>If you plan to use PINs, ensure that they can be privately entered on the Luna USB HSM 7 and memorized, or written down and securely stored.
NOTE Whenever the Luna USB HSM 7 prompts you to insert an iKey, use the USB-C adapter in the USB port on the right side of the Luna USB HSM 7:
To initiate iKey creation
1.Issue one of the following LunaCM commands to initialize the applicable role, domain, or vector.
•Blue HSM SO and Red HSM Domain Keys:
lunacm:> hsm init -label <label> -iped
•Orange Remote iKey:
lunacm:> ped vector init
•Blue Partition SO and Red Partition Domain iKeys:
lunacm:> partition init
•Black Crypto Officer iKey:
lunacm:> role init -name co
•Gray Limited Crypto Officer iKey
lunacm:> role init -name lco
•Gray Crypto User iKey:
lunacm:> role init -name cu
•White Audit User iKey:
lunacm:> role init -name au
2.Follow the touchscreen prompts in the following four stages.
Stage 1: Reusing Existing iKeys
If you want to use an iKey or quorum of iKeys with an existing authentication secret, have them ready to present to the HSM. Reasons for reusing iKeys may include:
>You want to use the same iKey to authenticate multiple HSMs/partitions
>You want to initialize a partition in an already-existing cloning domain (to allow cloning of cryptographic objects between partitions)
CAUTION! The initialization procedure is the only opportunity to set the HSM/partition's cloning domain. It cannot be changed later without reinitializing the HSM, or deleting and recreating the partition. Ensure that you have the correct red key(s) ready.
See Shared iKey Secrets and Domain iKeys for more information.
The first touchscreen prompt asks if you want to create a new quorum of iKeys or reuse an existing quorum. Make your selection and follow the instructions on the touchscreen. If you are creating a new quorum, go to Stage 2: Defining M of N.
Stage 2: Defining M of N
If you chose to create a new keyset, the Luna USB HSM 7 prompts you to define the M of N scheme (quorum and pool of splits) for the role, domain, or vector. See M of N Split Secrets (Quorum) for more information. If you do not want to use M of N (authentication by one iKey), enter a value of 1 for both M and N.
For each iKey in the quorum, proceed to Stage 3: Setting a PIN.
Stage 3: Setting a PIN
If you are creating a new iKey, you have the option of setting a PIN that must be entered by the key owner during authentication. PINs must be 4-48 digits long. Do not use 0 for the first digit. See iKey PINs for more information.
CAUTION! If you forget your PIN, it is the same as losing the iKey entirely; you cannot authenticate the role. See Consequences of Losing iKeys.
You now have the opportunity to create a duplicate of the new iKey in Stage 4: Duplicating New iKey. If you decline to create a duplicate now, repeat this stage for each new iKey in the quorum.
Stage 4: Duplicating New iKey
You now have the option to create duplicates of your newly-created iKey(s) in case of key loss or theft.
Authenticating a Role Using Luna USB HSM 7
When connected, the Luna USB HSM 7 responds to authentication commands in LunaCM. Commands that require authentication include:
>Role login commands (blue, black, gray, or white iKeys)
>Backup/restore commands (red iKeys)
>Remote PED connection commands (orange iKey)
When you issue a command that requires authentication, the interface returns a message like the following:
lunacm:>role login -name po
Please attend to the PED.
Whenever the Luna USB HSM 7 prompts you to insert a iKey, use the USB port on the right side of the Luna USB HSM 7:
CAUTION! Multiple failed authentication attempts result in zeroization of the HSM or partition, or role lockout, depending on the role. This is a security measure designed to thwart repeated, unauthorized attempts to access cryptographic material. For details, see Logging In as HSM Security Officer or Logging In to the Application Partition.
To perform multifactor quorum authentication
1.The touchscreen prompts for the corresponding iKey. Insert the iKey (or the first M of N split-secret key) and follow the instructions on the touchscreen.
lunacm:>role login -name po
Please attend to the PED.
•If the key you inserted has an associated PIN, continue to step 2.
•If the key you inserted has no PIN, but it is an M of N split, skip to step 3.
•Otherwise, authentication is complete and the Luna USB HSM 7 returns control to the command interface.
Command Result : No Error
2.If a PIN is associated with the iKey, the touchscreen prompts for the PIN.
•If the key you inserted is an M of N split, continue to step 3.
•Otherwise, authentication is complete and the Luna USB HSM 7 returns control to the command interface.
Command Result : No Error
3.The touchscreen prompts for the next M of N split-secret key. Insert the next iKey and press Enter.
•If the key you inserted has an associated PIN, return to step 2.
•Repeat steps 2 and/or 3 until the requisite M number of keys have been presented. At this point, authentication is complete and the Luna USB HSM 7 returns control to the command interface.
Command Result : No Error
NOTE When authenticating an M of N split secret, the Luna USB HSM 7 cannot tell if an iKey PIN is entered incorrectly until the whole secret is reassembled. Therefore, PIN entry will appear to succeed and the authentication operation will only fail when all M iKeys have been presented.
Consequences of Losing iKeys
iKeys are the only means of authenticating roles, domains, and RPVs on the multifactor quorum-authenticated Luna USB HSM 7. Losing an iKey effectively locks the user out of that role. Always keep secure backups of your iKeys, including M of N split secrets. Forgetting the PIN associated with an iKey is equivalent to losing the iKey entirely. Losing a split-secret iKey is less serious, unless enough splits are lost so that M cannot be satisfied.
If an iKey is lost or stolen, log in with one of your backup keys and change the existing role secret immediately, to prevent unauthorized HSM access.
The consequences of a lost iKey with no backup vary depending on the type of secret:
Blue HSM SO iKey
If the HSM SO secret is lost, you can no longer perform administrative tasks on the HSM, including partition creation and client assignment. The contents of the HSM Admin partition are unrecoverable and you can no longer configure the HSM. Take the following steps:
1.Contact the Crypto Officer and have them immediately make a backup of their existing partition.
2.When all important cryptographic material is backed up, execute a factory reset of the HSM.
3.Initialize the HSM and create a new HSM SO secret.
4.Recreate the application partition.
5.The Partition SO must initialize the new partition using their original blue and red iKey(s), and initialize the Crypto Officer role (and Activation secret, if applicable). Supply the new black CO iKey to the Crypto Officer.
6.The Crypto Officer must change the login credentials from the new black CO iKey to their original black iKeys (and reset the Activation secret password, if applicable).
7.The Crypto Officer can now restore all partition contents from backup.
8.If you are using Remote PED, you must recreate the Remote PED Vector (RPV). You can re-use the original orange iKey.
Red HSM Domain iKey
If the HSM Key Cloning Vector is lost, you can no longer perform backup/restore operations on the HSM Admin partition. If the HSM is factory-reset, the contents of the HSM Admin partition are unrecoverable. Follow the same procedure as you would if you lost the blue HSM SO key, but you cannot restore the HSM Admin partition from backup.
Blue Partition SO iKey
If the Partition SO secret is lost, you can no longer perform administrative tasks on the partition. Take the following steps:
1.Have the Crypto Officer immediately make a backup of the partition objects.
2.Have the HSM SO delete the partition, create a new one, and assign it to the same client.
3.Initialize the new partition with a new blue Partition SO key and the original red cloning domain key(s).
4.Initialize the Crypto Officer role (and Activation secret, if applicable). Supply the new black CO key to the Crypto Officer.
5.The Crypto Officer must change the login credentials from the new black CO key to their original black key (and reset the Activation secret password, if applicable).
6.The Crypto Officer can now restore all partition contents from backup.
Red Partition Domain iKey
If the Partition Key Cloning Vector is lost, you can no longer perform backup/restore operations on the partition(s), or make changes to HA groups in that cloning domain. You can still perform all other operations on the partition. Take the following steps:
1.Have the HSM SO create a new partition (or multiple partitions, to replace the entire HA group) and assign it to the same client(s).
2.Initialize the partition(s)with a new cloning domain.
3.Initialize the Crypto Officer role with the original black Crypto Officer key (and Activation password, if applicable).
4.Create objects on the new partition to replace those on the original partition.
5.As soon as possible, change all applications to use the objects on the new partition.
6.When objects on the original partition are no longer in production use, the HSM SO can delete the original partition.
Black Crypto Officer iKey
If the Crypto Officer secret is lost, you can no longer create objects on the partition, or perform backup/restore operations. You might still be able to use the partition, depending on the following criteria:
>PIN reset by Partition SO:
•If HSM policy 15: Enable SO reset of partition PIN is set to 1, the Partition SO can reset the Crypto Officer secret and create a new black CO key.
lunacm:>role resetpw -name co
•If this policy is set to 0 (default), the CO is locked out unless other criteria in this list apply.
>Partition Activation:
•If the partition is Activated, you can still access it for production using the CO challenge secret. Change your applications to use objects on a new partition as soon as possible.
•If the partition is not Activated, read-only access of essential objects might still be available via the Crypto User role.
>Crypto User
•If the Crypto User is initialized, you can use the CU role for read-only access to essential partition objects while you change your applications to use objects on a new partition.
If none of these criteria apply, the contents of the partition are unrecoverable.
Gray Crypto User iKey
If the Crypto User secret is lost, the Crypto Officer can reset the CU secret and create a new gray key:
lunacm:>role resetpw -name cu
White Audit User iKey
If the Audit User secret is lost, you can no longer cryptographically verify existing audit logs or make changes to the audit configuration. The existing logs can still be viewed. Re-initialize the Audit User role on the affected HSMs, using the same white key for HSMs that will verify each other's logs.
Identifying an iKey Secret Using Luna USB HSM 7
You can use this procedure to identify the type of secret (role, domain, or RPV) stored on an unidentified iKey. This procedure will not tell you:
>identifying information about the HSM the key is associated with
>whether the key is part of an M of N scheme, or how many keys are in the set
>whether the key has a PIN assigned
>who the key belongs to
You require:
>Luna USB HSM 7 in Admin Mode
>the key you want to identify
To identify the type of secret stored on the iKey
1.Insert the iKey you want to identify.
2.Tap the ADMIN tab on the touchscreen to enter Admin mode.
The role secret type is identified on-screen.
Duplicating an Existing iKey Using Luna USB HSM 7
During the key creation process, you have the option to create multiple copies of iKeys. If you want to make backups of your keys later, you can use this procedure to copy iKeys. You require:
>Luna USB HSM 7 in Admin Mode
>Enough blank or rewritable keys to make your copies
The iKey is duplicated exactly by this process. If there is a PIN assigned, the same PIN is assigned to the duplicate key. If the key is part of an M of N scheme, the duplicates may not be used in the same login process to satisfy the M of N requirements. You must also have copies of the other keys in the M of N keyset. See M of N Split Secrets (Quorum).
To duplicate an existing iKey
1.Insert the iKey you want to duplicate. Have a blank or rewritable iKey ready.
2.Tap the ADMIN tab on the touchscreen to enter Admin mode.
3.Tap Duplicate this iKey and follow the instructions on the touchscreen.
Changing an iKey Credential
It may be necessary to change the iKey secret associated with a role. Reasons for changing credentials include:
>Regular credential rotation as part of your organization's security policy
>Compromise of a role due to loss or theft of a iKey
>Personnel changes in your organization or changes to individual security clearances
>Changes to your security scheme (implementing/revoking M of N, PINs, or shared secrets)
The procedure for changing a iKey credential depends on the type of key. Procedures for each type are provided below.
CAUTION! If you are changing an iKey credential that is shared among multiple HSMs/partitions/roles, always keep at least one copy of the old keyset until the affected HSMs/partitions/roles are all changed to the new credential. When changing iKey credentials, you must always present the old keyset first; do not overwrite your old iKeys until you have no further need for them.
If you overwrite the original iKey with a new credential and the operation fails, it is possible for the iKey credential to be overwritten while the role remains tied to the old credential. If this happens, all login attempts with the overwritten iKey will fail. Ensure that you keep at least one backup copy of the old iKey credential until the role is successfuly set to a new credential.
>Orange Remote PED Vector iKey
Blue HSM SO iKey
The HSM SO can use this procedure to change the HSM SO credential.
To change the blue HSM SO iKey credential
1.In LunaCM, set the active slot to the Admin partition and log in as HSM SO.
lunacm:> role login -name so
2.Initiate the iKey change.
lunacm:> role changepw -name so
3.You are prompted to present the original blue key(s) and then to create a new HSM SO keyset. See Creating iKey Using Luna USB HSM 7.
Red HSM Domain iKey
It is not possible to change an HSM's cloning domain without performing a factory reset of the HSM and setting the new cloning domain as part of the standard initialization procedure.
CAUTION! If you set a different cloning domain for the HSM, you cannot restore the HSM Admin partition from backup.
Orange Remote PED Vector iKey
The HSM SO can use this procedure to change the Remote PED Vector (RPV) for the HSM.
To change the RPV/orange key credential
1.In LunaCM, set the active slot to the Admin partition and log in as HSM SO.
lunacm:> role login -name so
2.Initialize the RPV.
lunacm:> ped vector init
You are prompted to create a new Remote iKey.
3.Distribute a copy of the new orange key to the administrator of each Remote PED server.
Blue Partition SO iKey
The Partition SO can use this procedure to change the Partition SO credential.
To change a blue Partition SO iKey credential
1.In LunaCM, log in as Partition SO.
lunacm:> role login -name po
2.Initiate the iKey change.
lunacm:> role changepw -name po
3.You are prompted to present the original blue key(s) and then to create a new Partition SO keyset.
Red Partition Domain iKey
It is not possible to change a partition's cloning domain. A new partition must be created and initialized with the desired domain. The new partition will not have access to any of the original partition's backups. It cannot be made a member of the same HA group as the original.
Black Crypto Officer iKey
The Crypto Officer can use this procedure to change the Crypto Officer credential.
To change a black Crypto Officer iKey credential
1.In LunaCM, log in as Crypto Officer.
lunacm:> role login -name co
2.Initiate the iKey change.
lunacm:> role changepw -name co
3.You are prompted to present the original black key(s) and then to create a new Crypto Officer keyset.
Gray Crypto User iKey
The Crypto User can use this procedure to change the Crypto User credential.
To change a gray Crypto User iKey credential
1.In LunaCM, log in as Crypto User.
lunacm:> role login -name cu
2.Initiate the iKey change.
lunacm:> role changepw -name cu
3.You are prompted to present the original gray key(s) and then to create a new Crypto User keyset.
White Audit User Key
The Audit User can use this procedure to change the Audit User credential.
To change the white Audit User iKey credential
1.In LunaCM, set the active slot to the Admin partition and log in as Auditor.
lunacm:> role login -name au
2.Initiate the iKey change.
lunacm:> role changepw -name au
3.You are prompted to present the original white key(s) and then to create a new Audit User keyset.
