HSM Capabilities and Policies
The Luna USB HSM 7 can be configured to suit the cryptographic needs of your organization. Configurable functions are governed by the following settings:
>HSM Capabilities are features of HSM functionality, set at time of manufacture. Some capabilities have corresponding modifiable HSM policies.
>HSM Policies are configurable settings that allow the HSM Security Officer to modify the function of their corresponding capabilities. Some policies affect HSM-wide functionality, and others allow further customization of application partitions by the Partition Security Officer.
The table below describes all Luna USB HSM 7 capabilities, their corresponding policies, and the results of changing their settings. This section contains the following procedures:
>Setting HSM Policies Manually
>Setting HSM Policies Using a Template
To zeroize the HSM and revert policies to their default values, see Zeroizing or Resetting the HSM to Factory Conditions.
To zeroize the HSM and keep the existing policy settings, use lunacm:> hsm zeroize.
Destructive Policies
Some policies affect the security of the HSM. As a security measure, changing these policies results in application partitions or the entire HSM being zeroized. These policies are listed below as destructive.
| # | HSM Capability | HSM Policy |
|---|---|---|
| 0 |
Enable PIN-based authentication Always 1. The HSM can authenticate users with keyboard-entered passwords. |
PIN-based authentication Displays 1 if you chose password authentication at the time of HSM initialization. |
| 1 |
Enable PED-based authentication Always 1. The HSM can authenticate users with secrets stored on physical iKeys (multifactor quorum authentication) inserted into the Luna USB HSM 7. The Crypto Officer and Crypto User roles may also be configured with a secondary, keyboard-entered challenge secret. |
PED-based authentication Displays 1 if you chose multifactor quorum authentication at the time of HSM initialization. |
| 2 |
Performance level This value is standard on all Luna USB HSM 7s. |
N/A |
| 4 |
Enable domestic mechanisms & key sizes Always 1. All Luna USB HSM 7s are capable of full-strength cryptography with no US export restrictions. |
N/A |
|
6 |
Enable masking Always 1. |
Allow Masking |
|
7 |
Enable cloning Always 1. All current Luna USB HSM 7s have the ability to clone cryptographic objects from one partition to another. |
Destructive >1 (default): The HSM may clone cryptographic objects from one partition to another sharing the same cloning domain. This is required to back up partitions. The Partition SO can enable/disable cloning on individual partitions. >0: The application partition may not clone cryptographic objects. The Partition SO cannot change this. |
|
9 |
Enable full (non-backup) functionality Always 1. The Luna USB HSM 7 is capable of full cryptographic functions. |
N/A |
|
12 |
Enable non-FIPS algorithms Always 1. The HSM can use all cryptographic algorithms described in Supported Mechanisms. |
Destructive >1 (default): The HSM may use all available cryptographic algorithms, meaning all the FIPS-approved algorithms as well as non-FIPS algorithms. >0: Only algorithms sanctioned by the FIPS 140-2 standard are permitted. Some of these algorithms will have certain operations restricted; refer to your firmware version in Supported Mechanisms for more information. |
|
15 |
Enable SO reset of partition PIN Always 1. This capability enables: >the Partition SO to reset the password or iKey secret of the Crypto Officer. >the Crypto Officer to reset the password or iKey secret of the Crypto User. |
Destructive >1: Partition SO may reset the password or iKey secret of a Crypto Officer who has been locked out after too many failed login attempts. >0 (default): The CO lockout is permanent and the partition contents are no longer accessible. The partition must be re-initialized, and key material restored from a backup device. |
|
16 |
Enable network replication Always 1. This capability enables cloning of cryptographic objects over a network. This is required for partition backup to a remote Luna Backup HSM. |
>1 (default): Cloning of cryptographic objects is permitted over a network. Remote backup is allowed. >0: Cloning over a network is not permitted. Partition backup is possible to a locally-connected Luna Backup HSM only. |
|
17 |
Enable Korean Algorithms Always 0. The Korea-specific algorithm set is not currently available for Luna USB HSM 7. |
N/A |
|
19 |
Manufacturing Token Always 0. For Thales internal use only. |
N/A |
|
21 |
Enable forcing user PIN change Always 1. This capability forces the Crypto Officer or Crypto User to change the initial role credential created by the Partition SO. |
Force user PIN change after set/reset >1 (default): After the Partition SO initializes or resets the Crypto Officer credential, the CO must change the credential before any other actions are permitted. This also applies when the CO initializes/resets the Crypto User role. This policy is intended to enforce the separation of roles on the partition. >0: The CO/CU may continue to use the credential assigned by the Partition SO. |
|
22 |
Enable offboard storage Always 1. |
Allow offboard storage Destructive Deprecated policy. On previous HSMs, this policy allowed or disallowed the use of the portable SIM key. Default: 1 |
|
23 |
Enable partition groups Always 0 - deprecated capability. |
N/A |
|
25 |
Enable Remote PED usage Always 1. |
>1 (default): When initialized for multifactor quorum authentication, the HSM may authenticate roles using a remotely-located Luna PED server. >0: The HSM can authenticate roles by connecting iKeys directly to the Luna USB HSM 7 only. |
|
27 |
HSM non-volatile storage space Displays the maximum non-volatile storage space (in bytes) on the HSM. |
N/A |
|
30 |
Enable Unmasking Always 1. This capability enables migration from legacy Luna HSMs that used SIM. |
>1 (default): Cryptographic objects may be migrated from legacy Luna HSMs that used SIM. >0: Migration from legacy HSMs using SIM is not possible. |
|
33 |
Maximum number of partitions Always 1. Displays the maximum number of application partitions that can be created on the Luna USB HSM 7. |
Current maximum number of partitions N/A |
|
35 |
Enable Single Domain Always 0. Not applicable to Luna USB HSM 7. |
N/A |
|
36 |
Enable Unified PED Key Always 0. Not applicable to Luna USB HSM 7. |
N/A |
|
37 |
Enable MofN Always 1. |
>1 (default): During iKey creation, you have the option to require a quorum to authenticate the role, by splitting the role secret among multiple iKeys. See M of N Split Secrets (Quorum). >0: Users do not have the option to split role secrets (M and N are automatically set to 1). |
|
38 |
Enable small form factor backup/restore Always 0. Not applicable to Luna USB HSM 7. |
N/A |
|
40 |
Enable decommission on tamper Always 0. Not applicable to Luna USB HSM 7. |
N/A |
|
42 |
Enable partition re-initialize Always 0. Not applicable to Luna USB HSM 7. |
N/A |
|
43 |
Enable low level math acceleration Always 1. This capability enables acceleration of cryptographic functionality for maximum HSM performance. |
N/A |
|
46 |
Allow Disabling Decommission Always 0. Not applicable to Luna USB HSM 7. |
N/A |
| 48 |
Enable Controlled Tamper Recovery Always 0. Not applicable to Luna USB HSM 7. |
N/A |
| 49 |
Enable Partition Utilization Metrics Always 1. This capability enables the HSM SO to view (or export to a named file) counters that record how many times specific cryptographic operations have been performed in the application partition since the last counter-reset event. |
Allow Partition Utilization Metrics >1: The HSM SO can view Partition Utilization Metrics. >0 (default): Partition Utilization Metrics are not available. See Partition Utilization Metrics for more information. |
| 50 |
Enable Functionality Modules Always 0. Not applicable to Luna USB HSM 7. |
N/A |
| 51 |
Enable SMFS Auto Activation Always 0. Not applicable to Luna USB HSM 7. |
N/A |
| 52 |
Allow Restricting FM Privilege Level Always 0. Not applicable to Luna USB HSM 7. |
N/A |
| 53 |
Allow Encrypting of Keys from FM to HSM Always 0. Not applicable to Luna USB HSM 7. |
N/A |
| 55 |
Enable Restricted Restore Always 0. Not applicable to Luna USB HSM 7. |
N/A |
| 56 |
Enable User Defined ECC Curves Always 1. The HSM can use prime and binary curves, specified in Weierstrauss form. Has implications for FIPS use. |
Allow User Defined ECC Curves Destructive |
