HSM Capabilities and Policies

The Luna USB HSM 7 can be configured to suit the cryptographic needs of your organization. Configurable functions are governed by the following settings:

>HSM Capabilities are features of HSM functionality, set at time of manufacture. Some capabilities have corresponding modifiable HSM policies.

>HSM Policies are configurable settings that allow the HSM Security Officer to modify the function of their corresponding capabilities. Some policies affect HSM-wide functionality, and others allow further customization of application partitions by the Partition Security Officer.

The table below describes all Luna USB HSM 7 capabilities, their corresponding policies, and the results of changing their settings. This section contains the following procedures:

>Setting HSM Policies Manually

>Setting HSM Policies Using a Template

To zeroize the HSM and revert policies to their default values, see Zeroizing or Resetting the HSM to Factory Conditions.

To zeroize the HSM and keep the existing policy settings, use lunacm:> hsm zeroize.

Destructive Policies

Some policies affect the security of the HSM. As a security measure, changing these policies results in application partitions or the entire HSM being zeroized. These policies are listed below as destructive.
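As an added example (not Thales code), the script below compares a saved policy listing with a planned set of policy values and separates out changes to the policies this page marks as destructive (7, 12, 15, 22 and 56), so that backups can be confirmed before anything is zeroized. The listing layout, the sample text, and the names `parse_policies` and `plan_changes` are assumptions made for illustration.

```python
import re

# Policy IDs this page marks "Destructive": changing them zeroizes
# application partitions or the entire HSM.
DESTRUCTIVE = {7, 12, 15, 22, 56}

# Assumed layout of one listing line: "<id>: <name> : <value>"
LINE = re.compile(r"^\s*(\d+):\s*(.+?)\s*:\s*(\d+)\s*$")

def parse_policies(listing):
    """Return {id: (name, value)} for the 'HSM Policies' section only."""
    policies, in_policies = {}, False
    for line in listing.splitlines():
        header = line.strip().lower()
        if header.startswith("hsm capabilities"):
            in_policies = False          # capabilities are fixed at manufacture
        elif header.startswith("hsm policies"):
            in_policies = True
        elif in_policies and (m := LINE.match(line)):
            policies[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return policies

def plan_changes(current, desired):
    """Sort the desired settings into safe, destructive and not-settable."""
    plan = {"safe": [], "destructive": [], "not_settable": []}
    for pid, value in sorted(desired.items()):
        if pid not in current:
            plan["not_settable"].append(pid)   # capability has no policy (N/A)
        elif current[pid][1] != value:
            kind = "destructive" if pid in DESTRUCTIVE else "safe"
            plan[kind].append((pid, current[pid][0], current[pid][1], value))
    return plan

# Constructed sample listing (not captured from a real HSM).
SAMPLE = """\
HSM Capabilities
    7: Enable cloning : 1
   17: Enable Korean Algorithms : 0
HSM Policies
    7: Allow cloning : 1
   12: Allow non-FIPS algorithms : 1
   15: SO can reset partition PIN : 0
   16: Allow network replication : 1
   49: Allow Partition Utilization Metrics : 0
"""

if __name__ == "__main__":
    target = {12: 0, 15: 0, 16: 0, 17: 1, 49: 1}   # hypothetical baseline
    for kind, items in plan_changes(parse_policies(SAMPLE), target).items():
        print(kind, items)
```

Anything reported under `destructive` should be applied only after the affected partitions have been backed up.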

# | HSM Capability | HSM Policy
0

Enable PIN-based authentication

Always 1. The HSM can authenticate users with keyboard-entered passwords.

PIN-based authentication

Displays 1 if you chose password authentication at the time of HSM initialization.

1

Enable PED-based authentication

Always 1. The HSM can authenticate users with secrets stored on physical iKeys (multifactor quorum authentication) inserted into the Luna USB HSM 7. The Crypto Officer and Crypto User roles may also be configured with a secondary, keyboard-entered challenge secret.

PED-based authentication

Displays 1 if you chose multifactor quorum authentication at the time of HSM initialization.

2

Performance level

This value is standard on all Luna USB HSM 7s.

N/A

4

Enable domestic mechanisms & key sizes

Always 1. All Luna USB HSM 7s are capable of full-strength cryptography with no US export restrictions.

N/A

6

Enable masking

Always 1.

Allow Masking

7

Enable cloning

Always 1. All current Luna USB HSM 7s have the ability to clone cryptographic objects from one partition to another.

Allow cloning

Destructive

>1 (default): The HSM may clone cryptographic objects from one partition to another sharing the same cloning domain. This is required to back up partitions. The Partition SO can enable/disable cloning on individual partitions.

>0: The application partition may not clone cryptographic objects. The Partition SO cannot change this.

9

Enable full (non-backup) functionality

Always 1. The Luna USB HSM 7 is capable of full cryptographic functions.

N/A

12

Enable non-FIPS algorithms

Always 1. The HSM can use all cryptographic algorithms described in Supported Mechanisms.

Allow non-FIPS algorithms

Destructive

>1 (default): The HSM may use all available cryptographic algorithms, meaning all the FIPS-approved algorithms as well as non-FIPS algorithms.

>0: Only algorithms sanctioned by the FIPS 140-2 standard are permitted. Some of these algorithms will have certain operations restricted; refer to your firmware version in Supported Mechanisms for more information.

15

Enable SO reset of partition PIN

Always 1. This capability enables:

>the Partition SO to reset the password or iKey secret of the Crypto Officer.

>the Crypto Officer to reset the password or iKey secret of the Crypto User.

SO can reset partition PIN

Destructive

>1: Partition SO may reset the password or iKey secret of a Crypto Officer who has been locked out after too many failed login attempts.

>0 (default): The CO lockout is permanent and the partition contents are no longer accessible. The partition must be re-initialized, and key material restored from a backup device.

See Resetting the Crypto Officer or Crypto User Credential.

16

Enable network replication

Always 1. This capability enables cloning of cryptographic objects over a network. This is required for partition backup to a remote Luna Backup HSM.

Allow network replication

>1 (default): Cloning of cryptographic objects is permitted over a network. Remote backup is allowed.

>0: Cloning over a network is not permitted. Partition backup is possible to a locally-connected Luna Backup HSM only.

17

Enable Korean Algorithms

Always 0. The Korea-specific algorithm set is not currently available for Luna USB HSM 7.

N/A

19

Manufacturing Token

Always 0. For Thales internal use only.

N/A

21

Enable forcing user PIN change

Always 1. This capability forces the Crypto Officer or Crypto User to change the initial role credential created by the Partition SO.

Force user PIN change after set/reset

>1 (default): After the Partition SO initializes or resets the Crypto Officer credential, the CO must change the credential before any other actions are permitted. This also applies when the CO initializes/resets the Crypto User role. This policy is intended to enforce the separation of roles on the partition.

>0: The CO/CU may continue to use the credential assigned by the Partition SO.

See Changing a Role Credential.

22

Enable offboard storage

Always 1.

Allow offboard storage

Destructive

Deprecated policy. On previous HSMs, this policy allowed or disallowed the use of the portable SIM key.

Default: 1

23

Enable partition groups

Always 0 - deprecated capability.

N/A

25

Enable Remote PED usage

Always 1.

Allow Remote PED usage

>1 (default): When initialized for multifactor quorum authentication, the HSM may authenticate roles using a remotely-located Luna PED server.

>0: The HSM can authenticate roles by connecting iKeys directly to the Luna USB HSM 7 only.

27

HSM non-volatile storage space

Displays the maximum non-volatile storage space (in bytes) on the HSM.

N/A

30

Enable Unmasking

Always 1. This capability enables migration from legacy Luna HSMs that used SIM.

Allow unmasking

>1 (default): Cryptographic objects may be migrated from legacy Luna HSMs that used SIM.

>0: Migration from legacy HSMs using SIM is not possible.

33

Maximum number of partitions

Always 1. Displays the maximum number of application partitions that can be created on the Luna USB HSM 7.

Current maximum number of partitions

N/A

35

Enable Single Domain

Always 0. Not applicable to Luna USB HSM 7.

N/A

36

Enable Unified PED Key

Always 0. Not applicable to Luna USB HSM 7.

N/A

37

Enable MofN

Always 1.

Allow MofN

>1 (default): During iKey creation, you have the option to require a quorum to authenticate the role, by splitting the role secret among multiple iKeys. See M of N Split Secrets (Quorum).

>0: Users do not have the option to split role secrets (M and N are automatically set to 1).

38

Enable small form factor backup/restore

Always 0. Not applicable to Luna USB HSM 7.

N/A

40

Enable decommission on tamper

Always 0. Not applicable to Luna USB HSM 7.

N/A

42

Enable partition re-initialize

Always 0. Not applicable to Luna USB HSM 7.

N/A

43

Enable low level math acceleration

Always 1. This capability enables acceleration of cryptographic functionality for maximum HSM performance.

N/A

46

Allow Disabling Decommission

Always 0. Not applicable to Luna USB HSM 7.

N/A

48

Enable Controlled Tamper Recovery

Always 0. Not applicable to Luna USB HSM 7.

N/A

49

Enable Partition Utilization Metrics

Always 1. This capability enables the HSM SO to view (or export to a named file) counters that record how many times specific cryptographic operations have been performed in the application partition since the last counter-reset event.

Allow Partition Utilization Metrics

>1: The HSM SO can view Partition Utilization Metrics.

>0 (default): Partition Utilization Metrics are not available.

See Partition Utilization Metrics for more information.

50

Enable Functionality Modules

Always 0. Not applicable to Luna USB HSM 7.

N/A

51

Enable SMFS Auto Activation

Always 0. Not applicable to Luna USB HSM 7.

N/A

52

Allow Restricting FM Privilege Level

Always 0. Not applicable to Luna USB HSM 7.

N/A

53

Allow Encrypting of Keys from FM to HSM

Always 0. Not applicable to Luna USB HSM 7.

N/A

55

Enable Restricted Restore

Always 0. Not applicable to Luna USB HSM 7.

N/A

56

Enable User Defined ECC Curves

Always 1. The HSM can use prime and binary curves, specified in Weierstrass form. This has implications for FIPS use.

Allow User Defined ECC Curves

Destructive