Security Mode Descriptions

This section describes the security modes that can be selected from the Security Modes group box in the Set Security Flags – All Devices dialog box.

Set All and Clear All Modes

Click Set All to set all available security flags.

Click Clear All to remove all security flags.

FIPS 140 Mode

FIPS 140 Mode refers to the security flag settings required to comply with the Federal Information Processing Standards (FIPS) 140 standard.

It is important to note that the product can function outside the scope of this accreditation. Therefore, ensure that the correct configuration is set if this level of FIPS secure operation is required.

The security mode flags set in FIPS 140 mode are shown in the table below.

Restricted Mode

The Restricted Mode security setting is a compromise between performance and security. If Restricted Mode is selected, the HSM requires all users to identify themselves before cryptographic services are available. This mode also prevents clear PINs and sensitive key material from passing through the HSM’s PCIe bus interface, but individual requests to the HSM do not need to be signed.

The security mode flags set in Restricted Mode are shown in the table below.

Security Mode Preconfigured Flag Settings

When the FIPS or Restricted security mode buttons are clicked in the Set Security – All Devices dialog box, the status of the flags is changed as shown in the table below (default values). Those settings marked with an asterisk (*) are mandatory in order to implement the requirements for the mode concerned. Additional flags, marked with a plus (+), can be changed if required. See Security Mode Flag Descriptions.

| Flag | FIPS 140 Mode | Restricted Mode |
|---|---|---|
| Tamper Before Upgrade | Set* | Cleared+ |
| No Public Cryptography | Set* | Set* |
| Entrust Compliant | Cleared* | Cleared* |
| No Clear PINs | Set* | Set* |
| Authentication Protection | Set* | Cleared* |
| Lock Security Mode | Set* | Set* |
| Increased Security Mode | Cleared+ | Cleared+ |
| Only Allow FIPS Approved Algorithms | Set* | Cleared* |
| Full Secure Messaging Encryption | Cleared+ | Cleared+ |
| Full Secure Messaging Signing | Cleared+ | Cleared* |
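
The preset table above can be used as an audit baseline. The following is an added example, not part of the product documentation or its tooling: it parses the table's Set/Cleared and */+ notation and reports which mandatory flags on a device break a mode and which optional flags merely differ from the default. The device flag dictionary is a constructed sample; how flags are read from a real HSM is assumed to be handled elsewhere.

```python
# Added example: audit device security flags against the mode presets in the table.
# Flag names and values are copied from the table; '*' = mandatory, '+' = optional.
TABLE = """\
Tamper Before Upgrade|Set*|Cleared+
No Public Cryptography|Set*|Set*
Entrust Compliant|Cleared*|Cleared*
No Clear PINs|Set*|Set*
Authentication Protection|Set*|Cleared*
Lock Security Mode|Set*|Set*
Increased Security Mode|Cleared+|Cleared+
Only Allow FIPS Approved Algorithms|Set*|Cleared*
Full Secure Messaging Encryption|Cleared+|Cleared+
Full Secure Messaging Signing|Cleared+|Cleared*
"""
MODES = ("FIPS 140 Mode", "Restricted Mode")

def load_presets(table=TABLE):
    """Map mode -> flag -> (is_set, is_mandatory)."""
    presets = {m: {} for m in MODES}
    for row in table.strip().splitlines():
        flag, *cells = row.split("|")
        for mode, cell in zip(MODES, cells):
            presets[mode][flag] = (cell.startswith("Set"), cell.endswith("*"))
    return presets

def audit(mode, device_flags):
    """Return (violations, deviations) for device_flags against a mode.
    violations: mandatory flags that differ or are not reported (mode not in effect).
    deviations: optional flags changed from the preset default (permitted, report only)."""
    violations, deviations = [], []
    for flag, (want, mandatory) in load_presets()[mode].items():
        have = device_flags.get(flag)  # None means the flag was not reported
        if have == want:
            continue
        if mandatory:
            violations.append(flag)
        elif have is not None:
            deviations.append(flag)
    return violations, deviations

# Constructed sample: the FIPS 140 preset with one mandatory and one optional flag changed.
sample = {f: v for f, (v, _) in load_presets()["FIPS 140 Mode"].items()}
sample["Authentication Protection"] = False  # mandatory (*) in FIPS 140 Mode
sample["Increased Security Mode"] = True     # optional (+) in both modes

if __name__ == "__main__":
    for mode in MODES:
        print(mode, audit(mode, sample))
```

An empty violations list means every mandatory flag for that mode is in the required state; a missing mandatory flag is treated as a violation rather than assumed correct.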