Capabilities and Policies

Capabilities are factory settings that determine the broad capacity and performance parameters of your Luna HSM. Some are fixed. Some are adjustable.

Policies are the means by which adjustable capabilities can be modified.


HSM capabilities and policies apply to the entire Luna HSM. Partition capabilities and policies apply to individual HSM Partitions (sub-divisions with the overall HSM).

There are two kinds of HSM capabilities. Some are determined at time of manufacturing and cannot be changed - for these capabilities there are no corresponding policies. For others, the HSM Admin or Security Officer can change the HSM Policies to be more restrictive than the given HSM Capability.

A Policy can never set a condition to be less restrictive than the corresponding Capability. By default, policies are set to the same value as the capabilities. So if a capability allows something (such as masking), the corresponding HSM policy is set to “On”, by default. If a capability is "Off" or disallowed, then you cannot switch it on by means of a policy.


Most Partition capabilities have corresponding policies that the HSM Admin or SO can set to customize the behavior of individual partitions.

HSMs come from the factory as either password authenticated or PED authenticated, and that cannot be changed. However, both types need passwords.

A partition password is always required when a partition is created (partition create -partition <partitionname>).

Partition capabilities are determined by the license. Your Luna appliance is licensed with X-many partitions of a certain type, with all those partitions having the same capability settings. The HSM Admin can make the partitions all behave differently by turning on and off various policy settings on each partition. By default policies are set to the same value as the capabilities, so if the capability allows something, the corresponding policy will be on when the partition is created.

Some capability descriptions (partition and HSM) are worded in a seemingly awkward or unnatural way. This is because policies can be set only to be more restrictive than the corresponding capability.


