You are here: D - Reference > Capabilities and Policies > Partition Capabilities & Policies

Luna Reference

Partition Capabilities & Policies

Partition Capability Name

Partition Policy Name

Modifiable?

 

Description

 

Enable private key cloning   (CONTAINER_CONFIG_PRIVATE
_KEY_CLONING)

 

Allow private key cloning            

 

depends

 

If this is allowed, the private keys on the partition may be backed up, the HSM Admin can turn this feature on or off. The value of this capability depends on the HSM capability and policy “Enable cloning”. If this is not allowed, private keys on this partition cannot be backed up and the HSM Admin may not change this. Partition backup or partition network replication is allowed for the SafeNet high availability feature.

Enable private key wrapping (CONTAINER_CONFIG_PRIVATE
_KEY_WRAPPING)

 

Allow private key wrapping           

 

depends

 

If this is allowed, private keys on the partition may be wrapped, and the HSM Admin can turn this feature on or off. If not allowed, private keys on the partition may not be wrapped off. This value is always set to Disallowed for all partitions on a Luna HSM.

Enable private key unwrapping   (CONTAINER_CONFIG_PRIVATE
_KEY_UNWRAPPING)

Allow private key unwrapping

 

depends

 

If this is allowed, private keys may be unwrapped onto the partition, and the HSM Admin can turn this feature on or off. If not allowed, private key unwrapping is not available, and the HSM Admin cannot change this.

Enable private key masking   (CONTAINER_CONFIG_PRIVATE
_KEY_MASKING)

Allow private key masking

depends

If this is allowed, keys on the partition can use SIM and the HSM Admin can turn this feature on or off. Encryption for this feature uses an AES 256-bit key. The value of this capability depends on the HSM capability and policy “Enable masking”. If this is not allowed, this partition cannot participate in SIM, and the HSM Admin cannot change this.

Enable secret key cloning (CONTAINER_CONFIG_SECRET
_KEY_CLONING)

Allow secret key cloning

depends

If this is allowed, secret keys on the partition can be backed up, and the HSM Admin can turn this feature on or off. (i.e. the HSM Admin may only wish to turn this feature on immediately before a scheduled backup, and then turn it off again to prevent unauthorized backup.) If this is not allowed, secret keys cannot be backed up, and the HSM Admin cannot change this. Partition backup or partition network replication is allowed for the SafeNet high availability feature.

Enable secret key wrapping   (CONTAINER_CONFIG_SECRET
_KEY_WRAPPING)

Allow secret key wrapping

depends

If this is allowed, secret keys can be wrapped off the partition, and the HSM Admin can turn this feature on or off (i.e. the HSM Admin may wish to not allow secret key wrapping, in which case he/she would set the corresponding policy to “no”). If this is not allowed, the partition does not support secret key wrapping and the HSM Admin cannot change this.

Enable secret key unwrapping (CONTAINER_CONFIG_SECRET
_KEY_UNWRAPPING)

Allow secret key unwrapping

depends

If this is allowed, secret keys can be unwrapped onto the partition, and the HSM Admin can turn this feature on or off. If this is not allowed, the partition does not support secret key unwrapping and the HSM Admin cannot change this.

Enable secret key masking (CONTAINER_CONFIG_SECRET
_KEY_MASKING)

Allow secret key masking

depends

If this is allowed, secret keys on the partition can use SIM, and the HSM Admin can turn this feature on or off. Encryption for this feature uses an AES 256-bit key. If it is not allowed, the partition does not support SIM.

Enable multipurpose keys   (CONTAINER_CONFIG
_MULTIPURPOSE_KEYS)

Allow multipurpose keys

depends

If this is allowed, keys on the partition may be created for multiple purposes such as signing and decrypting, and the HSM Admin can turn this feature on or off. If not allowed, keys created on (or wrapped onto) the partition must be for single function only. (i.e. specify only one function in the attribute template).

Enable changing key attributes   (CONTAINER_CONFIG_CHANGE
_KEY_ATTRIBUTES)

Allow changing key attributes

depends

If this is allowed, non-sensitive attributes of the keys on the partition are modifiable (i.e. the user can change the functions that the key can use), and the HSM Admin has the ability to turn this feature on or off. If not allowed, keys created on the partition cannot be modified.
This policy affects the following "key function attributes":  
CKA_ENCRYPT  
CKA_DECRYPT  
CKA_WRAP  
CKA_UNWRAP  
CKA_SIGN  
CKA_SIGN_RECOVER  
CKA_VERIFY  
CKA_VERIFY_RECOVER  
CKA_DERIVE  
CKA_EXTRACTABLE  
All other attributes are not controlled by this policy.

Enable PED use without challenge   (CONTAINER_CONFIG
_AUTHENTICATION
_WITHOUT_CHALLENGE)

n/a

no

 

If this is allowed, the HSM can use the Luna PED without using a challenge (HSM Partition Password). The corresponding policy is always set to not allowed for Luna HSMs. (i.e. Luna HSM partitions always require HSM Partition Passwords.)

Allow failed challenge responses   (CONTAINER_CONFIG_FAILED
_CHALLENGE_COUNTER)

Ignore failed challenge responses

depends

If this is allowed, failed challenge responses (HSM Partition Passwords) will not increment the counter for X consecutive bad login attempts, and the HSM Admin can turn this feature on or off. If not allowed, failed challenge responses (HSM Partition Passwords) will increment the failed login counter. This capability/policy only pertains to HSMs that use the Luna PED for authentication. (The policy name is slightly different from the capability name – if the policy is on, failed challenges are ignored, which is the same as if the capability is allowed.)

Enable operation without RSA blinding  (CONTAINER_CONFIG
_NO_RSA_BLINDING)

Operate without RSA blinding

depends

 

If this is allowed, the partition may run in a mode that does not use RSA blinding (Blinding is a technique that introduces random elements into the signature process to prevent timing attacks on the RSA private key. Use of this technique may be required by certain security policies, but it does reduce performance.) and the HSM Admin can turn this feature on or off. If disallowed, the partition will always run in RSA blinding mode; performance will be lower than SafeNet published performance. (The policy name is slightly different from the capability name - if the policy is on, RSA blinding is not used, which is the same as if the capability is allowed.)

Enable signing with non-local keys   (CONTAINER_CONFIG
_NONLOCAL_SIGNING_KEYS)

Allow signing with non-local keys

 

depends

 

If this is allowed, keys that have been wrapped onto the partition may be used (trusted) for signing, and the HSM Admin can turn this feature on or off. If moving keys from software to hardware, this capability must be allowed, and the corresponding policy must be set 'on', or the keys will not be able to perform signing. If not allowed, only keys that were created locally (on the hardware) can be used for signing.

Enable raw RSA operations   (CONTAINER_CONFIG
_RAW_RSA_OPERATIONS)

Allow raw RSA operations

 

depends

 

If this is allowed, the partition may allow raw RSA operations (mechanism CKM_RSA_X_509), the HSM Admin can turn this feature on or off. If not allowed, the partition will not support raw RSA operations.

Max failed user logins allowed (CONTAINER_CONFIG_MAX
_FAILED_USER_LOGINS_ALLOWED)

Max failed user logins allowed

 

depends

 

The number in the capability indicates the maximum number of consecutive failed user logins allowed, as set by the partition license. The HSM Admin can set the corresponding policy to a value less than or equal to the capability value. (i.e. if the capability shows 15, the policy can be set to [1-15], although setting it to a really low number is not recommended.)

Enable high availability recovery  (CONTAINER_CONFIG
_HIGH_AVAILABILITY)

Allow high availability recovery

depends

If this is allowed, another partition that is in high availability mode with this partition may be used to restore login state to this partition after power outage or other deactivation, and the HSM Admin may turn this feature on or off. If not allowed, this partition does not support the SafeNet high availability feature.

Enable activation  (CONTAINER_CONFIG_ACTIVATION)

Allow activation

depends

If this is allowed, PED Key data for the partition may be cached so subsequent logins do not require PED Keys, and the HSM Admin may turn this feature on or off. If not allowed (or if the policy is turned off) PED Keys must be presented at each login (whether the call is local or from a client application.) This policy only applies to partitions on HSMs that use the Luna PED for authentication.

Enable auto-activation (CONTAINER_CONFIG
_AUTO_ACTIVATION)

Allow auto-activation

depends

If this is allowed, PED Key data for the partition may be semi-permanently cached to hard disk (encrypted) so that the partition activations status can be maintained after a short power loss, the HSM Admin can turn this feature on or off. If power stays off more than a few minutes, the key that was used to encrypt the data cached to hard disk is no longer valid, so authentication cannot be re-instated. If this capability is not allowed, the partition does not support auto-activation. This policy only applies to partition on HSMs that use the Luna PED for authentication

Minimum pin length (inverted: 255 - min) (CONTAINER_CONFIG
_MINIMUM_PIN_LENGTH)

Minimum pin length (inverted: 255 - min)

yes

The minimum pin length value is determined as follows. Since a policy can only be set to values that are lower (or equal to) the value in a capability, if the min pin length capability was set to 7, the policy could be set to 2, which is a less restrictive policy. This is not acceptable. So, to keep all capabilities consistent, the value of this capability must be interpreted. The formula to use is:
(max pin) - (min pin) = (capability value)
If the minimum pin length capability is set to 248, and the maximum pin length capability is set to 255, the minimum pin is
(255) - (min pin) = 248    --> solving for min pin -->   (min pin) = 255 - 248 --> min pin is --> 7
The administrator can set the policy to select a new, more restrictive minimum pin length. Continuing with the example above, assume the administrator wants to set min pin length to 10 to force better password selection. Solve for policy value in the following formula:
(max pin) - (min pin) = (policy value)  --> substituting -->  255 - 10 = (policy value)  --> solving for policy value --> policy value is 245
To set the minimum pin length to 10, the HSM Admin would change the min pin length policy to 245.
Thus, the HSM Admin would select a number less than the capability (245 is less than 255) to set the minimum pin length to a greater value.

Maximum pin length  
( CONTAINER_CONFIG
_MAXIMUM_PIN_LENGTH)

Maximum pin length

yes

The value here is the maximum value for the pin length. This value is used in calculating the minimum pin length, and the value in the maximum pin length policy always be greater than the value in the minimum pin length policy.

Enable Key Management Functions

Allow Key Management Functions

yes

The HSM Admin or Security Officer can disable access to any key management functions by the user - all users become "Crypto-Users" (the restricted-capability user) even if logged in as "Crypto-Officer".

Enable RSA signing without confirmation

Perform RSA signing without confirmation

yes

The HSM can perform an internal verification (confirmation) of a signing operation, in order to validate the signature. By default, that confirmation is disabled because it has a performance impact on signature operations.

Enable Remote Authentication (*)

Allow Remote Authentication

yes

Controls whether the Remote Authentication features can be used at the Partition level ("partition activate" and "partition restore") on a remote Luna SA.

If this option is switched off but the HSM-level capability is on, then the only Remote Administration tasks that you could perform would be those requiring "hsm login" - no partition-level remote operations. (* Deprecated - Remote Admin and Remote Authentication no longer supported.)

Enable private key unmasking Allow private key unmasking   Remove encryption with AES 256-bit key from
Enable secret key unmasking Allow secret key unmasking   Remove encryption with AES 256-bit key from