Open topic with navigation
An iKey 1000
(marked with) and imprinted with a domain secret.
A domain PED Key (the red one) carries the key-cloning vector (the domain identifier) that allows cloning to take place among HSMs and tokens. Cloning is a secure method of copying HSM (or Partition) or token objects, such that they can be replicated between HSMs and tokens, but:
Cloning is the method by which HSM and Partition backup is possible to a Luna Backup HSM, and by which restoring is possible from a Backup HSM or token to a Luna HSM or Partition.
At initialization time, the key-cloning vector is created on the HSM and imprinted onto a red PED Key, or if a desired cloning domain already exists, then the existing key-cloning vector from a red PED Key is read from that PED Key and imprinted on the HSM (or Backup token) as the HSM (or token) is initialized. HSMs and tokens that share a key-cloning vector are said to be members of a cloning domain.
An HSM or token can be a member of only one domain. To make an HSM or token become a member of a second domain, you must initialize the HSM or token and imprint the new key-cloning vector -- the first one is destroyed and the HSM or token is now a member of only the second domain.
To cause a Luna HSM or Partition to be a duplicate or mirror image of another, the procedure is to backup the first HSM or Partition, and then restore from the Backup token onto the new HSM (or Partition).
The "New Domain" Question
When you initialize an HSM, and are prompted for a red PED Key, Luna PED first asks:
If you answer [ No ]:
If you answer [ Yes ]:
Assuming that you responded [ No ], the PED asks additional preparatory questions, then asks you to insert a PED Key (which you should already have labeled with a red sticker). The PED scans the red PED Key for an existing key-cloning vector. If none is found, Luna PED imprints a new one, taken from the HSM, and that same new key-cloning vector is saved onto the HSM.
However, if an existing key-cloning vector (or other secret) is found, Luna PED needs to know whether to retain it. Luna PED asks:
If you answer Yes:
If you answer No:
To What Does a Domain Apply?
Each HSM has a domain that covers any object that can exist in the SO space - this is created at HSM initialization time. Usually objects in the SO area of the HSM are specialized keys used to facilitate HSM operations (example, masking key).
Each partition in an HSM has a domain of its own - this is created when the partition is created/initialized. Partitions contain customer-owned keys used in client operations, as well as data objects.
Objects on a partition can be cloned to another partition (whether on the same HSM or on another HSM) only if both partitions share the same domain.
In the current Luna SA 5.x sense, one domain is like another [ there is nothing special about one firmware 6 domain versus another firmware 6 domain] and could be applied to any partition or HSM SO space. Only your security and management policies dictate how you share domains. You can segregate HSMs and partitions into clonable groups. Cloning can occur among any/all members of a group that share a domain. Cloning cannot occur between members of two different domain groups.
Any HSM SO space can have only one domain, assigned at initialization time.
Any partition can have only one domain, assigned at partition creation time. It is not possible for a partition or an SO space to be a member of more than one domain. It is possible for different partitions on the same HSM to be members of mutually exclusive domains.
There is no limit to the number of partitions or HSMs that can share a common domain.
What about Legacy HSMs and Partitions?
HSMs before the K6 (the HSM inside Luna SA) and G5 (the HSM for PKI with Luna SA, and the core of the Luna Backup HSM) - legacy HSMs - used an older, smaller domain secret, which is incompatible with current HSMs.
Cloning of objects between Luna HSMs requires a shared domain.
To provide a one-way migration path to move HSM objects from legacy HSMs to modern HSMs, a command partition setLegacyDomain allows an old-style domain to be linked to a new-style domain on a K6 or G5 HSM.
Give Me The One-Sentence Summary
If you can account for all the HSMs to which you have presented your red Domain PED Key (meaning that you have maintained strict control of that red PED Key), then you know with certainty that nobody else could possibly have a copy of the sensitive keys that were created on your HSMs or partitions, or cloned to those HSMs or partitions.
Open topic with navigation