
Parameter Descriptions

Partition Security Policy Settings

Key Import

Key import allows or blocks, at partition level, the import of keys in plain or wrapped format, e.g. importing existing subscriber key material or restoring previously exported keys.

Possible settings: Allowed / Not allowed

note

It is recommended that key material is generated and held inside the HSM. Certain regulations require “never extractable” keys.

Key Export

Key export allows or blocks, at partition level, the extraction of keys in plain or wrapped format, e.g. for backup.

Possible settings: Allowed / Not allowed

note

Exporting keys is a sensitive activity and requires cautious handling. The export and secure external storage of subscriber data is the subscriber’s sole responsibility.

Key Invalidation

The key invalidation feature prevents key objects from being permanently deleted via the API, e.g. by accidental deletion. It works like a recycle bin: key objects deleted via the API are marked as invalidated and appear deleted to the API, but can be restored or permanently deleted only by the Security Officer or the Partition Administration Security Officer.

Possible settings: Enabled / Disabled

note

Invalidated key objects still consume partition space, and their key IDs remain in use until the object is permanently deleted.

Object Destruction

Object Destruction applies only to the REST API and prevents the deletion of key objects via REST calls.

Possible settings: Enabled / Disabled

Client API Access

Enable access to the device key store for client APIs (e.g., JCE, PKCS#11 and MSCNG).

Possible settings: Enabled / Disabled

note

Client API access is enabled by default and can subsequently be modified through the Support Portal, or on the Decanus Terminal via Partition Administration.

Partition R/O

A read-only partition cannot modify keys (no creation or deletion of keys via the API).

Possible settings: Enabled / Disabled

note

Read-only mode is disabled by default and can subsequently be modified through the Support Portal, or on the Decanus Terminal via Partition Administration.

Session Objects

Enables session object support. Key material of session objects is stored outside the HSM, encrypted with a per-partition key that is non-extractable and not accessible.

Possible settings: Enabled / Disabled

Object Usage

This setting controls whether secret and private keys are available for use. If it is disabled, these keys cannot be accessed or used for any cryptographic operation; they remain stored but inactive.

Possible settings: Enabled / Disabled
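The settings above interact in ways that are easy to get wrong when planning a partition (for example, an invalidated key still blocks its key ID and still counts against capacity). The following in-memory model is an added illustration written for this page; it is not Securosys code and does not talk to an HSM. It models Key Import, Key Export, Key Invalidation, Partition R/O and Object Usage as policy flags on a toy partition. The capacity limit, the role names, the use of HMAC as the "cryptographic operation", the policy defaults in `PartitionPolicy`, and the choice to let Object Usage also block export are all assumptions of the example.

```python
import hmac
import os
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    API_CLIENT = "API client"
    SECURITY_OFFICER = "Security Officer"
    PA_SECURITY_OFFICER = "Partition Administration Security Officer"


@dataclass
class PartitionPolicy:
    # Defaults here are this example's assumptions, not the device defaults.
    key_import: bool = False
    key_export: bool = False
    key_invalidation: bool = True
    partition_read_only: bool = False
    object_usage: bool = True


@dataclass
class KeyObject:
    key_id: str
    material: bytes
    invalidated: bool = False   # in the bin: hidden from the API, still occupies space and ID


class PolicyViolation(Exception):
    """Raised when a request conflicts with the partition security policy."""


class Partition:
    """Toy in-memory partition enforcing the policy flags above (constructed model)."""

    SO_ROLES = {Role.SECURITY_OFFICER, Role.PA_SECURITY_OFFICER}

    def __init__(self, policy: PartitionPolicy, capacity: int = 4):
        self.policy = policy
        self.capacity = capacity                # assumed object limit, shows bin consumption
        self.keys: dict[str, KeyObject] = {}

    def _require_writable(self) -> None:
        if self.policy.partition_read_only:
            raise PolicyViolation("partition is read-only")

    def _store(self, key_id: str, material: bytes) -> str:
        self._require_writable()
        if key_id in self.keys:                 # true for invalidated objects as well
            raise PolicyViolation(f"key ID {key_id!r} is still in use")
        if len(self.keys) >= self.capacity:     # invalidated objects count against capacity
            raise PolicyViolation("partition is full")
        self.keys[key_id] = KeyObject(key_id, material)
        return key_id

    def _live(self, key_id: str) -> KeyObject:
        k = self.keys.get(key_id)
        if k is None or k.invalidated:          # invalidated keys look deleted to the API
            raise KeyError(key_id)
        return k

    # Operations available to an API client
    def generate_key(self, key_id: str) -> str:
        return self._store(key_id, os.urandom(32))

    def import_key(self, key_id: str, material: bytes) -> str:
        if not self.policy.key_import:
            raise PolicyViolation("key import is not allowed on this partition")
        return self._store(key_id, material)

    def export_key(self, key_id: str) -> bytes:
        if not self.policy.key_export:
            raise PolicyViolation("key export is not allowed on this partition")
        if not self.policy.object_usage:        # assumption: disabled usage also blocks access
            raise PolicyViolation("object usage is disabled")
        return self._live(key_id).material

    def use_key(self, key_id: str, data: bytes) -> str:
        if not self.policy.object_usage:
            raise PolicyViolation("object usage is disabled")
        return hmac.new(self._live(key_id).material, data, "sha256").hexdigest()

    def delete_key(self, key_id: str) -> None:
        self._require_writable()
        k = self._live(key_id)
        if self.policy.key_invalidation:
            k.invalidated = True                # moved to the bin instead of destroyed
        else:
            del self.keys[key_id]

    def list_keys(self) -> list[str]:
        return sorted(k for k, v in self.keys.items() if not v.invalidated)

    # Operations on the bin, restricted to Security Officer roles
    def _binned(self, key_id: str, role: Role) -> KeyObject:
        if role not in self.SO_ROLES:
            raise PolicyViolation(f"{role.value} may not act on invalidated keys")
        k = self.keys.get(key_id)
        if k is None or not k.invalidated:
            raise KeyError(key_id)
        return k

    def restore_key(self, key_id: str, role: Role) -> None:
        self._binned(key_id, role).invalidated = False

    def destroy_key(self, key_id: str, role: Role) -> None:
        self._binned(key_id, role)
        del self.keys[key_id]


def denied(fn, *args) -> bool:
    """True if the call is refused by policy; convenience for walking through scenarios."""
    try:
        fn(*args)
    except PolicyViolation:
        return True
    return False
```

Walking a key through generate, delete, restore and destroy with `key_invalidation=True` shows why the note on partition space matters: until a Security Officer destroys the invalidated object, a fresh `generate_key` with the same ID is refused and the object still counts toward the capacity.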