Partition Policies
Primus HSM has both a device-wide "Security Configuration" and per-partition "User Security Configurations". A security configuration is a policy that defines which operations are allowed and which are blocked on the device or partition it applies to, giving fine-grained control over how each partition may be used.
Changing a Security Configuration requires a 2-of-n quorum of (Partition) Security Officers (PSO/SO), so no single operator can alter a policy on their own.
The term "User Security Configuration" comes from the fact that from the point of view of the HSM, "Partitions" are sometimes called "Users". This is not to be confused with applications making API requests to the HSM and "using" the keystore.
Default Values
The default values on CloudHSM (especially on SBX and ECO) differ from the default values of an on-premises Primus HSM. For details, see the "Partition Settings" section of your CloudHSM package.
Additionally, the default values are selectable upon ordering a CloudHSM service.
Modifying the User Security Configuration
In CloudHSM, there are two ways to modify the User Security Configuration of your Partition:
- Raise a ticket on the Support Portal, requesting the change. The Security Officers (SOs) from Securosys will make the change on your behalf. This may be subject to a cost, and may take a few days.
- Onboard your own Partition Security Officers (PSO) to your Partition.
  - This requires a one-time setup of Partition Administration. It also requires the purchase of a Decanus Terminal.
  - Afterwards, your PSOs can make changes to your Partition's Security Configuration at any time, giving you full control.
Available Options
The list below describes the most important options that are available in the User Security Configuration. For full details, see Section 4.6.3 "User Security" of the Primus HSM User Guide. All of these options can be either "enabled" or "disabled".
Key Import
Key Import allows/blocks the import of keys in plain or wrapped format, e.g. import of existing subscriber key material or restoration of exported keys.
It is recommended that key material is generated and held inside the HSM. Certain regulations require “never extractable” keys.
Key Export
Key Export allows/blocks the extraction of keys in plain or wrapped format, e.g. for backup.
Exporting keys is a sensitive activity and requires cautious handling. The export and secure external storage of subscriber data is the subscriber’s sole responsibility.
Key Invalidation
The Key Invalidation feature prevents key objects from being permanently deleted via the API, protecting against accidental deletion. Key Invalidation acts as a "trash bin": keys and objects deleted via the API are only marked as invalidated and appear deleted to API clients. They can be restored, or deleted permanently, by the Security Officer or Partition Administration Security Officer.
Invalidated key objects still consume partition space, and the key IDs and key labels remain used until the objects are permanently deleted by a PSO or SO.
Partition Read-Only
When a partition is marked as read-only, the APIs (JCE, REST, PKCS#11, ...) allow using keys (such as signing and decrypting) but do not allow changing keys (such as creation, deletion, attribute modification).
Session Objects
Session Objects are ephemeral keys that are kept in-memory for the duration of a client session, and are not stored persistently on the HSM.
Optionally, Session Objects can be exported and stored outside of the HSM. The export is encrypted with a per-partition key that is internal to the HSM, not accessible, and non-extractable. Therefore, such an export can only ever be imported again as a Session Object on the same partition.
Object Destruction
Object Destruction allows or prevents the deletion of objects via API calls. If disabled, keys cannot be deleted via the API (every delete request fails).
Object Usage
The Object Usage setting controls the availability of secret and private keys. If it is disabled, these keys cannot be used for any cryptographic operations (such as sign, verify, encrypt, decrypt, derive).
Note that this is different from Partition Read-Only, which blocks changes to keys but not their use.
Wrap and unwrap are controlled by key import and export settings and not part of Object Usage.
Client API Access
Client API Access enables access to the key store via the client APIs (REST, JCE, PKCS#11, ...). Disabling it cuts off all applications that are connected to the partition.
This also cuts off access by the Partition Administration application via the Decanus Terminal! If you disable Client API Access as a PSO, you therefore lock yourself out, and only the Device SO can re-enable it. In CloudHSM, the Device SO role is held by Securosys.
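The interactions between these settings (Partition Read-Only versus Object Usage, wrap/unwrap following the Key Import/Export flags rather than Object Usage, Key Invalidation keeping labels in use after an API delete, Client API Access cutting off every client) are easy to get wrong when planning a configuration. The Python model below is an added example, not Securosys code and not the Primus client API; it encodes only the behaviour described in this section. The operation names, the order in which the flags are checked (API access first, then Read-Only, then the per-object flags), and the treatment of import/unwrap as key creation under Partition Read-Only are assumptions made for the illustration.

```python
"""Illustrative model of how the User Security Configuration flags gate client
API requests. Added example, not Securosys code or the Primus client API: it
encodes only the per-flag behaviour described above. Operation names, the check
order, and treating import/unwrap as creation under Read-Only are assumptions."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class UserSecurityConfiguration:
    client_api_access: bool = True
    partition_read_only: bool = False
    object_usage: bool = True
    object_destruction: bool = True
    key_invalidation: bool = False
    key_import: bool = True
    key_export: bool = True


USAGE_OPS = frozenset({"sign", "verify", "encrypt", "decrypt", "derive"})  # Object Usage
# Wrap/unwrap follow Key Export/Key Import, not Object Usage.
IMPORT_OPS = frozenset({"import", "unwrap"})
EXPORT_OPS = frozenset({"export", "wrap"})
# Changes to the key store, blocked by Partition Read-Only (import counted as creation).
MUTATING_OPS = frozenset({"generate", "delete", "set_attribute"}) | IMPORT_OPS


def deny_reason(cfg: UserSecurityConfiguration, op: str) -> Optional[str]:
    """Return None if a client may perform `op`, else the setting refusing it."""
    if not cfg.client_api_access:
        return "Client API Access disabled"  # every client, Decanus included
    if cfg.partition_read_only and op in MUTATING_OPS:
        return "Partition Read-Only"
    if op in USAGE_OPS and not cfg.object_usage:
        return "Object Usage disabled"
    if op in IMPORT_OPS and not cfg.key_import:
        return "Key Import disabled"
    if op in EXPORT_OPS and not cfg.key_export:
        return "Key Export disabled"
    if op == "delete" and not cfg.object_destruction:
        return "Object Destruction disabled"
    return None


@dataclass
class Partition:
    cfg: UserSecurityConfiguration
    keys: dict = field(default_factory=dict)         # label -> live key object
    invalidated: dict = field(default_factory=dict)  # Key Invalidation "trash bin"

    def api_generate(self, label: str) -> str:
        reason = deny_reason(self.cfg, "generate")
        if reason:
            return f"denied: {reason}"
        # Invalidated objects keep their label (and space) until a PSO/SO purges them.
        if label in self.keys or label in self.invalidated:
            return "denied: label already in use"
        self.keys[label] = f"<constructed key object {label}>"
        return "ok"

    def api_delete(self, label: str) -> str:
        reason = deny_reason(self.cfg, "delete")
        if reason:
            return f"denied: {reason}"
        if label not in self.keys:
            return "denied: no such key"
        obj = self.keys.pop(label)
        if self.cfg.key_invalidation:
            self.invalidated[label] = obj  # retained, but looks deleted to the API
        return "ok"

    def api_sign(self, label: str) -> str:
        reason = deny_reason(self.cfg, "sign")
        if reason:
            return f"denied: {reason}"
        return "ok" if label in self.keys else "denied: no such key"

    def so_restore(self, label: str) -> bool:
        """Security Officer action via Partition Administration, not the client API."""
        if label not in self.invalidated:
            return False
        self.keys[label] = self.invalidated.pop(label)
        return True


def demo() -> dict:
    """Exercise the interactions described above and return each outcome."""
    out = {}
    p = Partition(UserSecurityConfiguration(key_invalidation=True))
    p.api_generate("signing-key")
    out["delete_with_invalidation"] = p.api_delete("signing-key")  # "ok"
    out["sign_after_delete"] = p.api_sign("signing-key")           # "denied: no such key"
    out["regenerate_same_label"] = p.api_generate("signing-key")   # "denied: label already in use"
    p.so_restore("signing-key")
    out["sign_after_restore"] = p.api_sign("signing-key")          # "ok"
    ro = UserSecurityConfiguration(partition_read_only=True)
    out["readonly_sign"] = deny_reason(ro, "sign")                 # None
    out["readonly_generate"] = deny_reason(ro, "generate")         # "Partition Read-Only"
    no_use = UserSecurityConfiguration(object_usage=False)
    out["nousage_sign"] = deny_reason(no_use, "sign")              # "Object Usage disabled"
    out["nousage_wrap"] = deny_reason(no_use, "wrap")              # None: wrap follows Key Export
    return out
```

Running `demo()` walks through the cases above: with Key Invalidation enabled, an API delete succeeds but the label stays occupied, so re-creating a key with the same label fails until a PSO/SO restores or purges the object; a read-only partition still signs but refuses generation; disabling Object Usage blocks signing but leaves wrap available as long as Key Export is enabled.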