Primus HSM - Operation Modes
The Primus HSM supports multiple operation modes (Normal, FIPS, Common Criteria). The desired mode is chosen during the initial setup wizard while the device is in its factory state. This choice is permanent and can only be changed by performing a full factory reset.
The selected operation mode can be verified in the device diagnostics. Additionally, the compliance of an individual partition can be indicated. See Diagnostics - Firmware for more information.
Normal Mode
The standard mode of operation is the Normal mode. This enables the full set of functionalities and licensed features.
FIPS Mode
The device can be set to FIPS mode, a FIPS-compliant restricted mode that reduces the algorithms and services to the set defined in the “FIPS Non-Proprietary Security Policy”.
FIPS mode has the following implications:
- Only FIPS-approved algorithms are available, which may limit key sizes and functions
- Only the FIPS-approved DRNG is used
- TLS is not allowed for system/security log streaming
- Restore of backups from devices not in FIPS mode is not allowed
Leaving FIPS mode requires a factory reset, which returns the device to its factory state and permanently erases all stored key material.
For the details of the FIPS mode, please consult the FIPS Proprietary Security Policy of the Primus HSM. In particular, strict FIPS compliance requires that a FIPS-validated firmware be installed.
It is possible to operate the Primus HSM in FIPS mode with any firmware version. While this makes the device adhere to strict FIPS rules, it doesn’t formally make the device compliant.
Common Criteria Compliant Operation
To operate the device in compliance with the evaluated Common Criteria (CC) configuration, choose either Normal or FIPS mode of operation and ensure that the conditions outlined in the corresponding Primus HSM User Guide Appendix 14.1 are met.
Choosing FIPS mode will enforce some additional restrictions, particularly on available key sizes, cryptographic algorithms, and functions.