
Primus HSM - Overview of Roles

Primus HSM provides different roles that need to be initialized and set up. The table below shows the roles, their authentication means and corresponding permissions.

Role: Genesis
Authentication: Genesis Card (blue) [1] with associated Genesis PIN (one-time definable during initialization), linked to a specific device. Threshold: 1-of-n copies.
Role Permissions: Initial setup of KEK; create Security Officer role; Digital Seal; Backup/Restore; Factory Reset.

Role: Security Officer (SO)
Authentication: Several SO Cards (red) with associated PINs (chosen and can be changed). Threshold: m-of-n (m=2..5, n=2..10).
Role Permissions: User Management (e.g. create/delete User); Configuration; Firmware Update; Backup; Cloning.

Role: Partition Security Officer (PSO)
Authentication: Partition SO Card(s) (green) with associated PIN (chosen and can be changed); initialized and used via Decanus Terminal only. Threshold: 1,2-of-n (n=max. 10).
Role Permissions: User Management via Decanus Terminal (e.g. change setup password, change user security configuration).

Role: Partition Auditor (PAU)
Authentication: Partition Auditor Card(s) (grey) with associated PIN (chosen and can be changed); initialized and used via Decanus Terminal only. Threshold: 1,2-of-n (n=max. 10).
Role Permissions: Read-only access to Partition configuration, diagnostics and logs.

Role: User (Partition)
Authentication: Username and Password; JCA/JCE, PKCS#11, MSCNG Login.
Role Permissions: Key Management; User features (create keys, sign, encrypt).

Role: Device access
Authentication: Display protection password.
Role Permissions: Network Configuration, Logs, Diagnostics, Alerts, Reboot, Power Off.

Role assignments and removals are events that need to be logged.

Genesis

The Genesis Role is required for the initial setup of the device and ensures that only the legitimate owner can set up the device. This role is uniquely bound to the hardware and cannot be transferred to another unit.

During the initial setup wizard, the Genesis PIN is defined using the Activation Code, unless it has already been delivered in a sealed letter. The PIN can only be set once and can never be changed or reset afterward. The Genesis Role is used to generate the Key Encryption Key (KEK) and to establish the Security Officer (SO) role.

Beyond initial setup, the Genesis Role is used for critical functions, including:

  • Performing a factory reset after zeroization or tamper events
  • Verifying and setting the Digital Seal
  • Managing Security Officers
  • Performing backup and restore operations
  • Pairing the HSM with Decanus

The Genesis Card is essential: without it, the HSM cannot be initialized or restored from a factory reset. To ensure business continuity, it is strongly recommended to create a copy of the original Genesis Card as a failsafe in case the original is lost or damaged.

Additional Genesis Cards

Additional Genesis cards can be purchased. Please contact us for more details.

Security Officer (SO)

The Security Officer (SO) role authorizes access to all security-related functions and settings of the Primus HSM.

SO activation is based on a quorum scheme. Each SO is issued a personal SO Card with its own PIN, and role activation requires a minimum number of cards (m) out of the total created (N). For example, with m=2 and N=4, any two of the four SOs need to be present to activate the role. This m-of-N model enforces the four-eyes principle and ensures that no single person can perform critical operations alone. By default, the quorum is set to 2-of-10.

The HSM requires SO activation whenever a sensitive management operation is performed, such as device configuration or creation of Users. These operations include:

  • Configuring the Device Security
  • Configuring the Users
  • Obtaining sensitive diagnostics
  • Extracting Device logs
  • Backup and Cloning operations
  • Firmware and license management
  • and more

Each SO Card must be uniquely assigned to an operator and should carry a personal identifier, which is recorded in the audit logs. SO cards and their corresponding PINs must be stored securely, kept separate from each other, and never shared. Duties of an SO operator include safeguarding the card and PIN, avoiding misuse of the role, and ensuring proper handover if the role is revoked.

Management options for the SO role include:

  • Create Additional SOs
  • Administer SO Credentials
  • Copy SO Card: creates an identical copy of an SO Card without increasing the total number of SOs.
  • Delete SO

Creation and modification of Master SOs is synchronized across the HA cluster. To maintain business continuity, it is recommended to create more SOs than the minimum quorum (m), ensuring redundancy in case of absence, card loss, or damage.

Some sensitive operations require both the SO and Genesis roles to authenticate.
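The quorum rules described in this section (m-of-n activation with m=2..5 and n=2..10, a personal identifier per card that is recorded in the audit log, and copied cards that do not add an SO) can be modelled to see how they interact. The following is an added illustration, not Securosys code, and it does not represent how the HSM authenticates cards internally: PIN verification is stood in for by a local SHA-256 digest comparison, the audit-log line format is invented, and the refusal to delete an SO when that would leave fewer SOs than m is an added guard (the page only recommends keeping more SOs than the quorum).

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field

# Threshold limits stated on the page: m = 2..5 and n = 2..10, default 2-of-10.
M_RANGE = range(2, 6)
N_RANGE = range(2, 11)


def _pin_digest(pin: str) -> bytes:
    """Keep only a digest of the PIN (constructed stand-in for card authentication)."""
    return hashlib.sha256(pin.encode()).digest()


@dataclass(frozen=True)
class SOCard:
    """One presented SO card: its personal identifier plus the PIN typed by the holder."""
    so_id: str
    pin: str


@dataclass
class SOQuorum:
    """m-of-n Security Officer quorum with an audit trail of role events (model only)."""
    m: int = 2
    n: int = 10
    _cards: dict[str, bytes] = field(default_factory=dict)  # so_id -> PIN digest
    audit_log: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.m not in M_RANGE or self.n not in N_RANGE or self.m > self.n:
            raise ValueError(f"invalid quorum {self.m}-of-{self.n}")

    def create_so(self, so_id: str, pin: str) -> None:
        """Create an additional SO; every card carries a unique personal identifier."""
        if so_id in self._cards:
            raise ValueError(f"SO {so_id!r} already exists")
        if len(self._cards) >= self.n:
            raise ValueError(f"quorum already holds n={self.n} SOs")
        self._cards[so_id] = _pin_digest(pin)
        self.audit_log.append(f"SO_CREATED id={so_id}")

    def delete_so(self, so_id: str) -> None:
        """Delete an SO; added guard: refuse if fewer than m SOs would remain."""
        if so_id not in self._cards:
            raise KeyError(so_id)
        if len(self._cards) - 1 < self.m:
            raise ValueError("deleting this SO would make the quorum unreachable")
        del self._cards[so_id]
        self.audit_log.append(f"SO_DELETED id={so_id}")

    def so_count(self) -> int:
        return len(self._cards)

    def activate(self, presented: list[SOCard]) -> bool:
        """True only if at least m distinct, correctly authenticated SOs are present.

        A card and its copy share one identifier, so together they count as one
        SO: copying a card never helps a single operator reach the quorum.
        """
        authenticated: set[str] = set()
        for card in presented:
            stored = self._cards.get(card.so_id)
            if stored is not None and hmac.compare_digest(stored, _pin_digest(card.pin)):
                authenticated.add(card.so_id)
            else:
                self.audit_log.append(f"SO_AUTH_FAILED id={card.so_id}")
        ok = len(authenticated) >= self.m
        verdict = "OK" if ok else "DENIED"
        self.audit_log.append(
            f"SO_ACTIVATION {verdict} present={sorted(authenticated)} required={self.m}"
        )
        return ok


def demo() -> bool:
    """Walk through the 2-of-4 example from the text with constructed card data."""
    q = SOQuorum(m=2, n=4)
    for so_id, pin in [("alice", "1234"), ("bob", "2345"), ("carol", "3456")]:
        q.create_so(so_id, pin)
    # A card plus its own copy is still a single SO: activation is denied.
    assert not q.activate([SOCard("alice", "1234"), SOCard("alice", "1234")])
    # Two different SOs with correct PINs satisfy the quorum.
    return q.activate([SOCard("alice", "1234"), SOCard("bob", "2345")])


if __name__ == "__main__":
    print(demo())
```

The point worth checking against your own SO inventory is the one `activate` enforces: copies made with "Copy SO Card" share the original's identifier, so the four-eyes guarantee only holds if the operators holding the m presented cards are actually different people, which is why each card must be uniquely assigned and stored separately from its PIN.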

Additional SO Cards

Additional SO cards can be purchased. Please contact us for more details.

Partition Security Officer (PSO)

Primus HSM supports remote Partition Administration through a dedicated Partition SO (PSO) role, using the Decanus Terminal (Partition Administration application).

A new PSO must be paired via the Decanus Terminal in Partition Administration mode using a Management Password. Upon successful pairing, the permanent Management Secret share is retrieved and stored on the PSO Card(s).

The Partition SO role can perform the following operations:

  • Administering PSO login credentials
  • Administering User Credentials
  • Control over the Partition configuration
  • Partition Backup and Restore
  • Managing invalidated keys
  • Obtaining User Diagnostics

Security Officer (SO) access may be revoked by the PSO, whereby the PSO assumes full responsibility for the Partition administration.

Partition Auditor (PAU)

The Partition Auditor (PAU) role provides read-only access to a specific Partition of the Primus HSM. It allows auditors to remotely inspect Partition status, diagnostics, audit logs, and configuration data using the Decanus Terminal in Partition Administration mode. The role works in a similar way to the Partition Security Officer (PSO) but with restricted permissions (read-only), ensuring that auditors cannot make changes to the Partition.

A new Partition Auditor must be paired via the Decanus Terminal in Partition Administration mode using a one-time Audit Password. After successful pairing, a permanent Audit Secret is retrieved and securely stored on the PAU Card(s).

User (Partition)

A User is a dedicated Partition within the Primus HSM, each with its own cryptographic storage and configuration. Users can only access their own keys and certificates. The number of Users depends on the HSM model and license.

The User Client, often referred to as "provider software", integrates into a business application and runs on the same server, connecting to the Primus HSM over the network. User Client operations are performed via supported APIs. To use a specific API, it must be licensed and activated in the HSM.

List of Primus HSM Supported APIs.

User Creation

Creating Users is done by Security Officers (SOs) on the Master HSM. Once created, the User client (typically a client application) can access the HSM remotely over the network using their assigned username and permanent User Secret. The permanent User Secret is initially retrieved over a secure channel, using a temporary setup password provided for the onboarding process.

Each User can generate cryptographic keys and perform operations using those keys, but only within their own Partition. No other User has access to the keys or data in a Partition.

The User Client has access to the following capabilities:

  • Key generation, import, and deletion
  • Data signing and signature verification
  • Data encryption and decryption
  • Key wrapping and unwrapping
  • Random data generation and import

Creation and modification of Users, their content and their configuration are synchronized within the HA cluster.

Managing the User

The following functions can be used to manage the User (Partition):

  • Create User: depending on the license, multiple Users can be created.
  • Delete User: deletes all objects in the User's Partition.
  • New Setup Password: required to initialize a new User Client that does not yet know the permanent User Secret. Issuing a new Setup Password does not affect the permanent User Secret.
  • New permanent User Secret: allows rotation or revocation of a fetched permanent User Secret.
  • User Configuration: security parameters can be customized for individual Users to override device-wide security settings.

Footnotes

  1. Only possible to be initialized once.
