Partition Policies
Partition Security Policy Settings
Key Import
Key Import allows/blocks on partition level to import keys in plain or wrapped format, e.g. import of existing subscriber key material or restoration of exported keys.
Possible settings: Allowed / Not allowed
It is recommended that key material is generated and hold inside HSM. Certain regulations require “never extractable” keys.
Key Export
Key Export allows/blocks on partition level to extract keys in plain or wrapped format, e.g. for backup.
Possible settings: Allowed / Not allowed
Exporting keys is a sensitive activity and requires cautious handling. The export and secure external storage of subscriber data is subscriber’s sole responsibility.
Key Invalidation
The Key Invalidation feature prevents from permanently deleting key objects via API, e.g. accidental deletion. It works as a bin. Key objects deleted via API are marked as invalidated and appear to be deleted to the API but can be restored or deleted permanently by the Security Officer or Partition Administration Security Officer only.
Possible settings: Enabled / Disabled
Invalidated key objects still consume partition space and key IDs remain used.
Partition Read-Only
Read-only partition only allow usage of keys via API (no creation, modification, or deletion of keys via API).
Possible settings: Enabled / Disabled
Read only access to the partition is disabled by default and can be subsequently modified through the Support Portal, or Decanus Terminal via Partition Administration.
Session Objects
Support of Session Objects. Ephemeral keys are used outside of HSM, encrypted with a per partition key (non-extractable, not accessible) and deleted at the end of the client session. These keys are not stored persistently on the HSM cluster.
Possible settings: Enabled / Disabled
Object Destruction
Object Destruction allows or prevents from deletion via API calls. IF set to disabled (false), keys cannot be deleted (delete will always fail).
Possible settings: Enabled / Disabled
Object Usage
The Object Usage setting controls the availability of secret and private keys. If it is disabled, these keys cannot be accessed or utilized for any cryptographic operations, ensuring they remain secure and inactive.
Possible settings: Enabled / Disabled
Cryptographic operations are sign, verify, encrypt, decrypt, derive.
Wrap and unwrap are controlled by key import and export settings and not considered cryptographic operations..
Client API Access
The setting Client API Access enables access to the device key store for all client APIs (e.g., JCE, PKCS#11 and MSCNG).
Possible settings: Enabled / Disabled
Access to the Client API is enabled by default and can be subsequently modified through the Support Portal, or Decanus Terminal via Partition Administration to take the partition offline.