Topic
  • 3 replies
  • Latest Post - 2012-05-30T13:15:28Z by RCW
johne70
2 Posts

Pinned topic HSM Help how is it initialised

2012-05-30T08:22:57Z |
Hi,

I'm trying to initialise the HSM on an XS40 device. I can see lots of talk around FIPS 140 level 2, level 3 and the use of a PED device on initialisation.

Do we have to use a PED device? Is there another FIPS level that could be used, without using the PED which could be done remotely?

Thanks in advance

John
Updated on 2012-05-30T13:15:28Z at 2012-05-30T13:15:28Z by RCW
  • RCW
    232 Posts

    Re: HSM Help how is it initialised

    2012-05-30T08:42:23Z
    Hello John,

    We have published an FAQ on the HSM: FAQ

    When using FIPS Level 2, no PED is required. Only FIPS Level 3 requires the PED (you will also require it if you want to get out of level 3 mode).

    Hope this helps.
    Rolf
  • johne70
    2 Posts

    Re: HSM Help how is it initialised

    2012-05-30T10:33:21Z
    In reply to RCW (2012-05-30T08:42:23Z):
    Thanks Rolf, I read in one of the DataPower guides that a PED was required when initialising the HSM, whether in FIPS L2 or L3.

    So is this not the case? If I use FIPS level 2 when initialising the HSM, do I not need the PED at all, not even for a once-only activity?

    Does this mean no keys are stored on a PED key/card, and that if done at level 2 it can be done remotely?

    Thanks

    John
  • RCW
    232 Posts

    Re: HSM Help how is it initialised

    2012-05-30T13:15:28Z
    In reply to johne70 (2012-05-30T10:33:21Z):
    The PED is only needed when initializing the HSM with FIPS Level 3 or when moving off Level 3.

    I have no PED attached on this device and can reinit it without any issues:
    xi50(config-crypto)# hsm-reinit fips-level 2

    WARNING - all private keys in the HSM will be destroyed at next firmware reload.
    Do you want to continue ('yes' or 'no'):yes
    HSM will be reinitialized at next firmware reload.

    When using Level 2 you do not need the PED or the keys that come with the PED. The HSM Guide is pretty helpful for setting up the HSM and understanding how the keys are handled.

    Hope that helps.