License

Introduction

As of version 6.0.0.0, HSM operates using a licensing mechanism.

Licenses enable certain HSM capabilities, classified into the following types:

functionality (enabling specialist modules such as Pix, Blockchain etc);
quantitative (number of keys, number of connections, etc.);
performance (transactions per second).

The HSM is shipped from the factory without installed licenses. In the process of installing and activating the HSM, the operator must upload the licenses received.

Licenses are usually issued by HSM serial number. They are physically files with a .lpack extension, encrypted and digitally signed, and are sent to the customer in a separate channel (usually by e-mail) to the persons established in the contract or at the delivery stage.

Before installing the license, the HSM has a fairly restricted operation; enough for an operator connection and the loading of the license. Activation is immediate, there is no need to reboot or stop the service for a valid license to be recognized. The process is done via the remote GUI console (via browser), so the HSM must already have the network settings ready and the service started.

In terms of scope, licenses can be of the following types:

OEM: only the manufacturer can remove or change (they are prefixed with @);
Regular: the operator can remove the license via the console (they are prefixed with +).

Licenses can be valid for any length of time:

perpetual;
with an expiration date (they are prefixed with =).

Performance licenses are controlled bysecurity level groups, for example the rsa2k key license controls the number of transactions per second of RSA keys up to 2048 bits.

Licenses available

The licenses currently available are:

The * is replaced by the specific value on the license issued.

Functionalities: enables specialist modules and specific functions.
- module-xml-dsig: enables the XML Sign module.
- module-spb: enables the SPB module.
- module-eft: enables the module EFT.
- module-eft-direct: enables the EFT Direct module.
- module-tsp: enables the TSP (Time Stamping) module.
- pix: enables the Pix.
- module-svault: enables the SVault module.
- module-blockchain: enables the Blockchain module.
- module-safekeeping: enables the Safe Keeping module.
- disclosed-key-gen:
- firmware-update: enables firmware update.
- cloud-telemetry: enables telemetry for the Dinamo cloud.
Quantitative
- db-*-objects: defines the maximum number of objects that can be created in the HSM base (keys, certificates, etc.); includes persistent and temporary objects.
- db-*-partitions: sets the maximum number of partitions that can be created.
- max-*-connections: sets the maximum number of connections in the HSM (simultaneous sessions).
Performance (Transactions per second)
- sym128-*-tps: maximum tps with 128-bit symmetric keys
- sym192-*-tps: maximum tps with 192-bit symmetric keys
- sym256-*-tps: maximum tps with 256-bit symmetric keys
- rsa2k-*-tps: maximum tps with 2048-bit RSA keys
- rsa3k-*-tps: maximum tps with 3072-bit RSA keys
- rsa4k-*-tps: maximum tps with 4096-bit RSA keys
- rsa8k-*-tps: maximum tps with 8192-bit RSA keys
- ecc256-*-tps: maximum tps with 256-bit EC keys
- ecc384-*-tps: maximum tps with 384-bit EC keys
- ecc512-*-tps: maximum tps with 512-bit EC keys
- ml-dsa44-*-tps: maximum tps with ml-dsa44 PQC keys
- ml-dsa65-*-tps: maximum tps with ml-dsa65 PQC keys
- ml-dsa87-*-tps: maximum tps with ml-dsa87 PQC keys
- ml-kem512-*-tps: maximum tps with ml-kem512 PQC keys
- ml-kem768-*-tps: maximum tps with ml-kem768 PQC keys
- ml-kem1024-*-tps: maximum tps with ml-kem1024 PQC keys
- slh-dsa1-*-tps: maximum tps with slh-dsa1 PQC keys
- slh-dsa3-*-tps: maximum tps with slh-dsa3 PQC keys
- slh-dsa5-*-tps: maximum tps with slh-dsa5 PQC keys

In some cases, a special administrative license (full lic) can be used to enable all the equipment's capabilities (it is identified by a specific GUID ).

License Installation

The procedure with the steps for installing the licenses is available in the topic Installing Licenses.