Partition Authorization
Allows you to change the status of partitions configured for M of N authentication.
The status of the partitions can be changed to associate them with a set of cards and also to authorize an already associated partition.
Cryptographic keys can be created while the partition is in an unauthorized state and can be used effectively when authorization is granted.
After entering the id of the partition (this is the same as the user id), a screen will appear informing you of the current state of the partition, the permissions currently configured and options that allow you to change the state.
The actions possible with the partition keys are defined according to the permissions enabled and the status. For example, the Key Export permission may be enabled, but an (exportable) partition key can only be exported when it is in the Associated, Authorized state. The following table shows the possible actions depending on the status and permissions.
To change state, you need to present the set of cards from set M of N and enter the partition's password credential.
Info
If the HSM is part of a Replication Domain, the state change in the partition will be replicated to the other nodes.
The service must be running during the change of state.
The possible permissions for the partition are:
- Key Read: implicit, cannot be changed;
- Key Export: allows keys to be exported, provided they have the exportable attribute;
- Key Destroy: allows keys to be destroyed;
- Key Block: allows keys to be blocked, preventing them from being used, even when authorized;
- Partition Remove: allows the complete removal of the partition and destruction of all the keys on it, and includes the Key Destroy permission;
The actions allowed and authorized for the keys are executed via API or remote console.
The figure below illustrates the state transitions.
---
title: Transições de estado na autorização de partições
---
%%{ init: { 'flowchart': { 'curve': 'basis' } } }%%
stateDiagram-v2
state "Not Associated, Not Authorized<br><center><small><small>-Geração de chaves" as na_na
state "Associated, Not Authorized<br><center><small><small>-Geração de chaves<br>-Bloqueio de chaves<br>-Destruição de chaves<br>-Remoção da Partição" as a_na
state "Associated, Authorized<br><center><small><small>-Operações com as chaves<br>-Exportação das chaves" as a_a
na_na --> a_na: <center><small>card<br>set<br>
a_na --> a_a: <center><small>card<br>set
a_a --> a_na: <center><small>card<br>set
a_na --> na_na: <center><small>card<br>set
a_a --> a_a: <small><center><small>card<br>set<br><br>(Para mudança<br>nas permissões)
The table below shows the possible actions and the necessary conditions (status and permissions) for them to be carried out successfully.
Warning
The state of the partition is maintained between reboots of the HSM.
| Action | Partition status | Necessary permission enabled |
|---|---|---|
| Key generation | Not Associated, Not Authorized or Associated, Not Authorized | - |
| Locking keys | Associated, Not Authorized | Key Block |
| Key destruction | Associated, Not Authorized | Key Destroy |
| Complete partition removal | Associated, Not Authorized | Partition Remove (destroy all keys) |
| Key export | Associated, Authorized | Key Export |
| Use of keys (cryptography) | Associated, Authorized | - |
