HSM initialization

The initialization of the HSM aims to prepare and customize it for operation in the operating environment. The basic aim is to generate the master key or Server Master Key on smart cards with an M of N secret sharing scheme and to establish a logical and unique relationship between this key and the HSM; this is what will enable the HSM to be activated and users to access the objects kept encrypted in their partitions.

The HSM leaves the factory in a state where it can be initialized and activated by any valid set of cards. The initialization process must ensure that the smart cards are saved with a Server Master Key known only to the administrator(s) and also that the HSM can only be activated from then on with these smart cards.

The Server Master Key is generated directly from the output of the HSM's Authorized DRBG (Deterministic Random Bit Generator).

The adoption of an M from N scheme allows the separation of responsibility during the activation process, in a powerful yet flexible way. In a secret-sharing scheme, the reconstruction of the Server Master Key requires a set of smart cards (rather than being recorded on a single card). The scheme is defined by first choosing the total number N of cards that will be generated and distributed, and then choosing the number of M cards within the total set that will need to be presented during the authentication phase of the HSM activation. The minimum set is 02 (two) smart cards. The cards within the generated set are idempotent, i.e. they have the same weight and contribute the same amount to the reconstruction of the Server Master Key, so there is no priority or preferential order during authentication and any of the generated cards can be presented in any order (the order followed in the generation is irrelevant). The HSM will only request the minimum set M sufficient to recover the Server Master Key. In any of the local console administration options where authentication is required, the set will need to be presented. The specific values of M and N are given when the Server Master Key is generated. HSM works with groups of N up to 250, and for example you can define schemes such as 2 out of 4, 3 out of 8, 2 out of 11, 5 out of 15, among others. More sophisticated schemes can be adopted, such as generating four cards in a 3 out of 4 scheme, giving two cards to one person and one card each to two other people. Thus, to activate and operate the HSM, the person with two cards and one of the two people who received one card each will need to be present. The two people, even together, who received one card each cannot retrieve the Server Master Key to operate the HSM, nor can the person alone with two cards.

---
title: Geração da Server Master Key
---

flowchart TD
    drbg[\Deterministic<br>Random Bit<br>Generator/]
    op((Operador))
    svmk([Server Master Key])
    split[esquema<br>M de N]
    card1(smart card 1)
    card2(smart card 2)
    cardn(smart card N)

    op --> drbg
    drbg --> svmk
    svmk --> split
    split -.-> card1
    split -.-> card2
    split -.-> cardn

After the first activation with the smart cards, a relationship is established between the HSM and the Server Master Key, and from then on only these Smart Cards (or a set of copies of them, created with the same seed) can be used for activation and management in the HSM. This relationship is persistently registered in the HSM and can only be removed by re-initializing the HSM database.

Attention

If the entire set or an M or larger subset of the smart cards is lost and there is no copy of the set, all objects created under the Server Master Key contained in the set cannot be recovered and will be irretrievably lost. The smart card has a limit of 06 (six) PIN attempts. On the seventh attempt, if the PIN is incorrect, the card will be DEFINITELY locked and can no longer be used. When the correct PIN is entered, the wrong attempt counter is reset to zero.

The initialization process is all done via the local console, using the smart cards. See the Local Console item for settings for the HSM's local console.

In a nutshell, the steps required for initialization are as follows:

  1. Define the parameters of the M of N scheme (choose how many cards will be used);
  2. Generate the Server Master Key;
  3. Make the first activation of the HSM.

Attention

The HSM is delivered with 02 (two) smart cards. If you decide to use an M of N scheme with more than two cards, please contact your supplier to purchase more smart cards.

If the Server Master Key generation process is interrupted, the HSM will display a message stating that the material for generation is invalid or incomplete, in which case the smart cards will not be able to activate the HSM.