Converting pre-7.7.0 partitions to V0, or V0 partitions to V1
CAUTION! Be sure to back up any important keys and objects.
Guidelines and Tips when partitions are part of an HA group
Refer to General guidelines for updating or converting of HA member partitions.
To convert from pre-7.7.0 to V0
If you have application partitions on your pre-firmware 7.7.0 HSM that you wish to convert to V0, do the following:
1. Update at least one client computer to Luna HSM Client version 10.3.0 or newer. The newer client works with both current and older HSM firmware and Network HSM appliance software. To update an existing client installation, uninstall it and then install the newer version; the configuration and certificate files are preserved.
2. Update the HSM firmware. Either update to the ready version that accompanied the HSM software, or acquire from the Support Portal and install the latest 7.7.0-or-newer firmware that has been FIPS-validated (whichever is desired). See Updating the Luna PCIe HSM Firmware.
3. As part of the firmware update process from pre-7.7.0 firmware to 7.7.0 (or newer), any existing partitions are converted to V0, which adds key attributes where appropriate, and increases the HSM memory and the partition size to accommodate the new overhead requirements.
To convert from V0 to V1
1. Have the chosen partition visible in lunacm.
2. Select that partition with the lunacm command: slot set -slot <slot number>
3. [Optional] Show the current partition policy values and verify that policy 41 is set to version 0: partition showpolicies
4. Log into the partition as the Partition Security Officer: role login -name po
5. Change the value of policy 41 to version 1: partition changepolicy -policy 41 -value 1
To convert from V1 to V0
1. Back up any valuable keys or objects.
CAUTION! This operation, going from V1 back to V0, is destructive. All objects on the partition are destroyed, as well as the SMK(s). If any valuable objects were created and archived from a version one (V1) partition, then they must have been SKS-stored off the HSM, and the SMK that encrypted those objects must be preserved on a Backup HSM or in another partition (that remains at V1), if those objects might ever be needed in future.
If no valuable SKS blobs have been encrypted by the partition's current SMK, then there is no need for backup.
2. Have the chosen partition visible in lunacm.
3. Select that partition with the lunacm command: slot set -slot <slot number>
4. [Optional] Show the current partition policy values and verify that policy 41 is set to version 1: partition showpolicies
5. Log into the partition as the Partition Security Officer: role login -name po
6. Change the value of policy 41 to version 0: partition changepolicy -policy 41 -value 0
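A pre-flight check for the two policy 41 procedures above (V0 to V1 and V1 to V0), added here as an example and not taken from the Luna documentation. It assumes the output of partition showpolicies was saved to a text file in the layout of the constructed sample; the function names and the "backed-up" acknowledgement word are hypothetical. It prints the lunacm commands from the steps above only when the change applies, and refuses the destructive V1 to V0 change without an explicit backup confirmation.

```shell
# Added example; assumes `partition showpolicies` output was saved to a file and
# uses "<id>: <description> : <value>" lines under a "Partition Policies" heading.

# Constructed sample output (not captured from a real HSM).
sample_showpolicies() {
cat <<'EOF'
        Partition Capabilities
                 0: Enable private key cloning : 1
                41: Enable partition version : 1
        Partition Policies
                 0: Allow private key cloning : 1
                41: Partition version : 0
EOF
}

# Print the value of policy 41 from the Policies section only. The
# Capabilities section can carry its own id 41 line, which must be skipped.
policy41_value() {
    awk '
        /Partition Capabilities/ { in_pol = 0 }
        /Partition Policies/     { in_pol = 1; next }
        in_pol && $1 == "41:"    { print $NF; found = 1; exit }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# plan_conversion <showpolicies-file> <slot> <target 0|1> [backed-up]
# Prints the lunacm commands for the change, or refuses with a reason.
plan_conversion() {
    file=$1; slot=$2; target=$3; ack=${4:-}
    case $slot in ''|*[!0-9]*) echo "slot must be numeric" >&2; return 2 ;; esac
    case $target in 0|1) ;; *) echo "target must be 0 or 1" >&2; return 2 ;; esac
    current=$(policy41_value "$file") || { echo "policy 41 not found" >&2; return 3; }
    if [ "$current" = "$target" ]; then
        echo "partition is already at V$target" >&2; return 4
    fi
    # V1 -> V0 destroys all objects and the SMK(s): require an explicit ack.
    if [ "$target" = 0 ] && [ "$ack" != "backed-up" ]; then
        echo "V1 -> V0 is destructive; confirm backups first" >&2; return 5
    fi
    printf '%s\n' "slot set -slot $slot" "role login -name po" \
        "partition changepolicy -policy 41 -value $target"
}
```

Example call: plan_conversion saved_policies.txt 3 0 backed-up, where saved_policies.txt is a hypothetical file holding the showpolicies output for the partition in slot 3.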