Enabling and Disabling CPv4 Cipher Suites

Cipher suites for Cloning Protocol version 4 (CPv4) are used for cloning to and from partitions, provided the individual suites are enabled for a partition and the use of CPv4 is not prevented by CPv1 being active (see Allow CPv1).

NOTE   Use of CPv4 requires that the HSM time be set before any cloning operation is attempted that invokes the protocol.

It is recommended to have the host synchronized to a secure NTP or NTS server before synchronizing the HSM time to the host time.

Use the hsm time commands.

By default, eight CPv4 cipher suites are available and active, and the system negotiates the best (most secure) suite for the current cloning operation, based on which suites are enabled on both the source and target partitions. If you have reason to do so, you can disable some cipher suites, which reduces negotiation time among those that remain enabled. You can also re-enable cloning cipher suites that have been disabled.

To show the current status of enabled and disabled cipher suites

1. Run the partition ciphershow command.

lunacm:> partition ciphershow

NOTE: Allow CPv1 policy 42 is turned off.

 Cipher ID    Cipher Suite                                            Enabled
__________________________________________________________________________________

 0            CPv3 RSA-4096-PKCS-SHA2-384 AES-256-GCM                 Yes

 1            CPv4 ECDSA-P521-SHA2-512 ECDH-P521-SHA2-512 AES-256-GCM Yes

 2            CPv4 ECDSA-P521-SHA2-512 ECDH-P521-SHA2-512             Yes
              AES-256-CTR-HMAC-SHA2-512

 3            CPv4 ECDSA-BP512-SHA2-512 ECDH-BP512-SHA2-512           Yes
              AES-256-GCM

 4            CPv4 ECDSA-BP512-SHA2-512 ECDH-BP512-SHA2-512           Yes
              AES-256-CTR-HMAC-SHA2-512

 5            CPv4 ECDSA-P521-SHA3-512 ECDH-P521-SHA3-512 AES-256-GCM Yes

 6            CPv4 ECDSA-P521-SHA3-512 ECDH-P521-SHA3-512             Yes
              AES-256-CTR-HMAC-SHA3-512

 7            CPv4 ECDSA-BP512-SHA3-512 ECDH-BP512-SHA3-512           Yes
              AES-256-GCM

 8            CPv4 ECDSA-BP512-SHA3-512 ECDH-BP512-SHA3-512           Yes
              AES-256-CTR-HMAC-SHA3-512

 9            CPv4 ECDSA-P521-SHA2-512 ECDH-P521-ML-KEM1024-SHA2-512  Yes
              AES-256-GCM

 10           CPv4 ECDSA-P521-SHA2-512 ECDH-P521-ML-KEM1024-SHA2-512  Yes
              AES-256-CTR-HMAC-SHA2-512

 11           CPv4 ECDSA-BP512-SHA2-512                               Yes
              ECDH-BP512-ML-KEM1024-SHA2-512 AES-256-GCM

 12           CPv4 ECDSA-BP512-SHA2-512                               Yes
              ECDH-BP512-ML-KEM1024-SHA2-512
              AES-256-CTR-HMAC-SHA2-512

 13           CPv4 ECDSA-P521-SHA3-512 ECDH-P521-ML-KEM1024-SHA3-512  Yes
              AES-256-GCM

 14           CPv4 ECDSA-P521-SHA3-512 ECDH-P521-ML-KEM1024-SHA3-512  Yes
              AES-256-CTR-HMAC-SHA3-512

 15           CPv4 ECDSA-BP512-SHA3-512                               Yes
              ECDH-BP512-ML-KEM1024-SHA3-512 AES-256-GCM

 16           CPv4 ECDSA-BP512-SHA3-512                               Yes
              ECDH-BP512-ML-KEM1024-SHA3-512
              AES-256-CTR-HMAC-SHA3-512



Command Result : No Error

The output shown for your partition might vary from the example above. If the output from the command shows only 8 ciphers, you have an older firmware version; update your HSM firmware and client to get support for the additional ciphers.
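The negotiation rule described above (only suites enabled on both partitions can be chosen) and the wrapped ciphershow layout, as an added Python example that is not Thales code: it parses a constructed ciphershow listing, models cipherdisable, and picks the shared suite. The preference ranking in rank() is an assumption for the example; the HSM's actual ordering is not documented on this page.

```python
import re

# Constructed sample in the wrapped layout lunacm prints for `partition ciphershow`
# (IDs and names as on this page; ID 1 already disabled; rows 2 and 9 wrap onto a second line).
SAMPLE = """\
 Cipher ID    Cipher Suite                                            Enabled
__________________________________________________________________________________
 0            CPv3 RSA-4096-PKCS-SHA2-384 AES-256-GCM                 Yes
 1            CPv4 ECDSA-P521-SHA2-512 ECDH-P521-SHA2-512 AES-256-GCM No

 2            CPv4 ECDSA-P521-SHA2-512 ECDH-P521-SHA2-512             Yes
              AES-256-CTR-HMAC-SHA2-512

 9            CPv4 ECDSA-P521-SHA2-512 ECDH-P521-ML-KEM1024-SHA2-512  Yes
              AES-256-GCM

Command Result : No Error
"""

ROW = re.compile(r"^\s*(\d+)\s+(.+?)\s+(Yes|No)\s*$")

def parse_ciphershow(text):
    """Map cipher ID -> (suite name, enabled), re-joining the continuation
    lines that lunacm wraps underneath long suite names."""
    suites, current = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            current = int(m.group(1))
            suites[current] = [m.group(2), m.group(3) == "Yes"]
        elif current is not None and line.startswith(" " * 10) and line.strip():
            suites[current][0] += " " + line.strip()   # wrapped tail of the name
        else:
            current = None                             # blank line/footer ends a row
    return {cid: (name, on) for cid, (name, on) in suites.items()}

def disable(suites, *ids):
    """Model `partition cipherdisable -id N` on a copy of the parsed table."""
    return {cid: (name, on and cid not in ids) for cid, (name, on) in suites.items()}

def rank(name):
    """Hypothetical preference for this example only: hybrid ML-KEM suites first,
    then other CPv4 suites, then CPv3. The HSM's real ordering is not on this page."""
    return 0 if "ML-KEM" in name else 1 if name.startswith("CPv4") else 2

def negotiate(source, target):
    """Return the ID the two partitions would agree on: the best-ranked suite
    enabled on both, or None when nothing is shared and cloning cannot proceed."""
    shared = [cid for cid, (_, on) in source.items()
              if on and cid in target and target[cid][1]]
    return min(shared, key=lambda cid: (rank(source[cid][0]), cid), default=None)
```

A None result is the check to run before a cloning job: it means the two partitions have no enabled suite in common, and a result of 0 means only the CPv3 suite remains shared.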

To disable a cipher suite

1. Run the partition cipherdisable command with the ID of the cloning cipher suite you want to disable.

lunacm:> partition cipherdisable -id 1
CPv4 ECDSA-P521-SHA2-512 ECDH-P521-SHA2-512 AES-256-GCM is now disabled

Command Result : No Error

2. Run the partition ciphershow command to verify the result.

lunacm:> partition ciphershow

NOTE: Allow CPv1 policy 42 is turned off.

 Cipher ID    Cipher Suite                                            Enabled
__________________________________________________________________________________

 0            CPv3 RSA-4096-PKCS-SHA2-384 AES-256-GCM                 Yes

 1            CPv4 ECDSA-P521-SHA2-512 ECDH-P521-SHA2-512 AES-256-GCM No

 2            CPv4 ECDSA-P521-SHA2-512 ECDH-P521-SHA2-512             Yes
              AES-256-CTR-HMAC-SHA2-512

 3            CPv4 ECDSA-BP512-SHA2-512 ECDH-BP512-SHA2-512           Yes
              AES-256-GCM

 4            CPv4 ECDSA-BP512-SHA2-512 ECDH-BP512-SHA2-512           Yes
              AES-256-CTR-HMAC-SHA2-512

 5            CPv4 ECDSA-P521-SHA3-512 ECDH-P521-SHA3-512 AES-256-GCM Yes

 6            CPv4 ECDSA-P521-SHA3-512 ECDH-P521-SHA3-512             Yes
              AES-256-CTR-HMAC-SHA3-512

 7            CPv4 ECDSA-BP512-SHA3-512 ECDH-BP512-SHA3-512           Yes
              AES-256-GCM

 8            CPv4 ECDSA-BP512-SHA3-512 ECDH-BP512-SHA3-512           Yes
              AES-256-CTR-HMAC-SHA3-512

 9            CPv4 ECDSA-P521-SHA2-512 ECDH-P521-ML-KEM1024-SHA2-512  Yes
              AES-256-GCM

 10           CPv4 ECDSA-P521-SHA2-512 ECDH-P521-ML-KEM1024-SHA2-512  Yes
              AES-256-CTR-HMAC-SHA2-512

 11           CPv4 ECDSA-BP512-SHA2-512                               Yes
              ECDH-BP512-ML-KEM1024-SHA2-512 AES-256-GCM

 12           CPv4 ECDSA-BP512-SHA2-512                               Yes
              ECDH-BP512-ML-KEM1024-SHA2-512
              AES-256-CTR-HMAC-SHA2-512

 13           CPv4 ECDSA-P521-SHA3-512 ECDH-P521-ML-KEM1024-SHA3-512  Yes
              AES-256-GCM

 14           CPv4 ECDSA-P521-SHA3-512 ECDH-P521-ML-KEM1024-SHA3-512  Yes
              AES-256-CTR-HMAC-SHA3-512

 15           CPv4 ECDSA-BP512-SHA3-512                               Yes
              ECDH-BP512-ML-KEM1024-SHA3-512 AES-256-GCM

 16           CPv4 ECDSA-BP512-SHA3-512                               Yes
              ECDH-BP512-ML-KEM1024-SHA3-512
              AES-256-CTR-HMAC-SHA3-512



Command Result : No Error

To enable a cipher suite

1. Run the partition cipherenable command with the ID of the cloning cipher suite you want to enable.

lunacm:> partition cipherenable -id 1
CPv4 ECDSA-P521-SHA2-512 ECDH-P521-SHA2-512 AES-256-GCM is now enabled

Command Result : No Error

2. Run the partition ciphershow command to verify the result.

lunacm:> partition ciphershow

NOTE: Allow CPv1 policy 42 is turned off.

 Cipher ID    Cipher Suite                                            Enabled
__________________________________________________________________________________

 0            CPv3 RSA-4096-PKCS-SHA2-384 AES-256-GCM                 Yes

 1            CPv4 ECDSA-P521-SHA2-512 ECDH-P521-SHA2-512 AES-256-GCM Yes

 2            CPv4 ECDSA-P521-SHA2-512 ECDH-P521-SHA2-512             Yes
              AES-256-CTR-HMAC-SHA2-512

 3            CPv4 ECDSA-BP512-SHA2-512 ECDH-BP512-SHA2-512           Yes
              AES-256-GCM

 4            CPv4 ECDSA-BP512-SHA2-512 ECDH-BP512-SHA2-512           Yes
              AES-256-CTR-HMAC-SHA2-512

 5            CPv4 ECDSA-P521-SHA3-512 ECDH-P521-SHA3-512 AES-256-GCM Yes

 6            CPv4 ECDSA-P521-SHA3-512 ECDH-P521-SHA3-512             Yes
              AES-256-CTR-HMAC-SHA3-512

 7            CPv4 ECDSA-BP512-SHA3-512 ECDH-BP512-SHA3-512           Yes
              AES-256-GCM

 8            CPv4 ECDSA-BP512-SHA3-512 ECDH-BP512-SHA3-512           Yes
              AES-256-CTR-HMAC-SHA3-512

 9            CPv4 ECDSA-P521-SHA2-512 ECDH-P521-ML-KEM1024-SHA2-512  Yes
              AES-256-GCM

 10           CPv4 ECDSA-P521-SHA2-512 ECDH-P521-ML-KEM1024-SHA2-512  Yes
              AES-256-CTR-HMAC-SHA2-512

 11           CPv4 ECDSA-BP512-SHA2-512                               Yes
              ECDH-BP512-ML-KEM1024-SHA2-512 AES-256-GCM

 12           CPv4 ECDSA-BP512-SHA2-512                               Yes
              ECDH-BP512-ML-KEM1024-SHA2-512
              AES-256-CTR-HMAC-SHA2-512

 13           CPv4 ECDSA-P521-SHA3-512 ECDH-P521-ML-KEM1024-SHA3-512  Yes
              AES-256-GCM

 14           CPv4 ECDSA-P521-SHA3-512 ECDH-P521-ML-KEM1024-SHA3-512  Yes
              AES-256-CTR-HMAC-SHA3-512

 15           CPv4 ECDSA-BP512-SHA3-512                               Yes
              ECDH-BP512-ML-KEM1024-SHA3-512 AES-256-GCM

 16           CPv4 ECDSA-BP512-SHA3-512                               Yes
              ECDH-BP512-ML-KEM1024-SHA3-512
              AES-256-CTR-HMAC-SHA3-512



Command Result : No Error