IBM Cloud Docs
IBM Cloud Hardware Security Module Roles

The following sections outline the roles that access the IBM Cloud® Hardware Security Module (HSM) and the cryptographic engine within or connected to the host.

Mandatory roles

The following roles are mandatory if you want to access the IBM Cloud® HSM.

  • HSM Security Officer (SO) is responsible for initialization of the HSM, setting and changing of HSM policies, and creating or deleting application partitions.
  • Partition Security Officer (PO) is responsible for initializing the Crypto Officer role on the partition, resetting passwords, and setting and changing partition-level policies.
  • Crypto Officer (CO) is responsible for initializing the Crypto User role and for creating and modifying cryptographic objects in the HSM partition.

Optional roles

The following roles are optional if you want to access the IBM Cloud® HSM.

  • Auditor (Au) is responsible for managing HSM audit logging, independent from the other roles on the HSM.
  • Crypto User (CU) is responsible for using existing cryptographic objects (encrypt, decrypt, sign, verify, and more) in the HSM partition without being able to create, delete, or modify them.

Enhanced Cryptoki Model

The separation of roles on the SafeNet Luna Network HSM follows an enhanced Cryptoki model for the following roles:

HSM Security Officer (SO)

The HSM SO has control of the HSM within the SafeNet Luna Network HSM appliance. To access HSM SO functions, you must first log in as appliance admin.

In addition to all the other appliance functions, a user who is authenticated with the HSM SO credential can do the following actions:

  • Create and delete partitions
  • Back up and restore the HSM
  • Change HSM policies

Partition Security Officer (PO)

The Partition Security Officer has control of one or more partitions (virtual HSMs) within the SafeNet Luna Network HSM. To access Partition SO functions, you must log in by using the LunaCM utility on a registered client computer. The Partition SO, when logged in to the partition, can do the following actions:

  • Modify partition policies
  • Back up and restore partition contents
  • Initialize the Crypto Officer role

Crypto Officer (CO)

The Crypto Officer has full read/write access to the partition through the LunaCM utility on a registered client computer. The Crypto Officer partition credential allows a client application to perform any cryptographic operation, including the following operations:

  • Create and delete keys
  • Wrap and unwrap
  • Encrypt and decrypt
  • Sign and verify

The Crypto Officer can also initialize the optional Crypto User role.

Crypto User (CU)

The Crypto User is a restricted, use-only client role. After initialization, the authenticated Crypto User can use the keys and other cryptographic objects that exist on the partition, but can't create, delete, or modify those objects.

The Crypto User role is optional. If you don't have a security requirement for this role, the CU role can remain uninitialized and all client applications can access the partition by using the Crypto Officer credential. Note that the Crypto Officer credential carries full read/write access to the partition, so an application that only needs to use keys (for example, a signing service) runs with more privilege than it needs. Initializing the CU role and deploying only the CU credential to such application hosts limits what a compromised client can do with the partition: it can still use the keys, but it cannot delete them or create new objects.
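The sequence in which the partition-level roles hand off to each other (Partition SO initializes the Crypto Officer, Crypto Officer initializes the Crypto User, each role logs in with its own credential) is easiest to see as a LunaCM session. The following is an added example, not commands from the IBM Cloud page or from the Luna product documentation. It assumes a password-authenticated partition that the HSM SO has already created and that is registered to this client and visible as slot 0; the partition label `app-partition` is hypothetical, and every `role init`, `role login`, and `partition init` command prompts interactively for the password (and cloning domain) rather than taking it on the command line.

```text
# Added example: initializing the partition roles from a registered Luna client.
# Interactive LunaCM session; lines starting with lunacm:> are commands typed at
# the LunaCM prompt, passwords and the cloning domain are entered at the prompts
# that follow each command. Slot number and label are assumptions.

lunacm:> slot list
lunacm:> slot set -slot 0

# Partition Security Officer: initialize the partition (this sets the PO
# credential), then create the Crypto Officer role and review the policies
# that apply to it.
lunacm:> partition init -label app-partition
lunacm:> role login -name po
lunacm:> role init -name co
lunacm:> partition showpolicies
lunacm:> role logout

# Crypto Officer: log in with the CO credential and create the optional,
# use-only Crypto User role. The CO, not the PO, owns this step.
lunacm:> role login -name co
lunacm:> role init -name cu
lunacm:> role list
lunacm:> role logout

# Crypto User: confirm the restricted credential works. Under this login the
# partition accepts cryptographic operations with existing keys but refuses
# object creation, deletion, and modification.
lunacm:> role login -name cu
lunacm:> role list
lunacm:> role logout
```

Depending on the partition policies in force, the CO and CU may be required to replace the password the initializing role set before they can do anything else (`role changepw -name co` or `role changepw -name cu` while logged in as that role); the PO can later reset a forgotten CO password with `role resetpw -name co`. Client applications select the same roles through PKCS#11 `C_Login`: the standard `CKU_USER` user type logs in as Crypto Officer, and the Luna SDK's vendor-defined Crypto User type (named `CKU_CRYPTO_USER` in its `cryptoki.h`; the exact constant is an assumption here, check the SDK header) logs in as Crypto User, so the least-privilege deployment is to hand application hosts only the CU credential and keep the CO credential for key-management tooling.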