SafeNet Network HSM Tools
HANDS ON: LUNA 7
CPL Technical Training
Contents
Overview 3
  Prerequisites 3
  Duration 3
  Objective 3
CKDemo 4
  Create a File for Encryption 4
  Run CKDEMO 4
  Create an Encryption Key 4
  Encrypt a File 5
  Decrypt a File 5
Multitoken 6
CMU 7
CPL Technical Training Documentation 2
Copyright © 2019 Gemalto, All rights reserved. The information contained in this document is intended solely for your personal reference and for learning
purposes. Such information is subject to change without notice, its accuracy is not guaranteed, and it may not contain all material information concerning
Gemalto (the “Company”). The Company makes no representation regarding, and assumes no responsibility or liability for, the accuracy or completeness
of, or any errors or omissions in, any information contained herein. In addition, the information contains projections and forward-looking statements that
may reflect the Company’s current views with respect to future events. These views are based on current assumptions which are subject to various risks
and which may change over time.
Overview
Prerequisites
For this exercise, you will need:
Installed Luna Client
Activated Partition
Activated PO and CO
Duration
This training course is approximately 1 hour.
Objective
In this exercise, you will:
Use different tools provided with the Luna Client.
By the end of this exercise, you should be able to:
Demonstrate some of the HSM functionality using the provided system utilities.
CKDemo
Create a File for Encryption
1. Open a new command prompt window as an administrator:
a. Click Start, type 'cmd', right-click the cmd icon, and then choose Run as administrator.
2. Navigate to the Luna Client directory:
a. Run 'cd c:\Program Files\SafeNet\LunaClient'
3. Create a new text file, and fill it with any information you desire (could be any random text).
4. Save this file in the Luna Client directory under the name [Link].
Run CKDEMO
NOTE: When using CKDemo, the terminal will always redirect to the end of the screen buffer and display 'Status: Doing great, no errors (CKR_OK)' before awaiting the next command. This is the normal behavior. To review the output of a previously executed command, scroll up.
1. In the command prompt, run 'ckdemo' to launch CKDemo.
2. Open a session to the HSM:
a. Press 1 to open a session.
b. If your client is registered to multiple partitions, select the appropriate one; otherwise it defaults to the only registered partition.
3. Log in to your partition:
a. Press 3 to login.
b. Press 1 to select the Crypto Officer role.
c. Enter the CO's password (should be newPa$$w0rd).
Create an Encryption Key
1. Create an encryption key:
a. Press 45 to generate a simple key.
b. Press 16 to generate an AES encryption key.
c. Specify the key length as 32.
d. Press 1 for all the attribute questions.
2. Get the encryption key handle:
a. Press 27 to display the object.
b. Press 0 to display all objects in the partition.
c. Note the handle number of your previously generated key.
3. You are required to select a handle. Press the handle number to display the key.
Encrypt a File
1. Start the encryption process:
a. Press 40 to encrypt your file.
b. Select option 29 that matches our AES key [AES-CBC-PAD].
c. Type the name of your text file, [Link]
d. Enter the key handle number from the previous section (Create an Encryption Key).
2. View your file:
a. Your file was encrypted into a new file named [Link]
b. Open the file in a text editor (e.g., Notepad++) and view it; the ciphertext appears as random bytes.
Example: (screenshot of the encrypted file not reproduced here)
Decrypt a File
1. Start the decryption process:
a. Press 41 to decrypt your file.
b. Select option 29 that matches our AES key [AES-CBC-PAD].
c. Type the name of your text file, [Link]
d. Enter the key handle of your encryption key.
2. View your file:
a. Your file was decrypted into a new file named [Link]
b. Open the file in a text editor, and view it. It is now in its decrypted format.
3. Press 0 to exit CKDemo.
Multitoken
Our objective is to run 30 threads on slot #0, use an RSA key with the length of 2048 bytes, and perform key signing.
1. Run '[Link] -mode rsasigver -key 2048 -ns 0x30 -noverify'
2. Enter Y when prompted if you want to continue.
3. Enter the partition password: newPa$$w0rd
4. Enter Ctrl-C to finish after running for a minute.
CMU
Our objective is to create a self-signed certificate on the HSM.
1. Generate new RSA key pair via CMU:
a. Run 'cmu generatekeypair -modulusBits=2048 -publicExp=65537 -labelPublic=myPublic -labelPrivate=myPrivate -sign=T -verify=T'
b. Enter the partition password: newPa$$w0rd
c. Select option 1 for PKCS.
2. View your created keys and make a note of their handle numbers:
a. Run 'cmu list'.
b. Enter the partition password: newPa$$w0rd
3. Create a certificate:
a. Run 'cmu selfsigncertificate -publichandle=ID -privatehandle=ID -startDate=2019MMDD -endDate=2023MMDD -serialNum=0133337f'
NOTE: You must edit the command above before executing it: enter your own unique public/private key handle IDs listed in the previous step, and enter the date values.
b. Enter the partition’s password: newPa$$w0rd
c. Fill in the required details for the certificate.
NOTE: You can enter your own certificate values for testing purposes.
4. Run 'cmu list' to verify your certificate was created.
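The CMU sequence above can be scripted so that the key handles and the YYYYMMDD dates are filled in automatically instead of by hand. The script below is an added example for this exercise, not part of the Gemalto training material or the Luna Client; it assumes cmu.exe sits in the Luna Client directory, that cmu accepts a -password= argument and the -CN/-O subject options, and that 'cmu list' prints one object per line as "handle=<n> label=<label>".

```powershell
# Added example (not Gemalto's code): automates the CMU self-signed certificate steps.
# Assumptions: cmu.exe path below, cmu -password=<pw> option, -CN/-O subject options,
# and 'cmu list' output lines of the form "handle=<n>  label=<label>".
$ErrorActionPreference = 'Stop'
$Cmu = Join-Path 'C:\Program Files\SafeNet\LunaClient' 'cmu.exe'

# Prompt once for the Crypto Officer (partition) password rather than hard-coding it.
$Secure = Read-Host -Prompt 'Partition (CO) password' -AsSecureString
$Bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
$Plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)

# 1. Generate the 2048-bit RSA key pair with the labels used in the exercise.
& $Cmu generatekeypair -modulusBits=2048 -publicExp=65537 `
    -labelPublic=myPublic -labelPrivate=myPrivate -sign=T -verify=T -password=$Plain
if ($LASTEXITCODE -ne 0) { throw "cmu generatekeypair failed (exit $LASTEXITCODE)" }

# 2. Parse 'cmu list' and pick each handle by its label (assumed output format).
function Get-CmuHandle {
    param([string[]]$Listing, [string]$Label)
    foreach ($line in $Listing) {
        if ($line -match 'handle=(\d+)\s+label=(\S+)' -and $Matches[2] -eq $Label) {
            return [int]$Matches[1]
        }
    }
    throw "No object labelled '$Label' found in cmu list output"
}
$Listing = & $Cmu list -password=$Plain
$Pub  = Get-CmuHandle -Listing $Listing -Label 'myPublic'
$Priv = Get-CmuHandle -Listing $Listing -Label 'myPrivate'

# 3. Build the validity window in the YYYYMMDD form cmu expects (today + 4 years).
$Start = (Get-Date).ToString('yyyyMMdd')
$End   = (Get-Date).AddYears(4).ToString('yyyyMMdd')
& $Cmu selfsigncertificate -publichandle=$Pub -privatehandle=$Priv `
    -startDate=$Start -endDate=$End -serialNum=0133337f `
    -CN=training.example -O='CPL Technical Training' -password=$Plain
if ($LASTEXITCODE -ne 0) { throw "cmu selfsigncertificate failed (exit $LASTEXITCODE)" }

# 4. Verify: the new certificate object should now appear alongside the key pair.
& $Cmu list -password=$Plain
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)
```

Passing -password= places the CO credential on the command line, where other local processes can read it; on a shared host, drop that argument and let cmu prompt for the password interactively instead.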