ibm-cloud-docs / hs-crypto


Warn reader about risks of leaving NEW MASTER KEY REGISTER in Full Uncommitted state #52

Closed silliman closed 1 year ago

silliman commented 1 year ago

Between step 5 "Load the new master key register" and step 6 "Commit the new master key register" the NEW MASTER KEY REGISTER is in "Full Uncommitted" state. Evidently with use of the GREP11 Server many EP11 operations fail while the NEW MASTER KEY REGISTER is in this "Full Uncommitted" state.

Since this is not documented, there is a risk of an outage if an administrator does step 5, and then, for whatever reason, unwittingly stops at this step and leaves it in this state for an extended period of time because they were not aware of this situation.

I would suggest that if there can't be a code change to avoid this situation, that at least the documentation be changed to add a warning to the reader about the need to quickly perform step 6 right after step 5 (unless of course they have their reasons to pause in between, but they should be aware of the risk).

I am referring to these steps:

https://cloud.ibm.com/docs/hs-crypto?topic=hs-crypto-initialize-hsm#step5-load-master-key
https://cloud.ibm.com/docs/hs-crypto?topic=hs-crypto-initialize-hsm#step6-commit-master-key
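To make the window described above concrete, here is an added example (not code from the hs-crypto docs or the GREP11 server) that models a crypto unit's master key registers and raises an alert when the NEW register has sat in "Full Uncommitted" longer than an operator-chosen limit; the "Empty" and "Full Committed" state names and the seconds-based timestamps are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Optional

# Register states. "Full Uncommitted" is the state named in the issue;
# "Empty" and "Full Committed" are assumed names for the other two states.
EMPTY = "Empty"
FULL_UNCOMMITTED = "Full Uncommitted"
FULL_COMMITTED = "Full Committed"


@dataclass
class CryptoUnit:
    """Constructed model of one crypto unit's NEW master key register."""
    new_register: str = EMPTY
    uncommitted_since: Optional[float] = None  # seconds, set at step 5

    def load_new_master_key(self, now: float) -> None:
        """Step 5: loading the key parts leaves NEW in Full Uncommitted."""
        self.new_register = FULL_UNCOMMITTED
        self.uncommitted_since = now

    def commit_new_master_key(self) -> None:
        """Step 6: committing ends the hazardous intermediate state."""
        if self.new_register != FULL_UNCOMMITTED:
            raise ValueError("NEW register is not Full Uncommitted; nothing to commit")
        self.new_register = FULL_COMMITTED
        self.uncommitted_since = None

    def operations_blocked(self) -> bool:
        """The behaviour reported in the issue: while NEW is Full Uncommitted,
        GREP11/EP11 operations fail, even those using the CURRENT master key."""
        return self.new_register == FULL_UNCOMMITTED


def check_uncommitted(unit: CryptoUnit, now: float, limit_seconds: float) -> Optional[str]:
    """Return an alert if NEW has been Full Uncommitted longer than limit_seconds."""
    if not unit.operations_blocked() or unit.uncommitted_since is None:
        return None
    age = now - unit.uncommitted_since
    if age <= limit_seconds:
        return None
    return (f"NEW MASTER KEY REGISTER has been Full Uncommitted for {age:.0f}s; "
            f"cryptographic operations are failing until step 6 (commit) runs")
```

Run the check from whatever job polls register state after a step 5 load; the threshold should be short enough that a forgotten step 6 is noticed before users see failures.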

liuxjep commented 1 year ago

@silliman Hi Barry. Thanks for the suggestion. I have added the following note at the beginning of step 6:

Please check it out at: https://test.cloud.ibm.com/docs/hs-crypto?topic=hs-crypto-initialize-hsm#step6-commit-master-key and let me know whether you have further comments. Thanks.

silliman commented 1 year ago

This is good, but, at least for the GREP11 API, leaving the NEW MASTER KEY register in "full uncommitted" state also makes the "CURRENT MASTER KEY" unusable for most operations, so this impacts usage of the service even after the service instance is initialized.

liuxjep commented 1 year ago

@silliman So can I say it like this: "Otherwise, you will not be able to initialize your service instance and perform cryptographic operations with GREP11 API or PKCS #11 API."?

silliman commented 1 year ago

Since this situation can occur long after the service instance is initialized, I would suggest changing 'and' to 'or', that is,

Otherwise, you will not be able to initialize your service instance or perform cryptographic operations with GREP11 API or PKCS #11 API

liuxjep commented 1 year ago

@silliman Updated. Thanks!