HSM Tamper Behavior
Tampering with the Appliance
Hardware tamper events are detectable events that imply intrusion into the appliance interior.
One such event is removal of the lid (top cover). The lid is secured by anti-tamper screws, so any event that lifts that lid is likely to be a serious intrusion.
Decommission
The red "Decommission" button recessed behind the back panel is not a tamper switch. Its purpose is different. See HSM Emergency Decommission Button for a description.
What Happens When You Tamper
First, the HSM disconnects and disallows any communication.
Second, the system turns on the "HSM Offline" alarm to alert system admins. This will happen within 30 seconds.
Third, if the system is unable to communicate with the HSM for 5 consecutive minutes, it restarts itself to ensure that all sensitive cached information is erased from the running system. If the system is still unable to communicate with the HSM after the restart, services are prevented from starting up and the status API reflects this problem. In addition, the GUI displays an error indicating a problem communicating with the HSM.
A tampered system does not recover by itself and requires the system admin to intervene. Recovering requires console access (for example SSH). If you are configured for PED authentication, you will also need access to the HSM PED and the corresponding HSM tokens (iKeys).
To clear a tamper flag on a Thales k570 local HSM
1. Make sure an HSM admin slot is selected.
   a. Run the /usr/safenet/lunaclient/bin/lunacm tool in the console as the system admin (ksadmin).
   b. Check the available slots:
      lunacm:> slot list
      Look for a slot with description "Admin Token Slot".
   c. Select the active slot:
      lunacm:> slot set -slot <number>
2. Verify that the system is unable to communicate with the HSM using this command:
   lunacm:> hsm tampershow
   Response:
   Driver command failed: Input/output error
   Failed to display tampers error=5.
   Command Result : No Error
3. An HSM restart is required before any operations can be performed against the HSM. Restart it using this command:
   lunacm:> hsm restart
   Note
   If the PED is connected to the system, it is required at this time to reconnect it by physically unplugging and reconnecting the USB cable; otherwise it will not be able to communicate with the HSM.
4. Make sure an HSM admin slot is selected. Refer to step 1 for details.
5. After the HSM has restarted, view the tamper event using this command:
   lunacm:> hsm tampershow
6. You can now clear the tamper flag using these commands:
   lunacm:> role login -name so
   lunacm:> hsm tamperclear
   At this point the HSM should be operational again.
Note
During tampering all cached HSM tokens are cleared. Therefore, any CipherTrust Manager attempt to log in to the HSM will trigger PED authentication. Re-authentication using the black PED key is required to get the appliance running again.
To clear a tamper flag on a TCT k570 local HSM
1. Power on the unit. If the unit was still running when the tamper occurred, power cycle the unit.
2. Connect to the unit over a serial cable and run the following as ksadmin:
   cd /usr/safenet/lunaclient/bin
   ./lunacm
   The HSM indicates it has been tampered.
3. If you are configured for Password Authentication, log in as the HSM/Security Officer to clear the tamper flag:
   lunacm:> hsm login
4. If you are configured for PED Authentication, use the following commands to clear the tamper flag:
   lunacm:> hsm login
   You are prompted for the HSM/Security Officer (blue) iKey.
   lunacm:> partition login
   You are prompted for the User (black) iKey.