Resetting a CipherTrust Manager
In some scenarios, you might wish to reset a CipherTrust Manager, deleting its data and restoring to a fresh state. There are a few ways to reset, depending on your access permissions to the CipherTrust Manager.
If you have completed full initialization of the appliance and can log in to the CLI or the REST API as the root
Admin
, those interfaces are preferred.If you can access the CipherTrust Manager through SSH or serial console, and login as the
ksadmin
user, you can use the kscfg system configuration utility to perform a system reset or system factory reset.If you have serial access to a physical CipherTrust Manager but cannot login as
ksadmin
, you can perform a zero knowledge factory reset.
Reset Through REST API or CLI
In the REST API, the root admin
can use POST with /v1/system/services/reset
to wipe all the data in CipherTrust Manager. You can optionally include "delay":integer
in the request body to set a delay in seconds. The default delay is 5 seconds.
In the ksctl CLI, the root admin
can run ksctl services reset
to wipe all the data in CipherTrust Manager. You can optionally include the --delay
flag to set a delay in seconds. The default delay is 5 seconds.
System Reset
The kscfg system reset
command can be used to perform a hard reset of the CipherTrust Manager.
Warning
This destructive operation wipes all data on the CipherTrust Manager and should be used with care.
Normally, the REST API or the CLI should be used for performing the reset. This method of performing the reset should be used as a last resort. This operation deletes all backup keys and the HSM configuration. It is good practice to do the following before running this command:
Create and download a backup of the database.
Download all the backup keys. Any backups downloaded from this device will not be useful without the backup keys.
Usage
kscfg system reset [flags]
Flags:
-f, --force When this flag is set, any errors encountered during reset are ignored, and the reset procedure
continues to the end. This flag must be used with care as it could place the system in an unuseable state. It
should be used when all else fails.
-h, --help help for reset
-y, --yes When this flag is set, all user prompts during the reset process are skipped. A default value
of 'yes' is used as the automatic response to all prompts.
Examples
kscfg system reset [-f] [-y]
Response:
This will perform a full reset of the CipherTrust Manager services.
WARNING - This is a destructive operation and will wipe all data in the CipherTrust Manager.
It will delete all backupkeys and the HSM configuration.
Normally, the REST API or the CLI should be used for performing the reset.
THIS METHOD OF PERFORMING THE RESET SHOULD BE USED AS A LAST RESORT.
It is good practice to perform the following steps prior to running this command:
1. Create and download a backup of the database.
2. Download all the backupkeys; any backups downloaded from this device will not be useful without the backupkeys.
Do you want to continue? [y/N] y
This will take some time, please wait
Device reset has started. It will take a few minutes to complete.
System Factory Reset
The kscfg system factory-reset
can be used on k470 and k570 appliance models to revert the system to its factory defaults.
Warning
This destructive operation wipes all data on the CipherTrust Manager, including keys, backups, backup keys, system configuration, and logs. It automatically reboots the appliance twice, before booting to the factory firmware version. The appliance's factory version may be below the currently running version. Several upgrades may be required to return to the currently running version. Do not manually power-off or reset the appliance while the factory-reset is in progress. This command must be used with care.
Note
This command expects the host-daemon system service to be up and running. However, if the host-daemon is not running or not in a good state, the factory-reset can be invoked from command line as ksadmin user by executing "sudo /opt/keysecure/ks_reset_to_factory.sh".
If you have a k570 appliance with embedded PCIe HSM, this command does not reset the HSM and the root of trust keys. This allows you to restore a previous CipherTrust Manager backup taken on the appliance. However, if you performed the factory reset to return the appliance to a fresh security state, and you don't intend to restore a backup, we strongly recommend resetting and re-initializing the HSM to create new root of trust keys. You reset the HSM using the lunaCM command “hsm factoryReset” and then re-initialize following the same HSM configuration process as used during first deployment.
Usage
kscfg system factory-reset [flags]
Flags:
-h, --help help for factory-reset
-y, --yes When this flag is set, all user prompts during the reset process are skipped. A default value
of 'yes' is used as the automatic response to all prompts.
Examples
kscfg system factory-reset [-y]
Response:
WARNING: This operation will revert the system to its factory defaults !!!
(1) This is a destructive operation that erases all CipherTrust Manager data including but not limited to keys, backups, backup keys, and system logs.
(2) Ensure that you have a valid CipherTrust Manager backup of all the data and backup key.
(3) If embedded HSM is available, it will not be reset as part of this operation.
Re-initialization of embedded HSM is highly recommended after this operation to configure it as the root of trust.
(4) If remote PED was used, it must be re-connected after completion.
(5) This operation may take up to 15 minutes. Make sure you have power backup in place.
(6) Access to the system will be unavailable. DO NOT restart the system during this time.
(7) This operation includes multiple system reboot.
(8) This operation CANNOT be undone.
Do you want to continue?
[y/N]
Adding Connector Licenses After System Reset
System reset changes the Connector Lock Code for the CipherTrust Manager. After system reset, any license files based on that earlier Connector Lock Code cannot be added. You can restore the earlier Connector Lock Code from a backup, or by adding the reset CipherTrust Manager node into a cluster with the earlier Connector Lock Code. Then, these license files can be added. As well, backup restore and cluster replication include previously installed licenses.
Zero Knowledge Factory Reset
This way of resetting an appliance requires no authentication. Zero knowledge factory reset is available for physical appliances only. To protect from misuse, this feature requires serial access to the appliance, and contact with Thales customer support.
Warning
This destructive operation wipes all data on the CipherTrust Manager, including keys, backups, backup keys, system configuration, and logs. It automatically reboots the appliance twice, before booting to the factory firmware version. The appliance's factory version may be below the currently running version. Several upgrades may be required to return to the currently running version. Do not manually power-off or reset the appliance while the factory-reset is in progress. This command must be used with care.
Open a serial connection to the appliance.
At the
ciphertrust login:
prompt enterfactoryreset
You are presented with the following options:
Options: 1. Initiate factory reset by generating a challenge from this system 2. Input response and perform factory reset
Enter
1
to generate a challenge request.Your choice: 1 Copy the following request to CipherTrust Manager support: <challenge_request_string>
Copy the challenge string and send it to Thales customer support.
Press
ENTER
in the serial session to return to the previous options.Once you have received a response text from customer support, enter
2
to input the response.Your choice: 2 Paste response text from support (end with an empty line): <support_response_string>
The following warning is displayed:
WARNING: This operation will revert the system to its factory defaults !!! (1) This is a destructive operation that erases all CipherTrust Manager data including but not limited to keys, backups, backup keys, and system logs. (2) Ensure that you have a valid CipherTrust Manager backup of all the data and backup key. (3) If embedded HSM is available, it will not be reset as part of this operation. Re-initialization of embedded HSM is highly recommended after this operation to configure it as the root of trust. (4) If remote PED was used, it must be re-connected after completion. (5) This operation may take up to 15 minutes. Make sure you have power backup in place. (6) Access to the system will be unavailable. DO NOT restart the system during this time. (7) This operation includes multiple system reboot. (8) This operation CANNOT be undone.
Type
proceed
to continue with the reset.