Resetting a CipherTrust Manager
In some scenarios, you might wish to reset a CipherTrust Manager, deleting its data and restoring to a fresh state. There are a few ways to reset, depending on your access permissions to the CipherTrust Manager.
If you have completed full initialization of the appliance and can log in to the CLI or the REST API as the root
Admin
, those interfaces are preferred.If you can access the CipherTrust Manager through SSH or serial console, and login as the
ksadmin
user, you can use the kscfg system configuration utility to perform a system reset or system factory reset.If you have serial access to a physical CipherTrust Manager but cannot login as
ksadmin
, you can perform a zero knowledge factory reset.
We recommend REST API/CLI reset or kscfg system reset when the keysecure service cannot start application services due to corrupted data, or when the keysecure service cannot bootstrap the application.
We recommend kscfg system factory reset or Zero knowledge factory reset when CipherTrust Manager's host operating system or kernel is in a bad state.
Effects of Reset Methods
All reset methods reset CipherTrust Manager application configurations which are performed through the GUI, CLI, or REST API related to routine administration and key management. In general, the REST API/CLI reset and kscfg system reset
methods preserve configurations at the operating system level. In general, kscfg system factory reset
and zero knowledge factory reset delete these OS-level configurations.
The following table summarizes differences between the four methods:
Method | Operating System | Network | Software Version | Required Permissions |
---|---|---|---|---|
REST API/CLI reset | Preserves OS level configurations such as SSH keys and disk encryption. | Preserves network configuration. | Preserves CipherTrust Manager software version. | An Application Administrator in the admins group, such as the default admin account. |
kscfg system reset | Preserves OS level configurations such as SSH keys and disk encryption. | Preserves network configuration. | Preserves CipherTrust Manager software version. | The ksadmin user through SSH access. |
kscfg system factory reset | Deletes OS level configurations such as SSH keys and disk encryption. | Deletes network configuration. | Downgrades CipherTrust Manager to the software version installed at the factory. | The ksadmin user through SSH access. |
Zero knowledge factory reset | Deletes OS level configurations such as SSH keys and disk encryption. | Deletes network configuration. | Downgrades CipherTrust Manager to the software version installed at the factory. | Requires serial console access. Thales customer support verifies identity to ensure only authorized persons can perform a zero knowledge factory reset. |
All of these methods delete HSM root of trust connection parameters, but do not reset the HSM or delete the root of trust keys.
This allows you to restore a previous CipherTrust Manager backup taken on the appliance. However, if you performed the reset to return the appliance to a fresh security state, and you don't intend to restore a backup, we strongly recommend resetting and re-initializing the HSM to create new root of trust keys. On a k570 device with an embedded PCIe HSM, you reset the HSM using the lunaCM command “hsm factoryReset” and then re-initialize following the same HSM configuration process as used during first deployment. For external HSMs used as the root of trust, consult their product documentation to delete the root of trust keys and perform any applicable reset operations.
Reset Through REST API or CLI
Consult Effects of Reset Methods for details on what data is cleared for the different reset methods.
Warning
This destructive operation wipes all data on the CipherTrust Manager and should be used with care.
In the REST API, the root admin
can use POST with /v1/system/services/reset
to wipe application data in CipherTrust Manager. You can optionally include "delay":integer
in the request body to set a delay in seconds. The default delay is 5 seconds.
In the ksctl CLI, the root admin
can run ksctl services reset
. You can optionally include the --delay
flag to set a delay in seconds. The default delay is 5 seconds.
System Reset
Consult Effects of Reset Methods for details on what data is cleared for the different reset methods.
The kscfg system reset
command can be used to perform a hard reset of the CipherTrust Manager.
Warning
This destructive operation wipes all data on the CipherTrust Manager and should be used with care.
Note
This command requires the host-daemon system service to be up and running.
Normally, the REST API or the CLI should be used for performing the reset. This method of performing the reset should be used as a last resort. This operation deletes all backup keys and the HSM configuration. It is good practice to do the following before running this command:
Create and download a backup of the database.
Download all the backup keys. Any backups downloaded from this device will not be useful without the backup keys.
ksfcg reset commands do not reset the HSM and the root of trust keys. This allows you to restore a previous CipherTrust Manager backup taken on the appliance. However, if you performed the factory reset to return the appliance to a fresh security state, and you don't intend to restore a backup, we strongly recommend resetting and re-initializing the HSM to create new root of trust keys. On a k570 device with an embedded PCIe HSM, you reset the HSM using the lunaCM command “hsm factoryReset” and then re-initialize following the same HSM configuration process as used during first deployment. For external HSMs used as the root of trust, consult their product documentation to delete the root of trust keys and perform any applicable reset operations.
Usage
kscfg system reset [flags]
Flags:
-f, --force When this flag is set, any errors encountered during reset are ignored, and the reset procedure
continues to the end. This flag must be used with care as it could place the system in an unuseable state. It
should be used when all else fails.
-h, --help help for reset
-y, --yes When this flag is set, all user prompts during the reset process are skipped. A default value
of 'yes' is used as the automatic response to all prompts.
Examples
kscfg system reset [-f] [-y]
Response:
This will perform a full reset of the CipherTrust Manager services.
WARNING - This is a destructive operation and will wipe all data in the CipherTrust Manager.
It will delete all backupkeys and the HSM configuration.
Normally, the REST API or the CLI should be used for performing the reset.
THIS METHOD OF PERFORMING THE RESET SHOULD BE USED AS A LAST RESORT.
It is good practice to perform the following steps prior to running this command:
1. Create and download a backup of the database.
2. Download all the backupkeys; any backups downloaded from this device will not be useful without the backupkeys.
Do you want to continue? [y/N] y
This will take some time, please wait
Device reset has started. It will take a few minutes to complete.
System Factory Reset
Consult Effects of Reset Methods for details on what data is cleared for the different reset methods.
The kscfg system factory-reset
can be used on k470 and k570 appliance models to revert the system to its factory defaults.
Warning
This destructive operation wipes all data on the CipherTrust Manager, including keys, backups, backup keys, system configuration, and logs. It automatically reboots the appliance twice, before booting to the factory firmware version. The appliance's factory version may be below the currently running version. Several system upgrades may be required to return to the currently running version. Do not manually power-off or reset the appliance while the factory-reset is in progress. This command must be used with care.
Note
This command expects the host-daemon system service to be up and running. However, if the host-daemon is not running or not in a good state, the factory-reset can be invoked from command line as ksadmin user by executing "sudo /opt/keysecure/ks_reset_to_factory.sh".
ksfcg reset commands do not reset the HSM and the root of trust keys. This allows you to restore a previous CipherTrust Manager backup taken on the appliance. However, if you performed the factory reset to return the appliance to a fresh security state, and you don't intend to restore a backup, we strongly recommend resetting and re-initializing the HSM to create new root of trust keys. On a k570 device with an embedded PCIe HSM, you reset the HSM using the lunaCM command “hsm factoryReset” and then re-initialize following the same HSM configuration process as used during first deployment. For external HSMs used as the root of trust, consult their product documentation to delete the root of trust keys and perform any applicable reset operations.
Usage
kscfg system factory-reset [flags]
Flags:
-h, --help help for factory-reset
-y, --yes When this flag is set, all user prompts during the reset process are skipped. A default value
of 'yes' is used as the automatic response to all prompts.
Examples
kscfg system factory-reset [-y]
Response:
WARNING: This operation will revert the system to its factory defaults !!!
(1) This is a destructive operation that erases all CipherTrust Manager data including but not limited to keys, backups, backup keys, and system logs.
(2) Ensure that you have a valid CipherTrust Manager backup of all the data and backup key.
(3) If embedded HSM is available, it will not be reset as part of this operation.
Re-initialization of embedded HSM is highly recommended after this operation to configure it as the root of trust.
(4) If remote PED was used, it must be re-connected after completion.
(5) This operation may take up to 15 minutes. Make sure you have power backup in place.
(6) Access to the system will be unavailable. DO NOT restart the system during this time.
(7) This operation includes multiple system reboot.
(8) This operation CANNOT be undone.
Do you want to continue?
[y/N]
Adding Connector Licenses After System Reset
System reset changes the Connector Lock Code for the CipherTrust Manager. After system reset, any license files based on that earlier Connector Lock Code cannot be added. You can restore the earlier Connector Lock Code from a backup, or by adding the reset CipherTrust Manager node into a cluster with the earlier Connector Lock Code. Then, these license files can be added. As well, backup restore and cluster replication include previously installed licenses.
Zero Knowledge Factory Reset
Consult Effects of Reset Methods for details on what data is cleared for the different reset methods.
This way of resetting an appliance requires no authentication. Zero knowledge factory reset is available for physical appliances only. To protect from misuse, this feature requires serial access to the appliance, and contact with Thales customer support.
Warning
This destructive operation wipes all data on the CipherTrust Manager, including keys, backups, backup keys, system configuration, and logs. It automatically reboots the appliance twice, before booting to the factory firmware version. The appliance's factory version may be below the currently running version. Several system upgrades may be required to return to the currently running version. Do not manually power-off or reset the appliance while the factory-reset is in progress. This command must be used with care.
Open a serial connection to the appliance.
At the
ciphertrust login:
prompt enterfactoryreset
You are presented with the following options:
Options: 1. Initiate factory reset by generating a challenge from this system 2. Input response and perform factory reset
Enter
1
to generate a challenge request.Your choice: 1 Copy the following request to CipherTrust Manager support: <challenge_request_string>
Copy the challenge string and send it to Thales customer support.
Press
ENTER
in the serial session to return to the previous options.Once you have received a response text from customer support, enter
2
to input the response.Your choice: 2 Paste response text from support (end with an empty line): <support_response_string>
The following warning is displayed:
WARNING: This operation will revert the system to its factory defaults !!! (1) This is a destructive operation that erases all CipherTrust Manager data including but not limited to keys, backups, backup keys, and system logs. (2) Ensure that you have a valid CipherTrust Manager backup of all the data and backup key. (3) If embedded HSM is available, it will not be reset as part of this operation. Re-initialization of embedded HSM is highly recommended after this operation to configure it as the root of trust. (4) If remote PED was used, it must be re-connected after completion. (5) This operation may take up to 15 minutes. Make sure you have power backup in place. (6) Access to the system will be unavailable. DO NOT restart the system during this time. (7) This operation includes multiple system reboot. (8) This operation CANNOT be undone.
Type
proceed
to continue with the reset.