
End of service and disposal

SafeNet Luna HSMs and appliances are deployed into a wide variety of markets and environments. Arranging for the eventual disposal of a Luna HSM or HSM appliance that is no longer needed can be a simple accounting task and a call to your local computer recycling service, or it can be a complex and rigorous set of procedures intended to protect very sensitive information.

Some users of Luna HSMs employ cryptographic keys and material that have a very short "shelf life". A relatively short time after the HSM is taken out of service, any objects that it contains are no longer relevant. The HSM could be disposed of, with no concern about any material that might remain in it.

The majority of our customers are concerned with the keys and objects stored on the HSM. It is important to them that those items are never exposed. The design philosophy of our Luna HSMs ensures that contents are safe from attackers.

Unlike other HSM products on the market, Luna HSMs never store sensitive objects like cryptographic keys unencrypted. Therefore, there is no real need, other than perception or "optics", to perform active erasure of HSM contents in the case of an attack or tamper event. Instead, the basic state of a Luna HSM is that any stored keys and objects are strongly encrypted; they are decrypted only for current use, into volatile memory within the HSM. If power is removed from the HSM, the temporarily-decrypted objects instantly evaporate. The encrypted originals remain, but they are unusable by anyone who does not have the correct HSM keys (the Key Encryption Key [KEK] and the Master Tamper Key [MTK]) to decrypt them. In the case of a Decommission event (the small red button on the back of the Luna SA) or a tamper event (intrusion), one or the other of those global encrypting keys is destroyed. This instantly renders any objects in the HSM unusable by anyone. In the case of a Decommission event, when the HSM is next powered on, it requires initialization, which wipes even the encrypted remains of your former keys and objects.

However, some organizations build their protocols around assumptions that apply to other suppliers' HSMs, where keys are stored unencrypted and must be actively erased in the event of an attack or removal from service.
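The following is an added example, not Luna firmware or SafeNet code, that models the crypto-erasure behaviour described above so the consequence of destroying a global key is concrete: stored objects exist only in encrypted form, cleartext is produced transiently for use, and zeroizing a global key leaves the encrypted remains on the device but makes them unusable, while re-initialization wipes even those remains. Everything below is an assumption for illustration: the stand-in stream cipher (HMAC-SHA256 in counter mode with an HMAC tag, chosen because it needs only the Python standard library), the derivation of the object-storage key from both the KEK and the MTK, the mapping of tamper to MTK destruction and Decommission to KEK destruction, and the `ToyHsm` class and its method names.

```python
"""Toy model of an HSM that keeps objects encrypted under global keys.

Illustrative only: the cipher, the key derivation and the event-to-key
mapping are assumptions made for this example, not Luna's real design.
"""
import hashlib
import hmac
import secrets

KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (stdlib only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _storage_key(kek: bytes, mtk: bytes) -> bytes:
    # Assumption: the key that protects stored objects depends on BOTH global
    # keys, so destroying either one is enough to make every object unusable.
    return hmac.new(kek, mtk, hashlib.sha256).digest()


def encrypt_object(kek: bytes, mtk: bytes, obj: bytes) -> bytes:
    """Encrypt-then-MAC under the storage key; returns nonce || ciphertext || tag."""
    key = _storage_key(kek, mtk)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(obj, _keystream(key, nonce, len(obj))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_object(kek: bytes, mtk: bytes, blob: bytes) -> bytes:
    """Recover the object; fails closed if either global key is wrong or zeroized."""
    key = _storage_key(kek, mtk)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("object unusable: storage key cannot be reconstructed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class ToyHsm:
    """Hypothetical API modelling the lifecycle states discussed on the page."""

    def __init__(self):
        self.initialized = False
        self.kek = bytearray(KEY_LEN)  # bytearrays so they can be zeroized in place
        self.mtk = bytearray(KEY_LEN)
        self.storage = []              # "persistent" store: encrypted blobs only
        self.initialize()

    def initialize(self):
        # Initialization wipes even the encrypted remains and mints fresh global keys.
        self.storage.clear()
        self.kek[:] = secrets.token_bytes(KEY_LEN)
        self.mtk[:] = secrets.token_bytes(KEY_LEN)
        self.initialized = True

    def store(self, obj: bytes) -> int:
        """Persist an object; only its encrypted form ever reaches self.storage."""
        if not self.initialized:
            raise RuntimeError("HSM requires initialization")
        self.storage.append(encrypt_object(bytes(self.kek), bytes(self.mtk), obj))
        return len(self.storage) - 1

    def use_object(self, handle: int) -> bytes:
        """Decrypt for current use; the cleartext is returned, never written back."""
        if not self.initialized:
            raise RuntimeError("HSM requires initialization")
        return decrypt_object(bytes(self.kek), bytes(self.mtk), self.storage[handle])

    def tamper(self):
        # Assumed mapping: a tamper event destroys the MTK. Blobs stay on disk
        # but decrypt_object() can no longer authenticate or recover them.
        self.mtk[:] = bytes(KEY_LEN)

    def decommission(self):
        # Assumed mapping: the Decommission button destroys the KEK, and the
        # device then refuses all object operations until it is initialized.
        self.kek[:] = bytes(KEY_LEN)
        self.initialized = False


if __name__ == "__main__":
    hsm = ToyHsm()
    h = hsm.store(b"constructed sample private key material")
    print("in service  :", hsm.use_object(h))
    hsm.tamper()
    try:
        hsm.use_object(h)
    except ValueError as exc:
        print("after tamper:", exc, "(blob still present:", len(hsm.storage), "object)")
```

The point the model makes is the one in the paragraph above: after `tamper()` the encrypted blob is still sitting in `storage`, and a forensic copy of it is worthless because the key that would authenticate and decrypt it no longer exists anywhere. `decommission()` followed by `initialize()` goes one step further and empties `storage` as well, which is the behaviour to expect from a Decommission event followed by re-initialization.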

A percentage of our customers are very high-security establishments (like some government entities) that have very rigorous protocols for removing a device from service. In such circumstances, it is not sufficient to merely ensure that all material is gone from the HSM. It is also necessary to clear any possible evidence from the appliance that contains the HSM, such as IP configuration and addresses, log files, etc.

If you have any concern that simply pressing the Decommission button and running sysconf config factoryreset does not sufficiently destroy potentially sensitive information, then please refer to Declassify the HSM Appliance.
