You are here: Administration & Maintenance Manual > HSM Administration > HSM "Decommission" Button

HSM "Emergency Decommission" Button

The Luna appliance includes a way to decommission the HSM, or permanently deny access to all objects on it, without need for either a serial console or a remote (SSH) connection.

To directly decommission the HSM inside the Luna appliance, press and release the small red button, recessed behind the grille on the back panel.

The appliance does NOT need to be powered on.
The appliance does NOT need to have power cables connected.

You will need a small screw-driver or other tool to reach the Emergency Decommission button. This is intentional, to preclude accidental pressing of that button.

What It Does

When the button is pressed, the HSM is immediately decommissioned as the KEK is deleted from NVRAM. Without going into excessive detail about the HSM's internal workings, all security objects and user objects (your keys certificates, etc.) and general storage objects (cloning domain, etc.) are encrypted with their own subset storage keys (USK, GSK...), and those, in turn are encrypted with the Key Encryption Key (KEK - unique to each HSM). When the KEK is destroyed all objects on the HSM become permanently inaccessible and useless. They can still be seen, but they can never again be decoded - they are unrecoverable. Any cached data (such as partition activation data) are destroyed as well, gone, no trace.

After that happens, the HSM must be re-initialized before you (or your clients) can begin using it again. All contents of the HSM are lost.

To resume using your previous keys and certificates, you must restore them from a backup HSM - see Luna Remote Backup HSM.

Event Summary

Here is what you would observe after the button is depressed:

The LCD on the appliance front panel freezes. Communication to the HSM key card is blocked, as is the software process that polls the HSM for status.
At this point, you must power cycle the Luna appliance by depressing the momentary-contact START/STOP switch on the back panel of the system.
After restarting, writes a tamper log message to hsm.log.
The luna shell command hsm show displays the text "Manually Zeroized: Yes", to signify that the system executed the decommission process.
The HSM key card must be reinitialized (hsm init) before you can begin using it again.

Comparison Summary

View a table that compares and contrasts the "Emergency Decommission" event with other deny access events or actions that are sometimes confused. "Destroy" action/event scenarios (Right-click the link if you prefer that it not open in a new window.)

When to Use It

The primary purpose of the decommission button is for a situation where the appliance is not responding, you wish to send it back to SafeNet, but you need a way to permanently prevent access to material contained within the HSM.

You might find other uses, in your organization.

What to do after decommission if the Luna SA is being returned to SafeNet

Obtain a Return Material Authorization and shipping instructions from SafeNet, if you have not already done so.
Pack the appliance and ship it to SafeNet.