
Recover the SRK

This step is required only if your HSM was shipped in Secure Transport Mode.  

If not, then click through to Initializing the HSM. You can read this page later if you choose to enable SRK and invoke Secure Transport Mode at some future time.

PED-authenticated Luna HSMs can be shipped from the factory in Secure Transport Mode (your option, at the time you place your order). In this mode, and similar to the state following an HSM tamper event, the Master Tamper Key (MTK) is invalidated.

Here is a brief summary of how MTK and STM (secure transport) are related.

By default, two pieces of data are stored separately on the HSM; the HSM can bring them together to recreate the Master Tamper Key, which encrypts all HSM content.

If the HSM has both recovery pieces of the Master Tamper Key onboard, then:

  1. It recovers the MTK automatically following any tamper event, when the HSM is restarted. The HSM can carry on immediately.  
  2. You cannot place the HSM in Secure Transport Mode (a form of controlled, intentional tamper).

You have the option to move one of the recovery pieces of the Master Tamper Key off-board, in the form of the Secure Recovery Vector (SRV), which gets imprinted on a purple Secure Recovery Key (SRK). If you choose to generate the SRK, then:

  1. The HSM retains only one piece of the recovery data and does not recover the MTK automatically following a tamper event, even after restart, until you provide the external piece (the purple key).  This gives you control and oversight over tamper events. Your personnel must be aware and must respond before the HSM is allowed to recover from a tamper.
  2. With one of the pieces stored externally, you can set the HSM into Secure Transport Mode, and it can recover from STM only when that purple PED Key is presented - this is what we do at the factory if you request that we ship in STM. Then we ship you the purple key by a separate channel.

Before you can begin configuring and using the HSM, you must recover the SRK.

The SRK external secret is held on the purple SRK PED Key(s), shipped to you separately from the HSM.

With the Luna SA powered and connected to a Luna PED, and also connected to a computer having the Luna Client software installed (using local serial connection, or ssh session over the network), log in as appliance 'admin'. Verify that the HSM is in "Hardware tampered" or "Transport mode" state.

lunash:> hsm srk show

Secure Recovery State flags:
===============================
External split enabled:   yes
SRK resplit required:     no
Hardware tampered:        no
Transport mode:           yes

Command Result : No Error
lunash:>

Recover the SRK with the command:

lunash:> hsm srk transportMode recover

Refer to the Luna PED and follow the prompts to insert the purple PED Key, enter responses on the PED keypad, etc. During the process, a validation string is shown. You should have received your HSM's validation string by separate mail. Compare that to the string that you see during SRK recovery. They should match. If so, acknowledge the match when requested, and the recovery process concludes with the SRK recreated on the HSM. If the strings do not match, do not acknowledge a match; the comparison exists to detect interference with the HSM in transit, so stop and investigate before proceeding.

When the SRK has been recovered on the HSM, the HSM is still in zeroized state, but you can now continue to the next configuration step, initializing the HSM.
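The state check and the recovery decision above, as an added example that is not SafeNet's code: a POSIX shell script that parses the flags printed by "hsm srk show" and prints which step this page prescribes, so that a provisioning script neither runs the transport-mode recovery against an HSM that is not waiting for the purple key nor skips it on one that is. Only the flag names shown on this page are relied on; the sample output is constructed, and the ssh invocation in collect_srk_show is an assumption about how the output would be gathered from the appliance's 'admin' account.

```shell
#!/bin/sh
# Added example, not SafeNet's code: turn the flags printed by
# "lunash:> hsm srk show" into the action this page prescribes.
# The sample output below is constructed from the flag names on this
# page; collect_srk_show assumes an ssh session to the appliance 'admin'
# account and is not exercised, so the script runs offline.

# Constructed sample: an HSM as delivered in Secure Transport Mode.
SAMPLE_STM='Secure Recovery State flags:
===============================
External split enabled:   yes
SRK resplit required:     no
Hardware tampered:        no
Transport mode:           yes

Command Result : No Error'

# Constructed sample: the same HSM after a successful recovery.
SAMPLE_READY='Secure Recovery State flags:
===============================
External split enabled:   yes
SRK resplit required:     no
Hardware tampered:        no
Transport mode:           no

Command Result : No Error'

# flag_value OUTPUT LABEL: print the yes/no value of the flag named LABEL.
flag_value() {
    printf '%s\n' "$1" | awk -F': *' -v k="$2" \
        '$1 == k { sub(/[ \t]+$/, "", $2); print $2; exit }'
}

# srk_action OUTPUT: classify the HSM state and print one word:
#   recover  - waiting for the purple PED Key (STM, or a tamper while the
#              external split is enabled): run "hsm srk transportMode recover"
#              before anything else and check the validation string.
#   restart  - tampered, but both MTK splits are on board: the HSM recovers
#              the MTK on its own when restarted.
#   resplit  - the HSM reports that the external split must be regenerated.
#   ready    - external split enabled and MTK intact; STM can be entered later.
#   no-srk   - both splits on board: no purple key, and STM cannot be entered.
#   error    - lunash did not report success, or a flag is missing/garbled.
srk_action() {
    out=$1
    case "$out" in
        *"Command Result : No Error"*) ;;
        *) echo error; return 1 ;;
    esac
    ext=$(flag_value "$out" "External split enabled")
    resplit=$(flag_value "$out" "SRK resplit required")
    tampered=$(flag_value "$out" "Hardware tampered")
    transport=$(flag_value "$out" "Transport mode")
    for v in "$ext" "$resplit" "$tampered" "$transport"; do
        case "$v" in
            yes|no) ;;
            *) echo error; return 1 ;;
        esac
    done
    if [ "$transport" = yes ] || { [ "$tampered" = yes ] && [ "$ext" = yes ]; }; then
        echo recover
    elif [ "$tampered" = yes ]; then
        echo restart
    elif [ "$resplit" = yes ]; then
        echo resplit
    elif [ "$ext" = yes ]; then
        echo ready
    else
        echo no-srk
    fi
}

# collect_srk_show HOST: fetch live output over ssh (assumed invocation).
collect_srk_show() {
    ssh "admin@$1" hsm srk show
}

srk_action "$SAMPLE_STM"    # recover
srk_action "$SAMPLE_READY"  # ready
```

The classifier refuses to guess when the "Command Result" line is absent or a flag is not a literal yes/no, because a truncated or interleaved session log is exactly the kind of input that would otherwise make a script skip the recovery step.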

Re-split the SRK

You have the option to re-split the SRK at any time - you need the current external SRK split (the purple PED Key(s)) to initiate the action. The purpose would be to ensure that the SRK for your HSM is secure and that you have the only copies of the external portion of the secret. That is, by re-splitting at your convenience, you remove the risk that somebody kept a copy of the purple PED Key before they sent your HSM to you. Any copy of the previous secret becomes useless when a re-split operation is performed. Similar logic applies if a copy of your new SRK goes missing (or is thought to have been compromised) - a re-split/regeneration of the secure recovery vector onto a new external key (SRK) or keys renders the lost/stolen/compromised SRK useless to anyone.

Other Uses

The SRK is also used to recover from a real tamper event on the HSM or its appliance.

The steps are the same as above, except that the HSM resumes granting access with its contents intact - [re-] initialization is not required.

You can set the HSM to Secure Transport Mode before placing it into storage, or before shipping to your organization's remote location, or before shipping to your customer (offering them the same Secure Shipping option as is available from SafeNet).

If you have just received an HSM from SafeNet in Secure Transport Mode, and recovered from STM, your next step should be to initialize the HSM; see "Initializing a PED-Authenticated HSM".

For a table that compares and contrasts the various "deny access" events and actions that are sometimes confused, see "Comparison of destruction/denial actions".

See Also

 

About Initializing a PED Authenticated [Trusted Path] HSM

Options and choices when imprinting a blue (SO) PED Key