|
Home > |
|---|
PED-authenticated Luna G5 HSMs might have been shipped from the factory in Secure Transport Mode (an extra-cost shipping and handling treatment). Alternatively, you might have elected to set Secure Transport mode before shipping the HSM to another of your organization's locations, or before shipping to a customer of yours. In this mode, and similar to the state following a system or HSM tamper event, the Master Tamper Key (MTK) is invalidated. Almost all objects on the HSM are encrypted by the MTK, so when that is not available inside the HSM, the HSM is not usable.
Before you can begin configuring or using the HSM, you must recover the MTK by providing the external split of the Secure Recovery Vector (SRV) that is carried on the Secure Recovery Key (SRK), together with the internal split, combines to recreate the MTK.
The SRK secret is held on the purple SRK PED Key(s), shipped to you separately from the HSM.
1.With the Luna G5 powered and connected to a Luna PED, and also connected to a computer with the Lung G5 software and driver installed, open a command-prompt window and start the lunacm utility.
2.Verify that the HSM is in "Hardware tamper zeroize" or "User requested zeroize" (transport) mode.
lunacm:> srk show
SRK State Flags ->
SRK Regeneration Required: 0
Hardware (tamper) Zeroize: 0
User Requested Zeroize: 1
Locked: 1
Command Result : No Error
lunacm:>
3.Recover the srk with the command
lunacm:> srk recover
Refer to the Luna PED and follow the prompts to insert the purple PED Key, enter responses on the PED keypad, etc.
4.During the process, a validation string is shown. You should have received your HSM's validation string by separate mail. Compare that to the string that you see during SRK recovery. They should match. If so, acknowledge the match when requested, and the recovery process concludes with the SRK recreated on the HSM.
When the SRV has been retrieved from the SRK, onto the HSM, and combined with the internally-stored split to regenerate the MTK on the HSM, the HSM is still in zeroized state. However, with the MTK restored you can now resume using the HSM, if it was previously operational, or for a new HSM you can continue to the next configuration step, initializing the HSM.