Recover the SRK

Note: This step is required only if your HSM was shipped in Secure Transport Mode. If not, then proceed to Initializing the HSM. You can read this page later if you choose to enable SRK and/or to invoke Secure Transport Mode at some future time.

PED-authenticated Luna HSMs can be shipped from the factory in Secure Transport Mode (your option, at the time you place your order). In this mode, and similar to the state following an HSM tamper event, the Master Tamper Key (MTK) is invalidated.

Here is a brief summary of how MTK and STM (secure transport) are related.

By default, two pieces of recovery data are stored separately on the HSM; the HSM can bring them together to recreate the Master Tamper Key (MTK), which encrypts all HSM content.

If the HSM has both recovery pieces of the Master Tamper Key on-board, then:

1. It recovers the MTK automatically following any tamper event, when the HSM is restarted. The HSM can carry on immediately.

2. You cannot place the HSM in Secure Transport Mode (a form of controlled, intentional tamper).

You have the option to move one of the recovery pieces of the Master Tamper Key off-board, in the form of the Secure Recovery Vector (SRV), which gets imprinted on a purple PED Key (the Secure Recovery Key, or SRK). If you choose to generate the SRK, then:

3. The HSM retains only one piece of the recovery data and does not recover the MTK automatically following a tamper event, even after restart, until you provide the external piece (the purple key). This gives you control and oversight over tamper events. Your personnel must be aware and must respond before the HSM is allowed to recover from a tamper.

4. With one of the pieces stored externally, you can set the HSM into Secure Transport Mode, and it can recover from STM only when that purple PED Key is presented - this is what we do at the factory if you request that we ship in STM. Then we ship you the purple key by a separate channel.

Before you can begin configuring and using the HSM, you must recover the SRK.

The SRK external secret is held on the purple SRK PED Key(s), shipped to you separately from the HSM.

With the Luna SA powered and connected to a Luna PED, and also connected to a computer having the Luna Client software installed (using a local serial connection, or an ssh session over the network), log in as appliance 'admin'. Verify that the HSM is in "Hardware tampered" or "Transport mode" state.

lunash:> hsm srk show
Secure Recovery State flags:
===============================
External split enabled:  yes
SRK resplit required:  no
Hardware tampered:  no
Transport mode: yes

Command Result : No Error
lunash:>

Recover the SRK with the command:

lunash:> hsm srk transportMode recover

With the Luna HSM powered and connected to a Luna PED, verify from the LunaCM prompt that the HSM is in "Hardware tampered" or "Transport mode" state.

lunacm:> srk show
Secure Recovery State flags:
===============================
External split enabled:  yes
SRK resplit required:  no
Hardware tampered:  no
Transport mode: yes

Command Result : No Error
lunacm:>

Recover the SRK with the command:

lunacm:> srk transportMode recover

Refer to the Luna PED and follow the prompts to insert the purple PED Key, enter responses on the PED keypad, and so on. During the process, a validation string is shown. You should have received your HSM's validation string by separate mail. Compare that to the string that you see during SRK recovery. They should match. If so, acknowledge the match when requested, and the recovery process concludes with the SRK recreated on the HSM.

When the SRK has been used to recover the MTK on the HSM, the HSM is still in zeroized state, but you can now continue to the next configuration step, initializing the HSM.

Urgent SRK Action

As long as the SRK (purple PED Key) remains valid, it is tied to that HSM and there is risk if it is mishandled or lost. If you do not need to have an external split (the SRV) of the MTK recovery key component, you should immediately perform an srk disable operation to bring the external split back into the HSM. Do not overwrite (or lose) the purple PED Key while it contains a valid SRV, unless you have copies.

Some security regimes require that the SRV remains external to the HSM, on an SRK (purple PED Key) to enforce specific, hands-on, oversight and recovery actions, in the case of a tamper event at the HSM. In that case, keep the external split and handle with care (including having on-site and off-site backup copies, just as you would with the Security Officer (blue) PED Key). You are not "done" with a purple PED Key until its contents have been returned to its HSM with srk disable.

Re-split the SRK

You have the option to re-split the SRK at any time - you need the current external SRK split (the purple PED Key(s)) to initiate the action. The purpose would be to ensure that the SRK for your HSM is secure and that you have the only copies of the external portion of the secret. That is, by re-splitting at your convenience, you remove the risk that somebody kept a copy of the purple PED Key before they sent your HSM to you. Any copy of the previous secret becomes useless when a re-split operation is performed. Similar logic applies if a copy of your new SRK goes missing (or is thought to have been compromised) - a re-split/regeneration of the secure recovery vector onto a new external key (SRK) or keys renders the lost/stolen/compromised SRK useless to anyone.
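The following toy model, added here as an illustration and not Luna firmware or SafeNet code, walks through the two-piece MTK recovery split described at the top of this page and the re-split operation described just above. It assumes an XOR split of a random 32-byte MTK and uses a truncated SHA-256 of the MTK to stand in for the validation string mailed separately; both are constructed for the example and say nothing about how the real HSM derives its values.

```python
import hashlib
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class HsmModel:
    """Toy model of the two-piece MTK recovery split (constructed example, not Luna firmware)."""
    def __init__(self) -> None:
        self.mtk = os.urandom(32)                  # live Master Tamper Key
        self.internal = os.urandom(32)             # recovery piece that always stays on-board
        self.onboard_second = xor_bytes(self.mtk, self.internal)  # second piece, on-board by default
        self.external_split_enabled = False

    def validation_string(self) -> str:
        """Fingerprint of the MTK; stands in for the string you receive by separate mail."""
        return hashlib.sha256(self.mtk).hexdigest()[:16]

    def generate_srk(self) -> bytes:
        """Move the second piece off-board: this is the SRV imprinted on the purple PED Key."""
        srv, self.onboard_second = self.onboard_second, None
        self.external_split_enabled = True
        return srv

    def tamper(self) -> None:
        """Tamper event or entry into Secure Transport Mode: the MTK is invalidated."""
        self.mtk = None

    def restart(self) -> bool:
        """Automatic recovery happens only while both pieces are on-board."""
        if self.mtk is None and not self.external_split_enabled:
            self.mtk = xor_bytes(self.internal, self.onboard_second)
        return self.mtk is not None

    def recover(self, srv: bytes, mailed_validation: str) -> bool:
        """Rebuild the MTK from the purple key and confirm the validation string matches."""
        candidate = xor_bytes(self.internal, srv)
        if hashlib.sha256(candidate).hexdigest()[:16] != mailed_validation:
            return False                           # wrong or stale purple key: HSM stays tampered
        self.mtk = candidate
        return True

    def resplit(self, current_srv: bytes) -> bytes:
        """Fresh internal piece and new SRV; every copy of the old SRV becomes useless."""
        if self.mtk is None or xor_bytes(self.internal, current_srv) != self.mtk:
            raise PermissionError("the current external split is required to re-split")
        self.internal = os.urandom(32)
        return xor_bytes(self.mtk, self.internal)

    def srk_disable(self, current_srv: bytes) -> None:
        """Bring the external piece back on-board so automatic recovery resumes."""
        if self.mtk is None or xor_bytes(self.internal, current_srv) != self.mtk:
            raise PermissionError("the current external split is required to disable the SRK")
        self.onboard_second, self.external_split_enabled = current_srv, False
```

Running the sequence generate, tamper, recover, resplit, tamper shows that the original purple key no longer recovers the HSM after the re-split, which is the property the paragraph above relies on.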

Other Uses of the SRK

The SRK is also used to recover from a real tamper event on the HSM or its appliance.

The steps are the same as above, except that the HSM resumes granting access with its contents intact - (re-)initialization is not required.

You can set the HSM to Secure Transport Mode before placing it into storage, or before shipping to your organization's remote location, or before shipping to your customer (offering them the same Secure Shipping option as is available from SafeNet).

If you have just received an HSM from SafeNet in Secure Transport Mode, and recovered from STM, your next step should be to initialize the HSM. Go to "Initializing a PED-Authenticated HSM".

See also "Re-Split Required".  

To view a table that compares and contrasts various "deny access" events or actions that are sometimes confused, see "Comparison of Destruction/Denial Actions".