In the context of HSMs in general, the term "zeroize" means to erase all plaintext keys. Some HSMs keep all keys in plaintext within the HSM boundary. SafeNet HSMs do not.
In the context of SafeNet HSMs, keys at rest [ keys or objects that are stored in the HSM ] are encrypted. Keys are decrypted into a volatile working memory space inside the HSM only while they are being used. Items in volatile memory disappear when power is removed. The action that we loosely call "zeroizing", or clearing, erases volatile memory as well as destroying the key that encrypts stored objects.
Therefore,
• if you perform hsm factoryReset, or
• if you make too many bad login attempts on the SO account, or
• if you set a "destructive" HSM policy, or
• if you perform HSM firmware rollback,
not only are any temporarily decrypted keys destroyed, but all customer keys on the HSM are immediately rendered inaccessible and unrecoverable.
The KEK [ key encryption key that encrypts all user objects, partition structure, cloning vectors, masking vectors, etc. ] is destroyed by a zeroization (erasure) or decommission event. At that point, any objects or identities in the HSM become effectively random blobs of bits that can never be decoded.
Note: The next HSM power-up, following a KEK zeroization (for whatever reason), automatically erases the contents of user storage, which were already an indecipherable blob without the original KEK. That is, any zeroizing event instantly makes encrypted objects unusable, and as soon as power is re-applied, the HSM immediately erases even the encrypted remains before it allows further use of the HSM.
The HSM must now be re-initialized in order to use it again, and initialization overwrites the HSM with new user parameters. Everything is further encrypted with a new KEK [ unique to that HSM ].
Keys NOT encrypted by the KEK are those that require exemption and are not involved in user identities or user objects:
• the Master Tamper Key, which enables tamper handling as well as Secure Transport Mode,
• the Remote PED Vector, to allow Remote PED-mediated recovery from tamper or from Secure Transport Mode,
• the hardware origin key that certifies the HSM hardware as having been built by Gemalto-SafeNet, and
• a couple of legacy keys that allow objects to be migrated from legacy HSMs.
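
The lifecycle described above (objects at rest wrapped under the KEK, zeroization destroying the KEK and volatile memory, the next power-up erasing the encrypted remains, re-initialization creating a new KEK, and exempt keys surviving) can be modelled in a few lines. This is an added illustration, not Gemalto-SafeNet code: the class and method names are hypothetical, and the HMAC-SHA256 keystream is a stand-in for whatever cipher the HSM actually uses.

```python
import hashlib, hmac, secrets

def _sub(kek, purpose):
    # Derive separate encryption and MAC subkeys from the KEK.
    return hmac.new(kek, purpose, hashlib.sha256).digest()

def _stream(key, nonce, n):
    # Stand-in keystream (HMAC-SHA256 in counter mode), not the HSM's real cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class ModelHSM:
    """Toy model of the lifecycle described above; all names are hypothetical."""
    def __init__(self):
        # Exempt key: held outside the KEK hierarchy, so it survives zeroization.
        self.exempt = {"master_tamper_key": secrets.token_bytes(32)}
        self.initialize()

    def initialize(self):
        self.kek = secrets.token_bytes(32)      # new KEK, unique to this HSM
        self.storage, self.volatile = {}, {}    # at-rest blobs / in-use plaintext

    def store(self, label, key):
        nonce = secrets.token_bytes(16)
        ct = _xor(key, _stream(_sub(self.kek, b"enc"), nonce, len(key)))
        tag = hmac.new(_sub(self.kek, b"mac"), nonce + ct, hashlib.sha256).digest()
        self.storage[label] = (nonce, ct, tag)

    def use(self, label):
        if self.kek is None:
            raise PermissionError("zeroized: KEK destroyed")
        nonce, ct, tag = self.storage[label]
        want = hmac.new(_sub(self.kek, b"mac"), nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, want):
            raise ValueError("blob was not encrypted under the current KEK")
        self.volatile[label] = _xor(ct, _stream(_sub(self.kek, b"enc"), nonce, len(ct)))
        return self.volatile[label]

    def zeroize(self):
        self.kek = None          # destroy the KEK: stored blobs become undecodable
        self.volatile.clear()    # erase decrypted keys in working memory

    def power_up(self):
        if self.kek is None:
            self.storage.clear() # erase the encrypted remains before further use
```

In the model, a blob copied out of storage before zeroization still fails to decode after re-initialization, because the new KEK is unrelated to the destroyed one.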