hsm factoryreset

Set the HSM back to its factory default settings, deleting the HSM SO, all users, and all objects. This command can be run via a local serial connection only; it is not accepted via SSH.

WARNING!  This command deletes all objects and users on the HSM, leaving it in a zeroized state.

This command does not require HSM login. The assumption is that your organization's physical security protocols prevent unauthorized physical access to the HSM. If those protocols failed, an unauthorized person would have no access to the HSM contents, and would be limited to temporary denial of service by destruction of HSM contents.

Because this is a destructive command, you are asked to “proceed” unless the -force switch is provided at the command line. See Comparison of Destruction/Denial Actions in the Administration Guide to view a table that compares and contrasts various "deny access" events or actions that are sometimes confused.

How the firmware version affects behavior

The behavior of this command differs depending on the HSM firmware, as follows:

On firmware earlier than version 6.22.0, this command does not erase the RPV (Remote PED Vector or orange PED Key authentication data), does not erase the Auditor role from the HSM, and does not reset HSM policies.

On firmware 6.22.0 or higher, this command does erase the RPV (Remote PED Vector or orange PED Key authentication data), does erase the Auditor role from the HSM, and does reset HSM policies.

The RPV data is required for Remote PED operations to function, including remote HSM initialization, if needed, so RPV must be reinstated after hsm factoryreset if you want to do any remote administration of the HSM.

Note:  If the operation erased the RPV as described above, and you previously established a remote PED connection (using hsm ped connect), you must tear down the remote PED connection (using hsm ped disconnect) before you reinitialize the RPV and establish a new remote PED connection. The hsm factoryReset command operates on the internal HSM only, and not on software processes responsible for the remote PED connection.

Related commands

This command affects only the HSM, and not the settings for other components of the appliance. The command sysconf config factoryreset affects appliance settings external to the HSM. To bring your entire SafeNet Network HSM as close as possible to its original configuration, as shipped from the factory, run both commands.

If you wish to zeroize (remove all partitions, roles (except Auditor), and contents) while preserving HSM policies and the RPV - that is, zeroize before shipping the HSM off to be remotely configured - use the command hsm zeroize instead.

Syntax

hsm factoryreset [-force]

Parameter   Shortcut   Description
-force      -f         Force the action without prompting.

Example

Non-local (network connection) attempt:

lunash:>hsm factoryReset
Error:  'hsm factoryReset' can only be run from the local console.
 Login as 'admin' using the serial port on the 
 SafeNet Network HSM before running this command.
Command Result : 0 (Success)
lunash:>
 

Local attempt:

lunash:>hsm factoryReset
CAUTION: Are you sure you wish to reset this HSM to factory
 default settings? All partitions and data will be erased.
 Partition policies will be reverted to factory settings.
 HSM level policies will be reverted to factory settings.
 If you want to erase partitions and data only, use zeroize.
 Remote PED vector will be erased.
 Type 'proceed' to return the HSM to factory default, or
 'quit' to quit now.
 > proceed
'hsm factoryReset' successful.
Please wait while the HSM is reset to complete the process.
The remote PED vector (RPV) has been erased on HSM.
Command Result : 0 (success)
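
The non-local attempt above ends with "Command Result : 0 (Success)" even though the command was refused, so a script or reviewer that reads only the result line of a captured console session would misreport the reset. The following is an added example, not part of the LunaSH documentation: it classifies a captured transcript by its message text and lists the remote PED follow-up from the Note above. The function name, outcome labels, and the abridged sample transcripts are assumptions made for illustration.

```python
import re

# Sample transcripts built from the two examples on this page
# (line wraps rejoined, CAUTION text abridged).
REMOTE = """lunash:>hsm factoryReset
Error:  'hsm factoryReset' can only be run from the local console.
 Login as 'admin' using the serial port on the
 SafeNet Network HSM before running this command.
Command Result : 0 (Success)
"""

LOCAL = """lunash:>hsm factoryReset
CAUTION: Are you sure you wish to reset this HSM to factory
 default settings? All partitions and data will be erased.
 Remote PED vector will be erased.
 Type 'proceed' to return the HSM to factory default, or
 'quit' to quit now.
 > proceed
'hsm factoryReset' successful.
Please wait while the HSM is reset to complete the process.
The remote PED vector (RPV) has been erased on HSM.
Command Result : 0 (success)
"""

def classify_factoryreset(transcript: str) -> dict:
    """Classify a captured 'hsm factoryReset' session (hypothetical helper)."""
    text = transcript.lower()
    m = re.search(r"command result\s*:\s*(\d+)", text)
    code = int(m.group(1)) if m else None
    # The result code is 0 in both cases, so decide on the message text.
    refused = "error:" in text and "local console" in text
    done = "'hsm factoryreset' successful" in text
    # Only the confirmation line counts; the CAUTION prompt merely warns.
    rpv_erased = done and "(rpv) has been erased" in text
    outcome = ("refused-non-local" if refused
               else "reset-completed" if done else "not-confirmed")
    # Per the Note above: disconnect any existing remote PED session before
    # reinitializing the RPV and connecting again.
    followup = (["hsm ped disconnect", "reinitialize RPV", "hsm ped connect"]
                if rpv_erased else [])
    return {"outcome": outcome, "result_code": code,
            "rpv_erased": rpv_erased, "followup": followup}

if __name__ == "__main__":
    for name, t in (("remote", REMOTE), ("local", LOCAL)):
        print(name, classify_factoryreset(t))
```

A transcript from firmware earlier than 6.22.0, which lacks the RPV confirmation line, is reported as completed with no remote PED follow-up.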