
hsm zeroize

Removes all partitions and keys from the HSM.

CAUTION: This command puts the HSM in a zeroized state.

This command destroys the HSM SO and all users (except Auditor), and their objects.

This command can be run only via a local serial connection; it is not accepted via SSH. Because this is a destructive command, the user is asked to “proceed” unless the -force switch is provided at the command line. See Comparison of Destruction/Denial Actions in the Administration Guide to view a table that compares and contrasts various "deny access" events or actions that are sometimes confused.

This command does not require HSM login. The assumption is that your organization's physical security protocols prevent unauthorized physical access to the HSM. Nevertheless, if those protocols failed, an unauthorized person would have no access to HSM contents, and would be limited to temporary denial of service by destruction of HSM contents.

This command was added with HSM firmware 6.22.0. It does not appear in the command list when the current slot is an older firmware version.

This command does not reset HSM policies, except for policy 39: Allow Secure Trusted Channel. After zeroization, you will need to re-establish your STC links, as described in Restoring STC After HSM Zeroization in the Administration Guide, and in Creating an STC Link Between a Client and a Partition in the Configuration Guide.

This command does not erase the RPV (Remote PED Vector or orange PED Key authentication data) from the HSM.

This command does not delete the Auditor role.

To also reset HSM policies, destroy the RPV, and destroy the Auditor on HSMs with firmware 6.22.0 or newer, see hsm factoryreset.

Syntax

hsm zeroize [-force]

Parameter   Shortcut   Description
-force      -f         Force the action without prompting.

Example

Non-local (network connection) attempt

lunash:>hsm zeroize
Error:  'hsm zeroize' can only be run from the local console. 
 Login as 'admin' using the serial port on the 
 SafeNet Network HSM before running this command.
Command Result : 0 (Success)
lunash:>

Local attempt

lunash:>hsm zeroize
CAUTION: Are you sure you wish to zeroize this HSM?
          All partitions and data will be erased.
          HSM level policies will not be changed. 
          All current NTLS and/or STC sessions will be terminated. 
          If you want policies reverted as well, use factory reset.
          Type 'proceed' to return the HSM to factory default, or
          'quit' to quit now.
          >
 > proceed
'hsm zeroize' successful.
Please wait while the HSM is reset to complete the process.
Command Result : 0 (success)
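The two transcripts above show a pitfall for anyone scripting or auditing this command over a captured console session: the non-local refusal still ends with "Command Result : 0 (Success)", so the result code alone does not tell you whether the HSM was actually zeroized. The following parser is an added example (it is not part of the Thales/SafeNet documentation or of LunaSH itself); it takes a LunaSH session transcript, which here is the page's own two examples embedded as sample input, and decides the outcome from the error text, the "'hsm zeroize' successful." line and the presence of an explicit "proceed" confirmation, rather than from the result code only. The function name and the outcome labels are this example's own.

```python
import re

# Sample transcripts, copied from the two examples on this page.
NON_LOCAL_TRANSCRIPT = """lunash:>hsm zeroize
Error:  'hsm zeroize' can only be run from the local console.
 Login as 'admin' using the serial port on the
 SafeNet Network HSM before running this command.
Command Result : 0 (Success)
lunash:>"""

LOCAL_TRANSCRIPT = """lunash:>hsm zeroize
CAUTION: Are you sure you wish to zeroize this HSM?
          All partitions and data will be erased.
          HSM level policies will not be changed.
          All current NTLS and/or STC sessions will be terminated.
          If you want policies reverted as well, use factory reset.
          Type 'proceed' to return the HSM to factory default, or
          'quit' to quit now.
          >
 > proceed
'hsm zeroize' successful.
Please wait while the HSM is reset to complete the process.
Command Result : 0 (success)"""

# "Command Result : <code> (<text>)" is the trailer LunaSH prints for each command.
RESULT_RE = re.compile(r"^Command Result : (\d+) \((\w+)\)", re.MULTILINE)


def parse_zeroize_transcript(text):
    """Classify an 'hsm zeroize' console transcript.

    Returns a dict with the numeric result code, whether the command was
    refused as non-local, whether LunaSH reported success, whether an
    explicit 'proceed' answer appears in the session, and an overall
    outcome label (an assumption of this example, not a LunaSH value).
    """
    match = RESULT_RE.search(text)
    code = int(match.group(1)) if match else None
    refused = "can only be run from the local console" in text
    succeeded = "'hsm zeroize' successful." in text
    # A confirmation line looks like "> proceed"; absent when -force was used.
    confirmed = re.search(r"^\s*>\s*proceed\s*$", text, re.MULTILINE) is not None

    if refused:
        outcome = "refused_non_local"
    elif succeeded and code == 0:
        outcome = "zeroized"
    elif code is None:
        outcome = "incomplete"
    else:
        outcome = "failed"

    return {
        "result_code": code,
        "refused": refused,
        "succeeded": succeeded,
        "confirmed": confirmed,
        "outcome": outcome,
    }


if __name__ == "__main__":
    for name, transcript in (("non-local", NON_LOCAL_TRANSCRIPT),
                             ("local", LOCAL_TRANSCRIPT)):
        print(name, parse_zeroize_transcript(transcript))
```

For a session log reviewed after the fact, the "confirmed" flag is the useful one: a zeroized outcome without an explicit "proceed" in the transcript means the -force switch was used, which a change record for a destructive action should account for.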