HSM Administration Guide > Secure Transport Mode

Secure Transport Mode

Secure Transport Mode (STM) provides a method for verifying whether or not an HSM has been tampered with while not in your possession, such as when you ship the HSM to another location or place it in storage. For example, you could use STM in a workflow where you pre-configure the capabilities for your HSMs at a central location before deploying them to a regional location. Enabling STM before shipping the HSMs allows you to confirm that they have not been tampered with between the time they were configured at the central location and the time they were received at the regional location.

Only the HSM SO can place an initialized HSM into STM, or recover the HSM from STM. When you enable STM, it temporarily locks the HSM, retaining its current configuration and key material, and recording its current state. STM generates a unique 16-character verification string and a 16-character random user string. These unique strings allow you to verify whether or not the HSM has been tampered with while in STM. When recovering from STM, you will be asked to provide the random user string:

If the verification string generated matches the verification string generated when you placed the HSM in STM, the HSM has not been tampered with while in STM.

If the verification string generated does not match the verification string generated when you placed the HSM in STM, the HSM has been tampered with while in STM, or a different random user string has been entered.

Note:  The string is for verification purposes only. Entering a different string will not prevent you from recovering the HSM from STM.

See also Tamper Events.

For command syntax, see hsm stm.

Placing an HSM Into Secure Transport Mode

Only the HSM SO can place an initialized HSM into STM. When the HSM is zeroized, HSM SO login is not required.

CAUTION:  If the HSM contains sensitive key material, ensure that you have a full backup of the HSM contents before proceeding.

To place an HSM into Secure Transport Mode:

1. Log in as the HSM SO.

2. Back up the HSM contents. See Backup and Restore HSMs and Partitions for details.

3. Enter the following command to place the HSM into STM:

hsm stm transport

4. After confirming the action, you are presented with:

Verification String: <XXXX-XXXX-XXXX-XXXX>

Random User String: <XXXX-XXXX-XXXX-XXXX>

Record both strings. They are required to verify that the HSM has not been tampered with while in STM.

CAUTION:  Transmit the verification string and random user string to the receiver of the HSM using a secure method, distinct from the transport of the physical HSM, so that it is not possible for an attacker to have access to both the HSM and the verification codes while the HSM is in STM.

Recovering an HSM From Secure Transport Mode

Only the HSM SO can recover an initialized HSM that has been placed into STM. When the HSM is zeroized, HSM SO login is not required.

New HSMs

New HSMs are shipped from the factory in Secure Transport Mode (STM). You must recover from STM before you can initialize the HSM.

As part of the delivery of your new HSM, you should have received an email from Gemalto Client Services containing two 16-digit strings:

Random User String: XXXX-XXXX-XXXX-XXXX

Verification String: XXXX-XXXX-XXXX-XXXX

You will need both of these strings to recover from STM.

To recover an HSM from STM and verify its integrity:

1. Ensure that you have the two strings that were presented when the HSM was placed into STM, or that were emailed to you if this is a new HSM.

2. If the HSM is initialized, log in as the HSM SO. If this is a new or zeroized HSM, skip to the next step.

3. Enter the following command to recover from STM, using the random user string that was displayed when the HSM was placed in STM, or that was emailed to you if this is a new HSM:

lunash:> hsm stm recover -randomuserstring <XXXX-XXXX-XXXX-XXXX>

4. You are presented with a verification string:

If the verification string matches the original verification string, the HSM has not been tampered with, and can be safely re-deployed.

If the verification string does not match the original verification string, the HSM has been tampered with while in STM (or a different random user string was entered).

5. Enter proceed to recover from STM (regardless of whether the strings match or not), or enter quit to remain in STM.
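The verification check in steps 4 and 5, written as a small receiving-site helper (an added example, not code from the guide or from Gemalto): it first checks the operator's random user string against the one received over the separate channel, so a typo is not mistaken for a tamper, then parses the verification string printed by hsm stm recover and compares it with the recorded one. The four-groups-of-four alphanumeric string shape, the sample strings and the console output are constructed assumptions.

```python
import hmac
import re
from enum import Enum

# Assumption: STM strings are four hyphen-separated groups of four alphanumerics,
# matching the XXXX-XXXX-XXXX-XXXX shape shown in the guide.
STM_STRING = re.compile(r"^[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}$")
# Line printed by 'hsm stm recover' (angle brackets optional, as in the guide).
VERIFICATION_LINE = re.compile(r"Verification String:\s*<?([A-Za-z0-9-]+)>?")


class StmResult(Enum):
    NOT_TAMPERED = "verification string matches: not tampered with while in STM"
    MISMATCH = "verification string differs: tampered with, or wrong random user string"
    NO_STRING = "no verification string found in command output"


def normalise(s: str) -> str:
    """Upper-case, drop whitespace and angle brackets, then validate the shape."""
    s = s.strip().strip("<>").upper().replace(" ", "")
    if not STM_STRING.match(s):
        raise ValueError(f"not a valid STM string: {s!r}")
    return s


def check_user_string(typed: str, recorded: str) -> bool:
    """Pre-check before running 'hsm stm recover': a mistyped random user
    string produces a verification mismatch that looks like a tamper."""
    return hmac.compare_digest(normalise(typed), normalise(recorded))


def verify_recovery(recover_output: str, recorded_verification: str) -> StmResult:
    """Compare the verification string printed by 'hsm stm recover' with the
    one recorded when the HSM entered STM (received over the separate channel)."""
    match = VERIFICATION_LINE.search(recover_output)
    if not match:
        return StmResult.NO_STRING
    printed = normalise(match.group(1))
    expected = normalise(recorded_verification)
    if hmac.compare_digest(printed, expected):
        return StmResult.NOT_TAMPERED
    return StmResult.MISMATCH


# Constructed sample values: what the shipping site recorded and sent out of band...
RECORDED_VERIFICATION = "A1B2-C3D4-E5F6-0718"
RECORDED_USER_STRING = "9Z8Y-7X6W-5V4U-3T2S"
# ...and constructed console output captured at the receiving site.
SAMPLE_OUTPUT = "Verification String: A1B2-C3D4-E5F6-0718\nType 'proceed' or 'quit': \n"
```

A MISMATCH result is the point at which the guide's "If the verification strings do not match" steps apply; the helper deliberately does not decide between a tamper and a wrong user string, because the HSM cannot tell them apart either.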

If the verification strings do not match:

1. If this is a new HSM, contact Gemalto Technical Support. Otherwise, proceed with the following steps.

2. Enter the following command to determine the cause of the tamper condition:

hsm tamper show

See Tamper Events for more information.

3. Take the appropriate action. If you decide that the tamper condition warrants resetting the HSM, enter the following commands to reset the HSM to its factory settings:

hsm factoryreset

sysconf config factoryreset -service all

4. Following a factory reset, restore your settings and key material from backup. See Backup and Restore HSMs and Partitions for details.