Resetting Passwords

Resetting is normally done by a higher authority when an authentication secret is lost/forgotten, or compromised, and is discussed separately from merely changing authentication when the user is in legitimate possession of the current authentication.

HSM

There is no provision to reset the HSM SO password (for Password Authenticated HSMs) or the blue PED key (for PED Authenticated or Trusted Path HSMs), except by re-initializing the HSM, which destroys the contents of the HSM and of any HSM partitions. You can change the password (or the secret on the appropriate blue PED key) with the hsm changepw command, but that requires that you know the current password (or have the current blue PED key).

The assumption, from a security standpoint, is that if you no longer have the ability to authenticate to the HSM (because you forgot the password or lost the PED key, or because an unauthorized person has changed the password or PED key), then the HSM is effectively compromised and must be re-initialized. Thus, no explicit "reset" command is provided.

The hsm init command does not require a login, and the hsm login command is not accepted if the HSM is in zeroized state.

For command syntax, see hsm changepw in the LunaSH Command Reference Guide.

Partition

The Partition SO is able to reset the Crypto Officer password or black PED key only if HSM policy 15: Enable SO reset of partition PIN is enabled. By default, this policy is not enabled.

If HSM policy 15: Enable SO reset of partition PIN is enabled and the Partition Crypto Officer is locked out after 10 bad login attempts, then the Partition SO can use the LunaCM role resetpw command to reset the Crypto Officer password or black PED key.

For command syntax, see role resetpw in the LunaCM Command Reference Guide.