HSM Emergency Decommission Button

The SafeNet appliance includes a way to decommission the HSM, that is, to permanently deny access to all objects on it, without the need for either a serial console or a remote (SSH) connection.

To directly decommission the HSM inside the SafeNet appliance, press and release the small red button on the front panel.

>The appliance does not need to be powered on.

>The appliance does not need to have power cables connected.

You will need a small screwdriver or other tool to reach the Emergency Decommission button. This is intentional, to prevent the button from being pressed accidentally.

What the Emergency Decommission Button Does

When you press the Decommission button, all partitions and their contents are deleted, as are the audit role and the audit configuration. The HSM policy settings are retained.

To bring the HSM back into service, you need to:

1. Reinitialize the HSM

2. Reinitialize the audit role and reconfigure auditing

3. Recreate the partitions

4. Reinitialize the partition roles

Event Summary

Here is what you would observe after the button is depressed:

>The LCD on the appliance front panel freezes. Communication to the HSM key card is blocked, as is the software process that polls the HSM for status.  

>At this point, you must power cycle the SafeNet appliance by depressing the momentary-contact START/STOP switch on the back panel of the system.  

>After restarting, the appliance writes a tamper log message to the messages syslog.

>The LunaSH command hsm show displays the text "Manually Zeroized: Yes", to signify that the system executed the decommission process.  

>The HSM key card must be reinitialized (hsm init) before you can begin using it again.

Comparison Summary

For a table that compares the "Emergency Decommission" event with other deny-access events or actions that are sometimes confused with it, see Comparison of Destruction/Denial Actions.

Disabling Decommissioning

You can disable the decommissioning feature if you have the factory-installed Capability 46: Allow Disable Decommission and Policy 46: Disable Decommission (see HSM Capabilities and Policies). The primary reason for disabling decommissioning is to prevent the HSM from being automatically decommissioned due to loss of battery (see Tamper Events). If decommissioning is disabled, the SafeNet Luna Network HSM has an indefinite shelf life, as far as the battery is concerned.

To disable decommissioning

1. Ensure that the Disable Decommissioning capability is installed on the HSM. To verify that the capability is installed, enter the following command:

lunacm:> hsm showpolicies

If the capability is installed, Capability 46: Allow Disable Decommission and Policy 46: Disable Decommission are listed.

2. Enter the following command to enable Policy 46: Disable Decommission:

lunacm:> hsm changehsmpolicy -policy 46 -value 1
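The following is an added example, not part of the vendor documentation: it checks saved command output for the two indicators this page names, the "Manually Zeroized" field shown by hsm show and entry 46 in the hsm showpolicies listing. The sample text and its line layout are constructed assumptions, and the function names are hypothetical; adjust the patterns to the output your appliance actually prints.

```python
import re

# Constructed sample text (assumption): real output layout may differ.
SAMPLE_HSM_SHOW = """\
HSM Details:
    HSM Label:          myhsm
    Manually Zeroized:  Yes
"""
SAMPLE_SHOWPOLICIES = """\
HSM Capabilities
    46: Allow Disable Decommission : 1
HSM Policies
    46: Disable Decommission : 1
"""

def manually_zeroized(hsm_show_text):
    """True/False from the 'Manually Zeroized' field, None if it is absent."""
    m = re.search(r"Manually Zeroized:\s*(Yes|No)\b", hsm_show_text, re.I)
    return None if m is None else m.group(1).lower() == "yes"

def decommission_policy(showpolicies_text):
    """Return (capability_listed, policy_value); value is None if not listed."""
    cap = re.search(r"^\s*46:\s*Allow Disable Decommission\b",
                    showpolicies_text, re.M | re.I)
    pol = re.search(r"^\s*46:\s*Disable Decommission\s*:\s*(\d+)",
                    showpolicies_text, re.M | re.I)
    return cap is not None, (int(pol.group(1)) if pol else None)

def assess(hsm_show_text, showpolicies_text):
    """Summarize decommission state as a list of findings for an operator."""
    findings = []
    zeroized = manually_zeroized(hsm_show_text)
    if zeroized is None:
        findings.append("'Manually Zeroized' field not found in hsm show output")
    elif zeroized:
        findings.append("HSM was decommissioned; hsm init is required before use")
    cap, value = decommission_policy(showpolicies_text)
    if not cap:
        findings.append("Capability 46 not listed; decommission cannot be disabled")
    elif value == 1:
        findings.append("Policy 46 is set; decommissioning is disabled")
    else:
        findings.append("Policy 46 is not set; decommissioning remains enabled")
    return findings

if __name__ == "__main__":
    for line in assess(SAMPLE_HSM_SHOW, SAMPLE_SHOWPOLICIES):
        print(line)
```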

When to Use the Emergency Decommission Button

The primary purpose of the decommission button is to cover the situation where the appliance is not responding and you wish to send it back to Gemalto, but you need a way to permanently prevent access to material contained within the HSM.

You might find other uses in your organization.

What to do after decommission if the SafeNet Luna Network HSM is being returned to Gemalto

1. Obtain a Return Material Authorization and shipping instructions from Gemalto, if you have not already done so.

2. Pack the appliance and ship it to Gemalto.