HSM Emergency Decommission Button

The Luna appliance includes a way to decommission the HSM, or permanently deny access to all objects on it, without need for either a serial console or a remote (SSH) connection.

To directly decommission the HSM inside the Luna appliance, press and release the small red button on the front panel.

>The appliance does not need to be powered on.

>The appliance does not need to have power cables connected.

You will need a small screwdriver or other tool to reach the Emergency Decommission button. This is intentional, to preclude accidental pressing of that button.

What the Emergency Decommission Button Does

When you press the Decommission button, all partitions and their contents are deleted, as well as the audit role, and the audit configuration. The HSM policy settings are retained.

To bring the HSM back into service, you need to:

1. Reinitialize the HSM

2. Reinitialize the audit role and reconfigure auditing

3. Recreate the partitions

4. Reinitialize the partition roles

Event Summary

Here is what you would observe after the button is depressed:

>The LCD on the appliance front panel freezes. Communication to the HSM key card is blocked, as is the software process that polls the HSM for status.

>At this point, you must power cycle the Luna appliance by depressing the momentary-contact START/STOP switch on the back panel of the system.

>After restarting, the appliance writes a tamper log message to the messages syslog.

>lunash:> hsm show displays the text "Manually Zeroized: Yes", to signify that the system executed the decommission process.

>The HSM must be re-initialized (lunash:> hsm init) before you can begin using it again.
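The two observable signs listed above (the "Manually Zeroized: Yes" line in `hsm show` output and a tamper message in the messages syslog) are what an operator or a log-monitoring job would check to confirm that a decommission actually took place. The following is an added example, not code from Thales or from this documentation: it parses captured `hsm show` output and syslog lines and reports whether the HSM is in the post-decommission state. The surrounding layout of the `hsm show` sample and the wording of the tamper syslog line are constructed assumptions; only the "Manually Zeroized: Yes" field comes from the page.

```python
import re

# Constructed sample of `lunash:> hsm show` output after an emergency decommission.
# Only the "Manually Zeroized: Yes" field is documented; the other lines are assumed layout.
HSM_SHOW_SAMPLE = """\
HSM Details
===========
   HSM Label: myLunaHSM
   Manually Zeroized: Yes
"""

# Constructed syslog lines. The documentation states that a tamper log message is written
# to the messages syslog after restart but does not give its exact text, so the middle line
# is a placeholder, not the appliance's real message.
SYSLOG_SAMPLE = """\
Jan 10 09:12:01 myluna sshd[1234]: Accepted publickey for admin
Jan 10 09:13:44 myluna hsm: PLACEHOLDER tamper event logged after restart
Jan 10 09:14:02 myluna cron[99]: run-parts
"""

ZEROIZED_RE = re.compile(r"^\s*Manually Zeroized:\s*(Yes|No)\s*$", re.M | re.I)
TAMPER_RE = re.compile(r"\btamper\b", re.I)


def manually_zeroized(hsm_show_output):
    """Return True if `hsm show` output reports 'Manually Zeroized: Yes'."""
    m = ZEROIZED_RE.search(hsm_show_output)
    return m is not None and m.group(1).lower() == "yes"


def tamper_lines(syslog_text):
    """Return the syslog lines that mention a tamper event (assumed keyword match)."""
    return [line for line in syslog_text.splitlines() if TAMPER_RE.search(line)]


def decommission_status(hsm_show_output, syslog_text):
    """Combine both indicators into one status record.

    needs_init is True whenever the HSM reports manual zeroization, because the
    documentation says the HSM must be re-initialized (hsm init) before use.
    """
    zeroized = manually_zeroized(hsm_show_output)
    return {
        "manually_zeroized": zeroized,
        "tamper_messages": tamper_lines(syslog_text),
        "needs_init": zeroized,
    }


if __name__ == "__main__":
    print(decommission_status(HSM_SHOW_SAMPLE, SYSLOG_SAMPLE))
```

In practice the two inputs would be the captured output of `lunash:> hsm show` and a copy of the messages syslog; the regex for the tamper line must be adjusted to the message text your appliance actually emits.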

Comparison Summary

View a table that compares and contrasts the "Emergency Decommission" event with other deny access events or actions that are sometimes confused: Comparison of Destruction/Denial Actions.

Disabling Decommissioning

You can disable the decommissioning feature if you have the factory-installed Capability 46: Allow Disable Decommission and Policy 46: Disable Decommission (see HSM Capabilities and Policies). The primary reason for disabling decommissioning is to prevent the HSM from being automatically decommissioned due to loss of battery (see Tamper Events). If decommissioning is disabled, the Luna Network HSM has an indefinite shelf life, as far as the battery is concerned.

To disable decommissioning

1. Ensure that the Disable Decommissioning capability is installed on the HSM. To verify that the capability is installed, enter the following command:

lunash:> hsm showpolicies

If the capability is installed, Capability 46: Allow Disable Decommission and Policy 46: Disable Decommission are listed.

2. Enable Policy 46: Disable Decommission.

lunash:> hsm changepolicy -policy 46 -value 1
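The two steps above amount to one check on `hsm showpolicies` output (is Capability 46 listed, and is Policy 46 already set to 1?) followed by one `hsm changepolicy` command. The following is an added example, not Thales code and not the appliance's real output format: it parses a constructed `hsm showpolicies` listing and reports whether decommissioning is already disabled, whether the capability is missing, or whether the `hsm changepolicy -policy 46 -value 1` command from the page still needs to be run. The section headings, entry layout and value semantics (policy value 1 meaning enabled, as in the command above) are assumptions.

```python
import re

# Constructed `lunash:> hsm showpolicies` listing. The names and numbers of Capability 46 and
# Policy 46 come from the documentation; the layout and the other entries are assumed.
SHOWPOLICIES_SAMPLE = """\
Capabilities:
    7: Example Capability (constructed) : 1
    46: Allow Disable Decommission : 1
Policies:
    7: Example Policy (constructed) : 0
    46: Disable Decommission : 0
"""

SECTION_RE = re.compile(r"^\s*(?:HSM\s+)?(Capabilities|Policies)\s*:?\s*$", re.I)
ENTRY_RE = re.compile(r"^\s*(\d+)\s*[:.]?\s*(.+?)\s*:\s*(\d+)\s*$")

DISABLE_DECOMMISSION = 46
ENABLE_COMMAND = "hsm changepolicy -policy 46 -value 1"  # command given on the page


def parse_showpolicies(text):
    """Parse the listing into {'capabilities': {num: (name, value)}, 'policies': {...}}."""
    result = {"capabilities": {}, "policies": {}}
    current = None
    for line in text.splitlines():
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1).lower()
            continue
        if current is None:
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            result[current][int(entry.group(1))] = (entry.group(2), int(entry.group(3)))
    return result


def capability_installed(text):
    """Capability 46 counts as installed when it appears in the listing."""
    return DISABLE_DECOMMISSION in parse_showpolicies(text)["capabilities"]


def decommission_disabled(text):
    """True only when Capability 46 is present and Policy 46 is set to 1."""
    parsed = parse_showpolicies(text)
    policy = parsed["policies"].get(DISABLE_DECOMMISSION)
    return DISABLE_DECOMMISSION in parsed["capabilities"] and policy is not None and policy[1] == 1


def next_step(text):
    """Return the operator's next action for the procedure above."""
    if not capability_installed(text):
        return "capability-missing"  # Capability 46 is not factory-installed; nothing to enable
    if decommission_disabled(text):
        return "already-disabled"
    return ENABLE_COMMAND


if __name__ == "__main__":
    print(next_step(SHOWPOLICIES_SAMPLE))
```

Run `lunash:> hsm showpolicies`, paste the output in place of the constructed sample, and adapt the two regular expressions to the real listing format before relying on the result.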

When to Use the Emergency Decommission Button

The primary purpose of the decommission button is for a situation where the appliance is not responding, you wish to send it back to Thales, but you need a way to permanently prevent access to material contained within the HSM.

You might find other uses, in your organization.

What to do after decommission if the Luna Network HSM is being returned to Thales

1. Obtain a Return Material Authorization and shipping instructions from Thales, if you have not already done so.

2. Pack the appliance and ship it to Thales.