Decommissioning the HSM Card

The Luna PCIe HSM is equipped with a two-pin decommission jumper header, as illustrated below.

By default, short-circuiting the decommission jumper header decommissions the HSM. You can use the blade of a screwdriver or another conductive tool to short-circuit the two pins of the decommission header, or you can connect a switch to the decommission header if desired. Power is not required to decommission the HSM; that is, you can decommission the HSM after removing it from the chassis.

When you decommission a Luna PCIe HSM, the HSM is zeroized, all user accounts are deleted, and the HSM is returned to its factory state. Any firmware or partition upgrade packs installed on the HSM are retained.

You can also set HSM Policy 40: Decommission on Tamper to automatically decommission the HSM for selected tamper events. See Tamper Events for details.

Disabling Decommissioning

You can disable the decommissioning feature, if desired, by enabling HSM Policy 46: Disable Decommission (see HSM Capabilities and Policies). The primary reason for disabling decommissioning is to prevent the HSM from being automatically decommissioned due to loss of battery (see Tamper Events). If decommissioning is disabled, the Luna PCIe HSM has an indefinite shelf life, as far as the battery is concerned.

To disable decommissioning

1. Launch LunaCM and log in as HSM SO.

lunacm:> role login -name so

2. Enable HSM Policy 46: Disable Decommission:

lunacm:> hsm changehsmpolicy -policy 46 -value 1