hsm factoryreset

Set the HSM back to its factory default settings, deleting the HSM SO, all users, and all objects. This command can be run only via a local serial connection; it is not accepted via SSH.

CAUTION!   This command deletes all objects and users on the HSM, leaving it in a zeroized state.

This command does not require HSM login. The assumption is that your organization's physical security protocols prevent unauthorized physical access to the HSM. If those protocols failed, an unauthorized person would have no access to the HSM contents, and would be limited to temporary denial of service by destruction of HSM contents.

Because this is a destructive command, you are asked whether to “proceed” unless the -force switch is provided at the command line. See Comparison of Destruction/Denial Actions to view a table that compares and contrasts various "deny access" events or actions that are sometimes confused.

This command:

>Erases the currently-initialized Auditor role

>Resets HSM policies

>Erases the RPV (Remote PED Vector or orange PED key authentication data)

The RPV data is required for Remote PED operations to function, including remote HSM initialization, if needed, so RPV must be reinstated after hsm factoryreset if you want to do any remote administration of the HSM.

NOTE   If the operation erases the RPV as described above, and you previously established a remote PED connection (using hsm ped connect), you must tear down the remote PED connection (using hsm ped disconnect) before you reinitialize the RPV and establish a new remote PED connection. The hsm factoryReset command operates on the internal HSM only, and not on software processes responsible for the remote PED connection.

For eIDAS compliance, 'hsmrecover' function is added to factoryreset commands - see Stored Data Integrity.  

The standalone "hsmrecover" tool in the tools folder performs the same action, but can present additional messages that might be useful to Support engineers.

Related commands

This command affects only the HSM, and not the settings for other components of the appliance. The command sysconf config factoryreset affects appliance settings external to the HSM. To bring your entire Luna Network HSM as close as possible to original configuration, as shipped from the factory, run both commands.

If you wish to zeroize (remove all partitions, roles except Auditor, and contents) while preserving HSM policies and the RPV - that is, zeroize before shipping the HSM off to be remotely configured - use the command hsm zeroize instead.

User Privileges

Users with the following privileges can perform this command:

>Admin

Syntax

hsm factoryreset [-force]

Argument(s)

Shortcut

Description

-force -f

Force the action without prompting.

Example

Non-local (network connection) attempt:

lunash:>hsm factoryreset


Error:  'hsm factoryReset' can only be run from the local 
        console. Login as 'admin' using the serial port on 
        the Luna SA before running this command.


Command Result : 65535 (Luna Shell execution)

Local attempt (pre-version 7.7.0 firmware):

lunash:>hsm factoryreset

CAUTION:  Are you sure you wish to reset this HSM to factory
          default settings? All partitions and data will be erased.
          Partition policies will be reverted to factory settings.
          HSM level policies will be reverted to factory settings.
          If you want to erase partitions and data only, use zeroize.
          Remote PED vector will be erased.
          Type 'proceed' to return the HSM to factory default, or
          'quit' to quit now.
          > proceed

'hsm factoryReset' successful.

Please wait while the HSM is reset to complete the process.
The remote PED vector (RPV) has been erased on HSM.

Command Result : 0 (success) 

 

Local attempt (firmware 7.7.0 and newer)

lunash:>hsm factoryReset

CAUTION: Are you sure you wish to reset this HSM to factory
default settings? All partitions and data will be erased.
Partition policies will be reverted to factory settings.
HSM level policies will not be changed.
Type 'proceed' to return the HSM to factory default, or
'quit' to quit now.
> proceed
Error: Unable to communicate with HSM.

Restarting HSM card in progress. Please wait...
RESET: Input/output error

Error: Unable to communicate with HSM.

HSM reset operation may take several minutes to complete.
Please DO NOT interrupt the operation or reboot the system while the reset is in progress.

....resetting device.
Current Boot Loader: Boot Loader Revision K7 1.1.1
HSM Recover command stored for Firmware!
HSM Recover will be done by Firmware after next card reset.
The HSM Recover may take a few minutes.
....resetting device 1 of 2 times
....resetting device.
Firmware performed HSM Recover command!
....resetting device 2 of 2 times
Firmware restarted without error.

'hsm factoryReset' successful.

Please wait while the HSM is reset to complete the process.

Command Result : 0 (Success)