stm recover

Recover the HSM from Secure Transport Mode (STM).

If the HSM is in an initialized state, you must be logged in as HSM SO to recover from STM:

>For multifactor quorum authenticated HSMs, the blue HSM SO PED key is required.

>For password authentication, have the HSM SO password ready.

If the HSM is zeroized, no login is required.

NOTE   The stm commands appear only when LunaCM's active slot is set to the administrative partition on a Luna PCIe HSM 7, Luna USB HSM, or Luna Backup HSM 7. On Luna Backup HSM G5s, Secure Transport Mode is implemented using a secure recovery key (SRK). See About Luna Backup HSM G5 Secure Transport and Tamper Recovery and lunacm:> srk for more information. To access the STM feature on Luna Network HSM 7, use lunash:> hsm stm.

When you enter this command, include the random user string that was generated when the HSM was put into STM. A verification string will be displayed:

>If the verification string generated matches the string that was displayed when the HSM was put into STM (see stm transport), the HSM was not tampered with while in STM.

>If the verification string generated does not match the verification string generated when you placed the HSM in STM, this might indicate that the HSM has been tampered with while in STM, or that an incorrect random user string has been entered.

NOTE   If the STM verification process fails due to a lost or incorrect verification string, you have the option of proceeding with the recovery of the HSM from STM mode. If the STM verification process fails due to a tamper, you can also choose to factory-reset the HSM to bring it back to a Factory state, and then re-initialize.

If you are confident the HSM has not been tampered with, you can still enter "proceed" to recover from STM. See Secure Transport Mode for more information.

CAUTION!   Before invoking the stm recover command, be very careful when entering the SO authentication. A single failed attempt increments a counter, which changes the generated comparison string and causes STM verification to fail during Secure Transport Mode recovery.

Syntax

stm recover -randomuserstring <string>

| Argument(s) | Shortcut | Description |
|---|---|---|
| -randomuserstring <string> | -r | To confirm that the HSM was not tampered with while in STM, enter the random user string generated when it was placed in STM, in the format XXXX-XXXX-XXXX-XXXX. |

Example

lunacm:>stm recover -randomuserstring Gxbx-dXFM-x4bW-bMWN

        Calculating the verification string (may take a few seconds)...

        Verification String: SL7P-GWtA-JFKt-psCH

        Please verify the string before you continue...
        Are you sure you wish to continue?

        Type 'proceed' to continue, or 'quit' to quit now ->proceed

        Recovering the HSM from transport...
        Successfully recovered from Transport Mode.

Command Result : No Error
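
The comparison step described above can be scripted on the receiving side so that the displayed string is checked character for character against the value recorded at stm transport. The following is an added example, not part of the Luna documentation or tooling. It assumes the lunacm output has been captured as text in the layout shown in the Example, and the function name, the return values, and the letters-and-digits character set are assumptions.

```python
import re

# Format documented on this page: XXXX-XXXX-XXXX-XXXX (four groups of four).
# Restricting each X to ASCII letters and digits is an assumption drawn from
# the sample strings shown in the Example.
STRING_RE = re.compile(r"[A-Za-z0-9]{4}(?:-[A-Za-z0-9]{4}){3}")
OUTPUT_RE = re.compile(r"Verification String:\s*(\S+)")

# Constructed sample: lunacm output copied from the Example on this page.
SAMPLE_TRANSCRIPT = """\
lunacm:>stm recover -randomuserstring Gxbx-dXFM-x4bW-bMWN

        Calculating the verification string (may take a few seconds)...

        Verification String: SL7P-GWtA-JFKt-psCH

        Please verify the string before you continue...
"""


def check_stm_verification(transcript: str, recorded: str) -> str:
    """Compare the string lunacm displayed with the one recorded at stm transport.

    Returns 'match', 'mismatch', or 'malformed' (hypothetical result names).
    """
    recorded = recorded.strip()
    found = OUTPUT_RE.search(transcript)
    if not found or not STRING_RE.fullmatch(recorded):
        return "malformed"  # nothing to compare, or the record was mistyped
    displayed = found.group(1)
    if not STRING_RE.fullmatch(displayed):
        return "malformed"
    # Exact, case-preserving comparison (assumption: case is significant,
    # since the sample strings are mixed case).
    return "match" if displayed == recorded else "mismatch"


if __name__ == "__main__":
    result = check_stm_verification(SAMPLE_TRANSCRIPT, "SL7P-GWtA-JFKt-psCH")
    print(result)
    if result != "match":
        # Causes named on this page: tamper while in STM, an incorrect random
        # user string, or a failed SO authentication attempt before recovery.
        print("Establish the cause before typing 'proceed'.")
```

A "malformed" result points to a transcription problem in the recorded value or the captured output, which is worth ruling out before treating a mismatch as a possible tamper.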