hsm init
Initialize the HSM in the Luna Network HSM 7. Initialization assigns an HSM label, creates an HSM Security Officer (HSM SO), creates or associates a Cloning Domain (with authentication) for the HSM, and applies other settings that make the HSM available for use.
CAUTION! Initializing the HSM erases all existing data, including application partitions and their data. Partitions then must be recreated with the partition create command. Because this is a destructive command, the user is asked to “proceed” unless the -force switch is provided at the command line. If you invoke hsm init and then type quit at the prompt, initialization does not take place (meaning that you do not lose existing token/HSM contents), but any current login or activation state is closed, whether you abort the command or not.
For more information, see Initializing the HSM.
User Privileges
Users with the following privileges can perform this command:
Admin
Syntax
hsm init -label <hsm_label> [-domain <hsm_domain> | -defaultdomain] [-password <hsm_admin_password>] [-applytemplate <filename>] [-authtimeconfig] [-force]
Argument(s) | Shortcut | Description
---|---|---
-applytemplate <filename> | -ap | Apply an HSM policy template. This feature requires minimum Luna HSM Firmware 7.1.0 and Luna Appliance Software 7.1.0.
-authtimeconfig | -a | Specifies that the HSM SO role must be logged in to configure the time.
-defaultdomain | -de | This option is deprecated. It applies to password-authenticated HSMs only. It allows you to set a default domain that is compatible with certain legacy HSMs, instead of specifying a unique domain string with -domain.
-domain <hsm_domain> | -do | Specifies the key cloning domain string for the HSM Admin partition. It applies to password-authenticated HSMs only. This string is not required for any key cloning or crypto operations on application partitions. The HSM domain is a legacy feature that must be set, but has no practical function on Luna 7 HSMs. NOTE: This is distinct from the domain on an application partition, which is a critical component required for key cloning, backup/restore, and high availability groups. Refer to Domain Planning for more information. The domain string must be 1-128 characters in length. The following characters are allowed: The following characters are problematic or invalid and must not be used in a domain string: Spaces are allowed, as long as the leading character is not a space; to specify a domain string with spaces using the -domain option, enclose the string in double quotation marks. For password-authenticated HSMs, the domain string should match the complexity of the partition password.
-force | -f | Force the action without prompting.
-label <hsm_label> | -l | Specifies the label to assign to the HSM. The HSM label created during initialization must be 1-32 characters in length. If you specify a longer label, it will automatically be truncated to 32 characters. Only alphanumeric characters and the underscore are allowed:
-password <HSMSO_password> | -p | Specifies the password to be used as login credential by the HSM SO. For multifactor quorum-authenticated HSMs, the Luna PED is used for the HSM SO credential, and data input for this value is ignored. This parameter is required in password-authenticated HSMs. It is ignored in multifactor quorum-authenticated HSMs. In LunaSH, HSM role passwords must be 8-255 characters in length. The following characters are allowed: The following characters are invalid or problematic and must not be used within passwords: Spaces are allowed; to specify a password with spaces, enclose the password in double quotation marks.
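Because hsm init is destructive and, on a password-authenticated HSM, silently truncates an over-long label, it is worth checking the argument rules stated above before the command reaches the appliance. The following POSIX shell script is an added example, not part of the Luna documentation or LunaSH itself: it validates a label (1-32 characters, alphanumerics and underscore), a domain string (1-128 characters, no leading space) and an HSM SO password (8-255 characters) against the limits given in the table, and prints the lunash command line with the domain and password double-quoted so that embedded spaces survive. The full allow-lists of permitted characters for domains and passwords are not reproduced on this page, so only the documented length, leading-space and label character-set rules are enforced; the function names and the sample values are constructed for the example.

```shell
#!/bin/sh
# Added example (not Luna documentation code): pre-flight checks for the
# hsm init argument rules before running the command in lunash.

# Label: 1-32 characters, alphanumerics and underscore only. The HSM would
# truncate a longer label to 32 characters, so reject it explicitly instead.
check_hsm_label() {
  label=$1
  [ -n "$label" ] || { echo "label: must be 1-32 characters" >&2; return 1; }
  case $label in
    *[!A-Za-z0-9_]*)
      echo "label: only alphanumeric characters and underscore are allowed" >&2
      return 1 ;;
  esac
  if [ ${#label} -gt 32 ]; then
    echo "label: longer than 32 characters; the HSM would truncate it to '$(printf %.32s "$label")'" >&2
    return 1
  fi
  return 0
}

# Domain string: 1-128 characters; spaces are allowed but not as the first character.
check_hsm_domain() {
  domain=$1
  if [ -z "$domain" ] || [ ${#domain} -gt 128 ]; then
    echo "domain: must be 1-128 characters" >&2
    return 1
  fi
  case $domain in
    " "*) echo "domain: leading character must not be a space" >&2; return 1 ;;
  esac
  return 0
}

# HSM SO password: 8-255 characters (password-authenticated HSMs only;
# ignored by the HSM when a PED supplies the credential).
check_hsm_so_password() {
  pw=$1
  if [ ${#pw} -lt 8 ] || [ ${#pw} -gt 255 ]; then
    echo "password: must be 8-255 characters" >&2
    return 1
  fi
  return 0
}

# Print the lunash command line once every argument passes its check.
# Domain and password are double-quoted as the reference requires for values with spaces.
build_hsm_init_cmd() {
  label=$1
  domain=$2
  pw=$3
  check_hsm_label "$label" || return 1
  check_hsm_domain "$domain" || return 1
  check_hsm_so_password "$pw" || return 1
  printf 'hsm init -label %s -domain "%s" -password "%s"\n' "$label" "$domain" "$pw"
}

# Demo with constructed values (not real credentials):
build_hsm_init_cmd myluna "example cloning domain" example_so_password_1
```

Run the script before the real session to catch a bad label or a too-short password without touching the appliance; for a multifactor quorum-authenticated HSM the password check is irrelevant, since the PED supplies the SO credential and the -password value is ignored.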
Example
Multifactor Quorum-authenticated HSMs
If the HSM has been factory reset, then a complete "hard" initialization is performed when you invoke the hsm init command.
lunash:> hsm init -label myluna
CAUTION: Are you sure you wish to re-initialize this HSM?
All partitions and data will be erased. Type 'proceed' to initialize the HSM, or 'quit' to quit now.
> proceed
Luna PED operation required to initialize HSM - use Security Officer (blue) PED Key
Luna PED operation required to login as HSM Administrator - use Security Officer (blue) PED Key
Luna PED operation required to generate cloning domain - use Domain (red) PED Key
'hsm init successful'
Command result : 0 (Success)
If the HSM is NOT in factory reset condition when you invoke the hsm init command, then a "soft" initialization is performed: the partitions and their contents are destroyed, but the Security Officer/HSM Administrator identity and the Domain are preserved. The SO must be logged into the HSM to run hsm init when the HSM is not in factory reset condition.
lunash:> hsm init -label myluna
Warning: This HSM is not in the factory reset (zeroized) state. You must present the current HSM Admin login credentials to clear the HSM contents.
CAUTION: Are you sure you wish to re-initialize this HSM?
All partitions and data will be erased. Type 'proceed' to initialize the HSM, or 'quit' to quit now.
> proceed
Luna PED operation required to initialize HSM - use Security Officer (blue) PED Key
'hsm -init successful'
Command result : 0 (Success)