RMA and Shipping Back to Thales
Although rare, it could happen that you need to ship a Luna PCIe HSM 7 back to Thales. Contact your Thales representative to obtain the Return Material Authorization (RMA) and instructions for packing and shipping. You might wish (or your security policy might require you) to take maximum precaution with any contents in your HSM before it leaves your possession.
RMA Process for Thales Luna HSM Devices Containing Sensitive Customer Key Material
Thales Luna Hardware Security Modules (HSMs) are designed, manufactured and tested to the highest level of quality. On occasion, a product may fail in the field after use by the customer. Products that fail in the field, when covered by a maintenance agreement or during the warranty period, may be eligible for an RMA.
Secure RMA Without Access to Key Material
Thales recognizes that Luna HSMs may contain sensitive customer key material. In case of an RMA, Thales does not have access to key material:
>Keys stored in the HSM are encrypted using a master key based on the customer’s authentication method.
>It is impossible for Thales to retrieve or use sensitive customer key material from either a functioning or a failed HSM without the password or PED keys.
>Without these authentication devices or passwords, Thales cannot access key material in the device, even by reading the flash memory, as per FIPS 140-2 Level 3 and Common Criterial EAL4+ validation processes.
HSM Decommissioning
The general practice before returning a Luna HSM under an RMA is to decommission the HSM following the instructions in the user documentation (see Decommissioning the HSM Card for instructions). This deletes the master key.
NOTE Ensure you have a backup of your keys.