HSM Zeroization
In the context of HSMs in general, the term "zeroize" means to erase all plaintext keys. Some HSMs keep all keys in plaintext within the HSM boundary. Luna HSMs do not.
In the context of Luna HSMs, keys at rest (keys or objects that are stored in the HSM/cryptographic module) are encrypted. Keys are decrypted into a volatile working memory space inside the HSM only while they are being used. Items in volatile memory disappear when power is removed. The action that we loosely call "zeroizing", or clearing, erases volatile memory as well as destroying the key that encrypts stored objects.
Any temporarily decrypted keys are destroyed, and all customer keys on the HSM are immediately rendered inaccessible and unrecoverable whenever you:
>perform hsm factoryreset
>make too many bad login attempts on the SO account
>short the pins of the decommission header
>set a "destructive" HSM policy
>perform HSM firmware rollback
The KEK (key encryption key that encrypts all user objects, partition structure, cloning vectors, masking vectors, etc.) is destroyed by a zeroization (erasure) or decommission event. At that point, any objects or identities in the HSM become effectively random blobs of bits that can never be decoded.
NOTE The next HSM power-up following a KEK zeroization automatically erases the contents of user storage, which were already an indecipherable blob without the original KEK. That is, any zeroizing event instantly makes encrypted objects unusable, and as soon as power is re-applied, the HSM immediately erases even the encrypted remains before it allows further use of the HSM.
The HSM must now be re-initialized in order to use it again, and initialization overwrites the HSM with new user parameters. Everything is further encrypted with a new KEK unique to that HSM.
Keys not encrypted by the KEK are those that require exemption and are not involved in user identities or user objects:
> The Master Tamper Key, which enables tamper handling
> The Remote PED Vector, to allow Remote PED-mediated recovery from tamper or from Secure Transport Mode
> The hardware origin key that certifies the HSM hardware as having been built by Thales