Zeroizing or Resetting the HSM to Factory Conditions
During the lifetime of a Luna HSM, you might have cause to take the HSM out of service, and wish to perform actions to ensure that no trace of your sensitive material remains. Those events might include:
>Placing the unit into storage, perhaps as a spare
>Shipping to another location or business unit in your organization
>Shipping the unit back to Thales for repair/re-manufacture
>Removing the HSM permanently from operational use, for disposal at end-of-life
This chapter describes the available options in the following sections:
>Comparing Zeroize and Factory Reset
>Resetting the Luna USB HSM 7 to Factory Condition
Comparing Zeroize and Factory Reset
You can clear the contents of your Luna HSM, or the HSM may be cleared in response to an event. How this affects the contents and configuration of your HSM depends on whether the user partitions were deleted or whether the HSM was zeroized or factory reset as detailed below:
Action | Command/Event | Description |
---|---|---|
Erase User Partitions |
>Enable or disable a destructive HSM policy |
Destroy/erase the user partition, but do not zeroize the HSM. To bring the HSM back into service, you need to: 1.Recreate the partition 2.Reinitialize the partition roles |
Zeroize |
>Too many bad login attempts on the HSM SO account >lunacm:> hsm zeroize |
Deletes all partitions and their contents, but retains the HSM configuration (audit role and configuration, policy settings). To bring the HSM back into service, you need to: 1. Reinitialize the HSM 2.Recreate the partition 3.Reinitialize the partition roles |
Factory Reset | lunacm:> hsm factoryreset | Deletes the application partition and its contents, and resets all roles and policy configurations to their factory default values. To bring the HSM back into service, you need to completely reconfigure the HSM as though it were new from the factory. |
HSM Zeroization
In the context of HSMs in general, the term "zeroize" means to erase all plaintext keys. Some HSMs keep all keys in plaintext within the HSM boundary. Luna HSMs do not.
In the context of Luna HSMs, keys at rest (keys or objects that are stored in the HSM) are encrypted. Keys are decrypted into a volatile working memory space inside the HSM only while they are being used. Items in volatile memory disappear when power is removed. The action that we loosely call "zeroizing", or clearing, erases volatile memory as well as destroying the key that encrypts stored objects.
Any temporarily decrypted keys are destroyed, and all customer keys on the HSM are immediately rendered inaccessible and unrecoverable whenever you:
>perform hsm factoryreset
>make too many bad login attempts on the SO account
>set a "destructive" HSM policy
The KEK (key encryption key that encrypts all user objects, partition structure, cloning vectors, masking vectors, etc.) is destroyed by a zeroization (erasure) or decommission event. At that point, any objects or identities in the HSM become effectively random blobs of bits that can never be decoded.
NOTE The next HSM power-up following a KEK zeroization automatically erases the contents of user storage, which were already an indecipherable blob without the original KEK. That is, any zeroizing event instantly makes encrypted objects unusable, and as soon as power is re-applied, the HSM immediately erases even the encrypted remains before it allows further use of the HSM.
The HSM must now be re-initialized in order to use it again, and initialization overwrites the HSM with new user parameters. Everything is further encrypted with a new KEK unique to that HSM.
Keys not encrypted by the KEK are those that require exemption and are not involved in user identities or user objects:
> The Master Tamper Key, which enables tamper handling
> The Remote PED Vector, to allow Remote PED-mediated recovery from tamper or from Secure Transport Mode
> The hardware origin key that certifies the HSM hardware as having been built by Thales
Resetting the Luna USB HSM 7 to Factory Condition
These instructions will allow you to restore your Luna USB HSM 7 to its original factory configuration. The HSM is zeroized, all partitions erased, and HSM policies are returned to their default settings.
To reset the HSM to factory condition
1.Set the active slot to the admin partition.
lunacm:> slot set -slot <slotnum>
2.Reset the HSM to factory settings.
lunacm:> hsm factoryreset