Zeroizing or Resetting the HSM to Factory Conditions

During the lifetime of a Luna HSM, you might have cause to take the HSM out of service, and wish to perform actions to ensure that no trace of your sensitive material remains. Those events might include:

>Placing the unit into storage, perhaps as a spare

>Shipping to another location or business unit in your organization

>Shipping the unit back to Thales for repair/re-manufacture

>Removing the HSM permanently from operational use, for disposal at end-of-life

This chapter describes the available options in the following sections:

>Comparing Zeroize and Factory Reset

>HSM Zeroization

>Resetting the Luna USB HSM 7 to Factory Condition

>Stored Data Integrity

Comparing Zeroize and Factory Reset

You can clear the contents of your Luna HSM, or the HSM may be cleared in response to an event. How this affects the contents and configuration of your HSM depends on whether the user partitions were erased, the HSM was zeroized, or the HSM was factory reset, as detailed below:

Action: Erase User Partitions

Command/Event:

>Enable or disable a destructive HSM policy

Description: Destroy/erase the user partition, but do not zeroize the HSM. To bring the HSM back into service, you need to:

1. Recreate the partition

2. Reinitialize the partition roles

Action: Zeroize

Command/Event:

>Too many bad login attempts on the HSM SO account

>lunacm:> hsm zeroize

Description: Deletes all partitions and their contents, but retains the HSM configuration (audit role and configuration, policy settings). To bring the HSM back into service, you need to:

1. Reinitialize the HSM

2. Recreate the partition

3. Reinitialize the partition roles

Action: Factory Reset

Command/Event:

>lunacm:> hsm factoryreset

Description: Deletes the application partition and its contents, and resets all roles and policy configurations to their factory default values. To bring the HSM back into service, you need to completely reconfigure the HSM as though it were new from the factory.

HSM Zeroization

In the context of HSMs in general, the term "zeroize" means to erase all plaintext keys. Some HSMs keep all keys in plaintext within the HSM boundary. Luna HSMs do not.

In the context of Luna HSMs, keys at rest (keys or objects that are stored in the HSM) are encrypted. Keys are decrypted into a volatile working memory space inside the HSM only while they are being used. Items in volatile memory disappear when power is removed. The action that we loosely call "zeroizing", or clearing, erases volatile memory as well as destroying the key that encrypts stored objects.

Any temporarily decrypted keys are destroyed, and all customer keys on the HSM are immediately rendered inaccessible and unrecoverable whenever you:

>perform hsm factoryreset

>make too many bad login attempts on the SO account

>set a "destructive" HSM policy

The KEK (key encryption key that encrypts all user objects, partition structure, cloning vectors, masking vectors, etc.) is destroyed by a zeroization (erasure) or decommission event. At that point, any objects or identities in the HSM become effectively random blobs of bits that can never be decoded.

NOTE   The next HSM power-up following a KEK zeroization automatically erases the contents of user storage, which were already an indecipherable blob without the original KEK. That is, any zeroizing event instantly makes encrypted objects unusable, and as soon as power is re-applied, the HSM immediately erases even the encrypted remains before it allows further use of the HSM.

The HSM must now be re-initialized in order to use it again, and initialization overwrites the HSM with new user parameters. Everything is further encrypted with a new KEK unique to that HSM.

The only keys not encrypted by the KEK are those that must be exempt from zeroization because they are not involved in user identities or user objects:

> The Master Tamper Key, which enables tamper handling

> The Remote PED Vector, to allow Remote PED-mediated recovery from tamper or from Secure Transport Mode

> The hardware origin key that certifies the HSM hardware as having been built by Thales
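The KEK mechanism described in this section, as an added illustration that is not Thales code and does not describe the Luna HSM's actual algorithms or internals: a Python model in which stored objects are encrypted under a KEK, only the KEK and the volatile working memory are destroyed at zeroize time, and the next power-up erases the leftover ciphertext before a fresh KEK is installed. The cipher (an HMAC-SHA256 keystream with an HMAC tag), the class and method names, and the sample object are all constructed for the example.

```python
# Toy model of KEK-based zeroization (constructed example, not Thales code).
# Persistent storage holds only ciphertext; plaintext exists only in volatile
# working memory while an object is in use. The cipher below is a constructed
# HMAC-SHA256 keystream plus HMAC tag, standing in for the real HSM algorithms.
import hashlib
import hmac
import secrets


class KekStoreModel:
    def __init__(self):
        self.kek = None              # key-encryption key; None until initialized
        self.storage = {}            # persistent: label -> (nonce, ciphertext, tag)
        self.working_memory = {}     # volatile: label -> plaintext, only while in use
        self.kek_zeroized = False    # set by zeroize(), consumed by power_up()

    def initialize(self):
        """Initialization installs a fresh KEK unique to this (model) HSM."""
        self.kek = secrets.token_bytes(32)
        self.kek_zeroized = False

    def _require_kek(self):
        if self.kek is None:
            raise ValueError("HSM is zeroized or uninitialized; initialize first")

    def _keystream(self, nonce, length):
        out = b""
        counter = 0
        while len(out) < length:
            block = nonce + counter.to_bytes(4, "big")
            out += hmac.new(self.kek, block, hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def _tag(self, nonce, ct):
        return hmac.new(self.kek, b"tag" + nonce + ct, hashlib.sha256).digest()

    def store_object(self, label, plaintext):
        """Encrypt an object under the current KEK and keep only the ciphertext."""
        self._require_kek()
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        self.storage[label] = (nonce, ct, self._tag(nonce, ct))

    def use_object(self, label):
        """Decrypt an object into volatile working memory; fails if the KEK differs."""
        self._require_kek()
        nonce, ct, tag = self.storage[label]
        if not hmac.compare_digest(tag, self._tag(nonce, ct)):
            raise ValueError("object cannot be decoded under the current KEK")
        pt = bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))
        self.working_memory[label] = pt
        return pt

    def zeroize(self):
        """Destroy decrypted keys and the KEK; stored ciphertext is now undecodable."""
        self.working_memory.clear()
        self.kek = None
        self.kek_zeroized = True

    def power_up(self):
        """Volatile memory is gone; after a KEK zeroization, wipe user storage too."""
        self.working_memory.clear()
        if self.kek_zeroized:
            self.storage.clear()


def demo():
    """Walk the lifecycle and report what each stage left behind."""
    secret = b"constructed sample key material"      # constructed sample object
    hsm = KekStoreModel()
    hsm.initialize()
    hsm.store_object("signing-key", secret)
    decrypted_before = hsm.use_object("signing-key") == secret
    leftover = dict(hsm.storage)                     # ciphertext as it sat in storage
    hsm.zeroize()
    volatile_cleared = not hsm.working_memory
    hsm.power_up()
    storage_wiped = not hsm.storage
    hsm.initialize()                                 # new KEK unique to this HSM
    hsm.storage.update(leftover)                     # suppose the old blobs survived
    try:
        hsm.use_object("signing-key")
        recoverable = True
    except ValueError:
        recoverable = False
    return {
        "decrypted_before": decrypted_before,
        "volatile_cleared_at_zeroize": volatile_cleared,
        "storage_wiped_at_power_up": storage_wiped,
        "recoverable_after_reinit": recoverable,
    }


if __name__ == "__main__":
    print(demo())
```

The model reflects the two distinct steps the text describes: zeroization itself only has to destroy the KEK and the in-use plaintext to make every stored object useless, and the storage wipe on the following power-up removes the encrypted remains as a belt-and-braces measure rather than as the thing that provides the security.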

Resetting the Luna USB HSM 7 to Factory Condition

These instructions will allow you to restore your Luna USB HSM 7 to its original factory configuration. The HSM is zeroized, all partitions erased, and HSM policies are returned to their default settings.

Prerequisites

>Only the HSM SO can perform factory reset.

To reset the HSM to factory condition

1. Set the active slot to the admin partition and log in as HSM SO.

lunacm:> slot set -slot <slotnum>

lunacm:> role login -name so

2. Reset the HSM to factory settings.

lunacm:> hsm factoryreset