hsm init

Initialize the Luna HSM. Initializing the HSM erases all existing data, including any HSM Partition and its data. The HSM Partition then must be recreated with the partition create command. Because this is a destructive command, the user is asked to “proceed” unless the -force switch is provided at the command line.

NOTE   To change the authentication type of a Luna USB HSM 7 between Password auth and Multifactor Quorum auth, or the reverse, (with the -ipwd option or the -iped option of the hsm init command) requires a factory reset first (hsm factoryreset).

The factory reset is not needed if you are initializing the HSM to the same mode of authentication as is currently configured.

NOTE   The hsm commands appear only when LunaCM's active slot is set to the administrative partition.

Syntax

hsm init -label <label> [-password <SOpassword>] [-domain <domain> | -defaultdomain] [-initwithped | -initwithpwd] [-applytemplate <filepath/filename>] [-auth] [-force]

Argument(s) Shortcut Description
-applytemplate <filepath/filename> -at Apply a policy template located in the specified directory.
-auth -a Log in after the initialization.
-domain <domain> -d

Specifies the key cloning domain string for the HSM Admin partition. It applies to password-authenticated HSMs only. This string is not required for any key cloning or crypto operations on application partitions. The HSM domain is a legacy feature that must be set, but has no practical function on Luna 7 HSMs.

NOTE   This is distinct from the domain on an application partition, which is a critical component required for key cloning, backup/restore, and high availability groups. Refer to Domain Planning for more information.

-defaultdomain -def This option is deprecated. It applies to password-authenticated HSMs only. It allows you to set a default domain that is compatible with certain legacy HSMs, instead of specifying a unique domain string with -domain.
-force -f Force the action - no prompts. Useful for scripting.
-initwithped -iped Initialize a Backup or USB HSM with multifactor quorum authentication. This option is supported only when initializing an HSM that is in a zeroized state. This option is mutually exclusive with the -initwithpwd option.
-initwithpwd -ipwd Initialize a Backup or USB HSM with password authentication. This option is supported only when initializing an HSM that is in a zeroized state. This option is mutually exclusive with the -initwithped option.
-label <label> -l

Specifies the label to assign to the HSM.

The HSM label created during initialization must be 1-32 characters in length. If you specify a longer label, it will automatically be truncated to 32 characters. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:'",.<>?`~

Spaces are allowed; enclose the label in double quotes if it includes spaces. Including both spaces and quotation marks in a label may cause unexpected labeling behavior.

-password -p

HSM SO password. This option is required for a password authenticated HSM. If you do not provide the password string in the command, you are prompted for it, and the characters that you type are obscured by asterisks (*). This option is ignored for multifactor quorum-authenticated HSMs.

In LunaCM, passwords and activation challenge secrets must be 8-255 characters in length. The following characters are allowed:

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 !@#$%^&*()-_=+[]{}\|/;:',.<>?`~

Double quotation marks (") are problematic and should not be used within passwords.

Spaces are allowed; to specify a password with spaces using the -password or -newpw option of a command, enclose the password in double quotation marks.

Example

Soft init (no factory reset)

lunacm:>hsm init -label myLuna

        You are about to initialize the HSM that is already initialized.
        All partitions of the HSM will be destroyed.

        You are required to provide the current SO password.

        Are you sure you wish to continue?

        Type 'proceed' to continue, or 'quit' to quit now ->proceed

        Enter password for SO: ********

Command Result : No Error

Hard init (with factory reset first)

lunacm:>hsm init -label myLuna

        You are about to initialize the HSM.
        All contents of the HSM will be destroyed.

        Are you sure you wish to continue?

        Type 'proceed' to continue, or 'quit' to quit now ->proceed

        Enter password for SO: ********

        Re-enter password for SO: ********

        Option -domain was not specified.  It is required.

        Enter the domain name: **********

        Re-enter the domain name: **********

Command Result : No Error

HSM init on Luna Backup HSM

lunacm:>hsm init -label mybackuphsm -password s0mepw -domain s0med0ma1n -force -auth -initwithpwd

        Initialization was successful and "-auth" was specified.
        Performing an SO login.

Command Result : No Error

lunacm:>hsm si

        HSM Label -> mybackupHSM Manufacturer -> Safenet, Inc.
        HSM Model -> G5Backup
        HSM Serial Number -> 7000013
        HSM Status -> OK
        Token Flags ->
                CKF_RNG
                CKF_LOGIN_REQUIRED
                CKF_RESTORE_KEY_NOT_NEEDED
                CKF_TOKEN_INITIALIZED
        Firmware Version -> 6.10.1
        Rollback Firmware Version -> Not Available

......[output snipped for space]....

        License Count -> 4
                1. 621000028-000 Luna Backup HSM base configuration
                1. 621000048-001 621-000048-001SCU,G5,BU,Partitions100
                2. 621000006-001 Enabled for 15.5 megabytes of object storage
                2. 621000008-001 Enable remote PED capability

Command Result : No Error