hsm init
Initialize the Luna HSM. Initializing the HSM erases all existing data, including any HSM Partition and its data. The HSM Partition then must be recreated with the partition create command. Because this is a destructive command, the user is asked to “proceed” unless the -force switch is provided at the command line.
NOTE To change the authentication type of a Luna USB HSM 7 between Password auth and Multifactor Quorum auth, or the reverse, (with the -ipwd
option or the -iped
option of the hsm init command
) requires a factory reset first (hsm factoryreset).
The factory reset is not needed if you are initializing the HSM to the same mode of authentication as is currently configured.
NOTE The hsm commands appear only when LunaCM's active slot is set to the administrative partition.
Syntax
hsm init -label <label> [-password <SOpassword>] [-domain <domain> | -defaultdomain] [-initwithped | -initwithpwd] [-applytemplate <filepath/filename>] [-auth] [-force]
Argument(s) | Shortcut | Description |
---|---|---|
-applytemplate <filepath/filename> | -at | Apply a policy template located in the specified directory. |
-auth | -a | Log in after the initialization. |
-domain <domain> | -d |
Specifies the key cloning domain string for the HSM Admin partition. It applies to password-authenticated HSMs only. This string is not required for any key cloning or crypto operations on application partitions. The HSM domain is a legacy feature that must be set, but has no practical function on Luna 7 HSMs. NOTE This is distinct from the domain on an application partition, which is a critical component required for key cloning, backup/restore, and high availability groups. Refer to Domain Planning for more information. |
-defaultdomain | -def | This option is deprecated. It applies to password-authenticated HSMs only. It allows you to set a default domain that is compatible with certain legacy HSMs, instead of specifying a unique domain string with -domain. |
-force | -f | Force the action - no prompts. Useful for scripting. |
-initwithped | -iped | Initialize a Backup or USB HSM with multifactor quorum authentication. This option is supported only when initializing an HSM that is in a zeroized state. This option is mutually exclusive with the -initwithpwd option. |
-initwithpwd | -ipwd | Initialize a Backup or USB HSM with password authentication. This option is supported only when initializing an HSM that is in a zeroized state. This option is mutually exclusive with the -initwithped option. |
-label <label> | -l |
Specifies the label to assign to the HSM. The HSM label created during initialization must be 1-32 characters in length. If you specify a longer label, it will automatically be truncated to 32 characters. The following characters are allowed:
Spaces are allowed; enclose the label in double quotes if it includes spaces. Including both spaces and quotation marks in a label may cause unexpected labeling behavior. |
-password | -p |
HSM SO password. This option is required for a password authenticated HSM. If you do not provide the password string in the command, you are prompted for it, and the characters that you type are obscured by asterisks (*). This option is ignored for multifactor quorum-authenticated HSMs. In LunaCM, passwords
Double quotation marks ( Spaces are allowed; to specify a password with spaces using the -password or -newpw option of a command, enclose the password in double quotation marks. |
Example
Soft init (no factory reset)
lunacm:>hsm init -label myLuna You are about to initialize the HSM that is already initialized. All partitions of the HSM will be destroyed. You are required to provide the current SO password. Are you sure you wish to continue? Type 'proceed' to continue, or 'quit' to quit now ->proceed Enter password for SO: ******** Command Result : No Error
Hard init (with factory reset first)
lunacm:>hsm init -label myLuna You are about to initialize the HSM. All contents of the HSM will be destroyed. Are you sure you wish to continue? Type 'proceed' to continue, or 'quit' to quit now ->proceed Enter password for SO: ******** Re-enter password for SO: ******** Option -domain was not specified. It is required. Enter the domain name: ********** Re-enter the domain name: ********** Command Result : No Error
HSM init on Luna Backup HSM
lunacm:>hsm init -label mybackuphsm -password s0mepw -domain s0med0ma1n -force -auth -initwithpwd Initialization was successful and "-auth" was specified. Performing an SO login. Command Result : No Error lunacm:>hsm si HSM Label -> mybackupHSM Manufacturer -> Safenet, Inc. HSM Model -> G5Backup HSM Serial Number -> 7000013 HSM Status -> OK Token Flags -> CKF_RNG CKF_LOGIN_REQUIRED CKF_RESTORE_KEY_NOT_NEEDED CKF_TOKEN_INITIALIZED Firmware Version -> 6.10.1 Rollback Firmware Version -> Not Available ......[output snipped for space].... License Count -> 4 1. 621000028-000 Luna Backup HSM base configuration 1. 621000048-001 621-000048-001SCU,G5,BU,Partitions100 2. 621000006-001 Enabled for 15.5 megabytes of object storage 2. 621000008-001 Enable remote PED capability Command Result : No Error